Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca8a1c6d24b64eb3…

MALICIOUS

Office (OLE)

Size: 59.5 KB
Created: 2012-07-05 09:40:07
Authoring application: Microsoft Excel
First seen: 2014-12-08
MD5: 87802bbe0e4e286a3dfc467c0cf14d4c
SHA-1: b057e1d4daa74e7bfa02bc5d8a552c14c4973dde
SHA-256: ca8a1c6d24b64eb3ed9ddde5094fe00e548a323e23646b9037403c80373e1d88
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristic firings. The document body suggests the macro's intent is to infect other workbooks, specifically mentioning 'Infect Workbook' and saving as 'Book1.xls', and refers to itself as an 'Excel Formula Macro Virus'. The specific mention of 'Poppy by VicodinES' and 'The Narkotic Network' suggests a known, albeit older, malware family.

Heuristics (2)

  • OLE_XLS_FORMULA_MACRO_VIRUS (critical): Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.