XL4Poppy Office (OLE) / .XLS malware analysis — malicious · 799a9bfdc7a6c563

MALICIOUS

Office (OLE) / .XLS

1018.0 KB Created: 2009-12-10 08:35:14 Authoring application: Microsoft Excel

MD5: a9fb2bb394f362cd588fd60b23954375 SHA-1: d423b530289ac97af0783cc027163a93fa80b57b SHA-256: 799a9bfdc7a6c5636b58477f230c678c3150400b5c66fd22294bb4591a5ee20c

248 Risk Score

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is identified as malicious due to critical heuristic firings indicating the presence of legacy Excel 4.0 (XLM) Auto_Open macros. These macros are known to be used for executing arbitrary code, and the presence of 'XL4Poppy' and 'Normal_MacroVirus' markers suggests a known macro-virus family. The XLM macros likely contain logic to download and execute a second-stage payload, although the specific execution details are obscured by incomplete formula parsing.

Heuristics 5

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `cd5e75aa1564337e4192d3cccc312b81255a9704abd286f1278204a393e1c00e`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	536554 bytes
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.