Office (OLE) / .XLS malware analysis — malicious · d6da974b670d53dd

MALICIOUS

Office (OLE) / .XLS

1.37 MB Created: 2010-01-29 07:13:48 Authoring application: Microsoft Excel

MD5: 76ed99f6a94c542f81bf6af35d829744 SHA-1: 2dfcc53d3b11983994fe9fde181d8144a1bce38e SHA-256: d6da974b670d53dd03b423a2cbdeed40c7f2fdc0cdaf9989b229cd528d900a9a

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1547.001 Registry Run Keys / Startup Folder

The sample is identified as a legacy Excel Formula Macro Virus, specifically mentioning 'Poppy by VicodinES' and 'The Narkotic Network'. Heuristics indicate the presence of Excel 4.0 macros and a formula macro virus marker. The script excerpts suggest the macro attempts to infect other workbooks and potentially establish persistence, indicated by references to registry keys.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.