Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d53ad8b39c8cc555…

MALICIOUS

Office (OLE) / .XLS

Size: 659.0 KB
Created: 2008-02-16 04:29:40
Authoring application: Microsoft Excel
MD5: 8a2722d5ad032cd917c6bfec23340a9e
SHA-1: 925251b84e3f34412aaa53c1e954aaaa69404f95
SHA-256: d53ad8b39c8cc5555f5acd4ce9b1468d31387b32b2b3186f62f0d6bfbd1e24b4
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, identified by the OLE_XLM_AUTOOPEN and OLE_XLS_FORMULA_MACRO_VIRUS heuristics. The script excerpts indicate it is designed to infect other workbooks and potentially download or execute further payloads, as suggested by the 'Simple Payload' and 'Add New Workbook, Infect It, Save It As Book1.xls' comments. The presence of strings like 'Classic.Poppy by VicodinES' and 'The Narkotic Network 1998' suggests it may be related to older macro malware families.

Heuristics (2)

  • [critical] OLE_XLS_FORMULA_MACRO_VIRUS: Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.