Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e7211c49f36615d2…

MALICIOUS

Office (OLE)

59.0 KB Created: 2006-04-17 02:54:43 Authoring application: Microsoft Excel First seen: 2015-09-15
MD5: 00f5cbea852c34ffa750a53725855c40 SHA-1: c89cf6a5d5dc9d26e4a822e05f4dd3e4b43efa5a SHA-256: e7211c49f36615d26c0ac313f63364cebf8cb6ae0add605a5a9d831fe0030939
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains critical heuristic firings indicating it is a legacy Excel Formula Macro Virus, specifically mentioning 'Poppy by VicodinES' and 'The Narkotic Network'. The presence of Excel 4.0 macros (XLM) and the embedded text referencing 'Classic.Poppy by VicodinES' and 'Hydrocodone/APAP 10-650 For Your Computer' strongly suggests a malicious intent, likely to download and execute further stages or deliver a specific payload. The script section explicitly mentions infecting a workbook and saving it as Book1.xls, indicating a potential mechanism for persistence or further infection.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.