XL4Poppy Office (OLE) / .XLS malware analysis — malicious · 5e95a47e7e195bd9

MALICIOUS

Office (OLE) / .XLS

2.28 MB Created: 2010-08-24 01:14:59 Authoring application: Microsoft Excel

MD5: e71b1e16f95214b58fbb8deec29abc99 SHA-1: e8d8417effb161e0f2d77adeae623aae11308b02 SHA-256: 5e95a47e7e195bd9a71710bb48518ffd9f37b84dd1538371b73e12f5d2b9f577

120 Risk Score

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristic firings. The presence of the 'XL4Poppy' marker strongly suggests this family. The macros are designed to execute automatically, likely to download and run a secondary payload, a common tactic for this type of threat.

Heuristics 2

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.

Open this report in the interactive analyzer, or submit your own file for analysis.