Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fbc57580f9000ee3…

MALICIOUS

Office (OLE)

48.5 KB First seen: 2015-10-01
MD5: af336ff0345aa24d9cbbb0ed09ab1eb0 SHA-1: 94cbf2b8ce47367166cd6b7c3f91f06b96d04631 SHA-256: fbc57580f9000ee33f833792be6f30e383a592f7960722938b5517ddc46e08f2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of a legacy Excel formula macro virus marker, specifically mentioning 'Poppy by VicodinES'. The presence of an OLE_XLM_AUTOOPEN rule firing further confirms the use of Excel 4.0 macros. The DOC BODY contains what appears to be construction cost breakdown data, but the presence of 'XL4Poppy' in the document body and the heuristic firings strongly suggest this is a lure for a macro-based attack.

Heuristics 2

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.