Malware Insights
The critical heuristic firing indicates a legacy Excel formula macro virus, specifically mentioning 'Poppy by VicodinES' and 'Narkotic Network'. The document body confirms this, containing strings like 'Classic.Poppy by VicodinES', 'An Excel Formula Macro Virus (XF.Classic)', and 'The Narkotic Network 1998'. The script's intent appears to be infecting other workbooks and potentially displaying a fake educational report, as suggested by the presence of sheet names like 'Sheet1', 'Sheet2', 'Sheet3', 'XL4Poppy', and the text resembling a report. The IOCs point to the default Excel startup directory and a specific filename, likely where the macro attempts to place its payload.
Heuristics 2
-
Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUSWorkbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Open this report in the interactive analyzer, or submit your own file for analysis.