XL4Poppy Office (OLE) / .XLS malware analysis — malicious · b56d3b93aa0a36cb

MALICIOUS

Office (OLE) / .XLS

1.31 MB Created: 2000-07-19 02:51:14 Authoring application: Microsoft Excel

MD5: 96c664db05af4005e5bb6bad898f1906 SHA-1: 29af7e6db38a4fd8a6f43b7b82184c07f322b125 SHA-256: b56d3b93aa0a36cbd9dbd8987fbb28edbe99b62a2be561b0ba8b0171f8cebb2b

180 Risk Score

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The sample is identified as a legacy Excel 4.0 (XLM) macro virus, specifically associated with the XL4Poppy family. Heuristic firings indicate the presence of macro virus markers like 'XL4Poppy', 'Normal_MacroVirus', 'Poppy by VicodinES', and 'XF.Classic'. The Auto_Open macro sheet functionality further confirms its malicious intent to spread and infect other Excel files.

Heuristics 3

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.

Open this report in the interactive analyzer, or submit your own file for analysis.