Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d9a51552486aa384…

MALICIOUS

Office (OLE) / .XLS

480.5 KB Created: 2010-09-15 08:04:06 Authoring application: Microsoft Excel
MD5: acc89b86e096debc1c5f70873e1b5f61 SHA-1: d4b9dbb2bccf18a1672898626d53815d2f35191a SHA-256: d9a51552486aa384817b59414257cc7df385a7135ad6582372d40f18f8f2cabf
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1059.001 PowerShell T1547.001 Registry Run Keys / Startup Folder

The file contains critical heuristic firings indicating the presence of Excel 4.0 (XLM) macros, specifically an Auto_Open entry. The heuristics also flag dangerous formula APIs like RUN, suggesting the macro is designed to execute arbitrary commands. The document body mentions 'Excel Formula Macro Virus (XF.Classic)' and 'Poppy by VicodinES', along with references to infection and payload delivery. The presence of the XLM Auto_Open macro with the RUN function strongly implies an intent to download and execute a second-stage payload or infect the system.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
6ff9a37dafb68da4bf420f5b4b30423481a89cb7ee117d802faaa2462fa11aca		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 200994 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.