Office (OLE) / .XLS malware analysis — malicious · e86a1a9c9a7c4cd8

MALICIOUS

Office (OLE) / .XLS

1.07 MB Created: 2010-04-01 13:23:45 Authoring application: Microsoft Excel

MD5: 6cc58a2b1e2676881c2c7416133a5064 SHA-1: 5a34fd7ba1aaf401fc576e8566ffc81204c619cc SHA-256: e86a1a9c9a7c4cd8f80d0bb3b7881b75979bd5ee6213c4728f9baf9feada49f1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Service Execution

The file is identified as a malicious Excel 4.0 (XLM) macro-enabled spreadsheet. The presence of 'OLE_XLM_AUTOOPEN' and 'OLE_XLM_LEGACY_MACRO_VIRUS' heuristics, specifically mentioning 'XL4Poppy', strongly indicates the use of legacy macro functionality for malicious execution. The 'RUN($B$1)' command within the macro sheet suggests that the macro is designed to execute arbitrary code, likely to download and run a secondary payload.

Heuristics 2

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.

Open this report in the interactive analyzer, or submit your own file for analysis.