Office (OLE) malware analysis — malicious · d24f749a49563b61

MALICIOUS

Office (OLE)

185.5 KB Created: 2002-04-09 02:36:44 Authoring application: Microsoft Excel First seen: 2012-10-03

MD5: 8592dd1855a014b734a6a6fd685b0179 SHA-1: ef8fbf29f40fdf7a3bf178c50df1211b7f7fa998 SHA-256: d24f749a49563b61914f7159d2fb06025b51157736c3cd9bf9d3fe26351a8ddb

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros, specifically triggering a 'Workbook_Open' heuristic. Static analysis identified it as a legacy Excel formula macro virus, with markers indicating it's known as 'Classic.Poppy' or 'XF.Classic' from 'The Narkotic Network'. The embedded VBA code, though not fully detailed in the provided snippet, is designed to infect other workbooks and save them as 'Book1.xls', indicating a self-propagation mechanism.

Heuristics 3

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1599 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1599 bytes
SHA-256: `4c00cf2f18d8f1f4ebd67c0f714aacade61c0b8bef4e131e8fef26c65c2165da`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Activate() End Sub Private Sub Workbook_Open() End Sub Private Sub Workbook_Sync(ByVal SyncEventType As Office.MsoSyncEventType) End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Worksheet_SelectionChange(ByVal Target As Range) End Sub Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Worksheet_SelectionChange(ByVal Target As Range) End Sub Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Worksheet_SelectionChange(ByVal Target As Range) End Sub

SHA-256: 4c00cf2f18d8f1f4ebd67c0f714aacade61c0b8bef4e131e8fef26c65c2165da

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()

End Sub

Private Sub Workbook_Open()

End Sub

Private Sub Workbook_Sync(ByVal SyncEventType As Office.MsoSyncEventType)

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.