Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0f9712591e49806…

MALICIOUS

Office (OLE)

22.0 KB Created: 2008-10-24 00:58:36 Authoring application: Microsoft Excel
MD5: 0a5ac6beedcbcf92770f201db9c395b9 SHA-1: c457fcfd3829741cf32e8212363a4a52b2cb3040 SHA-256: f0f9712591e49806f73cb4f39c73036658e8f9b174c8a37b46627604a53f186d
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1566.001 Phishing: Spearphishing Attachment T1027 Obfuscated Files or Information

The file is an Excel 4.0 (XLM) macro-enabled workbook. Heuristics indicate the presence of an Auto_Open macro, which is a critical indicator of malicious intent. The DOC BODY and script analysis reveal that this macro is designed to infect other workbooks and save them as 'Book1.xls' in the Excel startup directory, suggesting a self-propagating or persistence mechanism. The presence of 'Poppy by VicodinES' and 'The Narkotic Network 1998' in the document body suggests a legacy macro virus, potentially for delivering further payloads.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
d8f95808ed4ff8852045c4dde37ac300e0003fac006206eca452354419737e0f		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 5680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.