XL4Poppy — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 b44a9ebb615ea6b0…

MALICIOUS

Office (OLE) / .XLS

Size: 3.36 MB
Created: 2010-03-13 17:01:53
Authoring application: Microsoft Excel
MD5: 18f69a6431b4c462e4d5b5ae568874de
SHA-1: 855019eabb2a92b18b06fc93ddabc56efebd4809
SHA-256: b44a9ebb615ea6b00a235996f2688e8c9742f4535d57ccd160035862e65cf950
Risk Score: 180

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1547.001 Registry Run Keys / Startup Folder

The file contains critical heuristic firings indicating it is a legacy Excel 4.0 (XLM) macro virus, specifically identified as XL4Poppy. The document body explicitly mentions 'Classic.Poppy by VicodinES' and 'An Excel Formula Macro Virus (XF.Classic)', along with instructions to 'Add New Workbook, Infect It, Save It As Book1.xls'. This strongly suggests the macro's intent is to infect other Excel files by saving itself as 'Book1.xls' in the Excel startup directory, which is a common method for establishing persistence.

Heuristics (3)

  • Excel 4.0 (XLM) Auto_Open + macro sheet (severity: critical, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Legacy XLM macro-virus family marker (severity: critical, rule: OLE_XLM_LEGACY_MACRO_VIRUS)
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.