Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d6ee8ece10eac048…

MALICIOUS

Office (OLE)

70.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2015-09-17
MD5: 2e66faeedf6a3e8369901d4fb48ead5d SHA-1: 50fc063b8d67c8b66e0e52e1086b0bfef0f70683 SHA-256: d6ee8ece10eac0480328dcce8610ce0d775cd1f81a8437b1a8e7fd5c57c1d8b2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of a legacy Excel 4.0 macro virus. The document body contains strings referencing 'Excel Formula Macro Virus (XF.Classic)' and 'The Narkotic Network 1998', suggesting the macro's purpose is to infect other workbooks and potentially download further malicious content.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.