Poppy — Office (OLE) malware analysis

Static analysis result for SHA-256 a38cafea2becaa22…

MALICIOUS

Office (OLE)

973.5 KB Created: 2006-07-29 12:19:56 Authoring application: Microsoft Excel First seen: 2015-09-24
MD5: 7b4f335ff86bda2726529c8bf237ebb0 SHA-1: 4bceaf66d1c960c2acde70b1f3f4c20419379dfa SHA-256: a38cafea2becaa22fdf7946929c3a220c67a906f995340ad660eb8662516fecc
60 Risk Score

Malware Insights

Poppy · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing for 'OLE_XLS_FORMULA_MACRO_VIRUS' and the presence of 'Poppy by VicodinES' and 'Excel Formula Macro Virus (XF.Classic)' in the document body strongly indicate the execution of a known legacy Excel macro virus. The script logic includes commands like 'RUN($B$1)' and 'Auto_Open', suggesting an attempt to execute embedded malicious code and infect other workbooks, likely by saving infected copies to the 'xlstart' directory.

Heuristics 1

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.