XL4Poppy — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 be0a916d4b8a1593…

MALICIOUS

Office (OLE) / .XLS

Size: 1.13 MB · Created: 2009-07-07 11:14:15 · Authoring application: Microsoft Excel
MD5: 13b6b88e4e3d0093fc9dda1166feb507 · SHA-1: a5ef493006561228ebaecaed4e160093fde97e61 · SHA-256: be0a916d4b8a1593d681116bc946b49ab16857ddb872cf372f058a47a5de8eb5
Risk Score: 180

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK
T1059.005 · Command and Scripting Interpreter: Visual Basic for Applications
T1547.001 · Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is identified as a legacy Excel 4.0 (XLM) macro virus, specifically the XL4Poppy variant, by multiple critical heuristic firings. The document body indicates the virus's intent to infect other workbooks and save them as 'Book1.xls' in the 'xlstart' directory, suggesting an attempt at persistence. The presence of markers like 'XL4Poppy', 'Normal_MacroVirus', and 'Poppy by VicodinES' further confirms its family and nature.

Heuristics (3)

  • Excel 4.0 (XLM) Auto_Open + macro sheet · critical · OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy Excel formula macro virus marker · critical · OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Legacy XLM macro-virus family marker · critical · OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.