Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dfef20984ca67a33…

MALICIOUS

Office (OLE)

50.5 KB First seen: 2015-09-30
MD5: 86e4c0255ca35ddb698103ffd4e296f0 SHA-1: 2997d44d7ee58380faebc8d158ec033eece98f4b SHA-256: dfef20984ca67a33eeb72e50d3f1fd7ba1c47aefc34ccb372c25ec6102165904
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel formula macro virus, specifically identified as 'Poppy by VicodinES' and 'The Narkotic Network 1998'. The document body confirms this by referencing 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)'. The macro appears designed to infect other workbooks and save them as 'Book1.xls' within the XLSTART directory, suggesting an attempt at persistence.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.