Office (OLE) / .XLS malware analysis — malicious · ddb1e822d7bc17a1

MALICIOUS

Office (OLE) / .XLS

161.0 KB Created: 2002-04-15 01:34:53 Authoring application: Microsoft Excel

MD5: 99df4e72309d72bca3911a246a69c9d9 SHA-1: fbd6f496302a7137184c9fc16d7ab48a3f794df6 SHA-256: ddb1e822d7bc17a161b068c0c13a59976a930c3d78d70cde9f3f786c4d4902cb

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is identified as a legacy Excel formula macro virus, specifically 'Poppy' by VicodinES, also known as XF.Classic. The document body contains text related to an invoice and travel package, which serves as a lure. The embedded heuristics confirm the presence of a formula macro virus and an invoice lure. The script content indicates that the macro infects other workbooks and saves them as 'Book1.xls' in the XLSTART directory, suggesting a mechanism for propagation and potential payload delivery.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Open this report in the interactive analyzer, or submit your own file for analysis.