Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd8795a371c738e1…

MALICIOUS

Office (OLE)

69.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2015-09-19
MD5: 239cfb355644f9febb5d20ae458e1b70 SHA-1: 1f5c8b19496592e4c7b1793fe80dcde2eee26d4b SHA-256: cd8795a371c738e17e91b07cbd341df02ed0286c6a4a7d7c8a6bfbebc4b9303f
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel 4.0 macro sheet (XLM) containing legacy macro virus markers, including 'Poppy by VicodinES' and 'The Narkotic Network'. The embedded text indicates it's designed to infect other workbooks and save itself as 'Book1.xls' in the XLSTART directory, suggesting a self-propagating or downloader mechanism.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.