XF.Classic — Office (OLE) malware analysis

Static analysis result for SHA-256 1a9690ce0e8ff6c6…

MALICIOUS

Office (OLE)

512.0 KB Created: 2010-03-15 21:52:27 Authoring application: Microsoft Excel
MD5: 1a7d5ceb7b2253f7c164038010d2a85b SHA-1: 3a174b39d8098229df3b7a7bbca399c5ce4c8e53 SHA-256: 1a9690ce0e8ff6c641bba69668b92b8ed70a3817824b3da54fbec552dc0bc944
60 Risk Score

Malware Insights

XF.Classic · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' directly identifies this sample as the XF.Classic Excel Formula Macro Virus, also known as Poppy. The DOC BODY contains strings like 'Classic.Poppy by VicodinES', 'An Excel Formula Macro Virus (XF.Classic)', and 'The Narkotic Network 1998', confirming its identity and legacy nature. The script's intent is to infect other Excel workbooks, specifically saving them as 'Book1.xls' in the 'xlstart' directory, which is a common method for macro viruses to spread and execute.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.

Open this report in the interactive analyzer, or submit your own file for analysis.