XF.Classic — Office (OLE) malware analysis

Static analysis result for SHA-256 e782400afcbcbfc9…

MALICIOUS

Office (OLE)

Size: 108.0 KB
Created: 2009-02-24 06:52:25
Authoring application: Microsoft Excel
First seen: 2015-09-30
MD5: 8e812516b6a7cda9511860dba573db67
SHA-1: 141f7c0ab88316579c5914693c80d4d9db407e68
SHA-256: e782400afcbcbfc9365e8bf8b139ba6c069f320b151c97ab15088712db45d3b9
Risk score: 80

Malware Insights

XF.Classic · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious due to the presence of critical heuristics indicating a legacy Excel Formula Macro Virus, specifically 'XF.Classic' and 'Poppy by VicodinES'. The extracted document body contains explicit references to these macro names and includes instructions for infecting a workbook and saving it as 'Book1.xls' in the XLSTART directory, suggesting an attempt to establish persistence or facilitate further infection. The macro's intent appears to be the execution of malicious code, likely a downloader.

Heuristics (2)

  • Legacy Excel formula macro virus marker (severity: critical; rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.