Office (OLE) / .XLS malware analysis — malicious · fdf4f5079f8caaef

MALICIOUS

Office (OLE) / .XLS

2.02 MB Created: 2008-11-12 07:15:42 Authoring application: Microsoft Excel

MD5: ba86a3784d9cc7a056db43440d3ae510 SHA-1: 6cb7f347e82365da72877de2e28f5c7e701aead7 SHA-256: fdf4f5079f8caaef660b0ad601517c78f483e1be62ad0ad5314d958e416da403

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.001 PowerShell

The sample is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, identified by the 'OLE_XLM_AUTOOPEN' and 'OLE_XLS_FORMULA_MACRO_VIRUS' heuristics. The embedded script comments indicate it's a variant of the 'Classic.Poppy' Excel Formula Macro Virus, which historically has been used to download and execute further payloads or steal information. The script attempts to infect other workbooks and save them as 'Book1.xls' in the 'xlstart' directory, suggesting an intent to establish persistence or spread.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.