Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f078c00af0a09eb9…

MALICIOUS

Office (OLE) / .XLS

50.0 KB Created: 2010-05-20 08:58:52 Authoring application: Microsoft Excel
MD5: b96a9e4eeedee5cce3bf59f5ef581a2e SHA-1: 320e3f782b1573854fe7d5a96d3ec94a6d179a10 SHA-256: f078c00af0a09eb91b3fbd72ee1832e0411d4f3d3f4a43029b87b65c6adf1739
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1059.001 PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1566.001 Phishing: Spearphishing Attachment

The file contains critical Excel 4.0 (XLM) macro firings, including Auto_Open and the use of dangerous functions like RUN. This indicates the macro sheet is designed to execute commands upon opening. The presence of the 'XL4Poppy' string and the 'Poppy by VicodinES' marker in the heuristics strongly suggests a legacy macro-based malware delivery mechanism. The document body contains what appears to be IP address allocation data, which could be used as a lure or to obfuscate the true nature of the file.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
3339654a15be45dce81d20b63f3adeef7498460eeeb0c3c237efd97a58f9ed65		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 31140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.