MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
The sample is identified as a legacy Excel formula macro virus, specifically 'Poppy' or 'XF.Classic', which is known to infect other Excel files. The embedded URLs likely serve as distribution points or command and control infrastructure for the malware. The script content explicitly mentions infecting and saving other workbooks, indicating its primary function is propagation.
Heuristics 2
-
Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUSWorkbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://mail.viettel.com.vn/Ca
- http://203.113.131.34/Session/55361-fx4aXscKxl0szPlGrwtJ/MessagePart/INBOX/1297-02-B/Co
- http://203.113.131.34/Danh
- http://mail.viettel.com.vn/Setup\Tam_Backup\Book1.xls
- http://203.113.131.34/quanlykho\kho_oto_2002.xls
- http://203.113.131.34/Ha-Dong\thanh
- http://203.113.131.34/TANHOP\DU
- http://203.113.131.34/Documents
- http://203.113.131.34/Luu
- http://203.113.131.34/HIEN\SPM\Tar-Act\Target.xls
- http://203.113.131.34/TREASURY\COMMON\XLDATA\FX\FX
- http://203.113.131.34/3.6\Documents
Open this report in the interactive analyzer, or submit your own file for analysis.