Poppy — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 bf1fa1284d3c9761…

MALICIOUS

Office (OLE) / .XLS

Size: 589.5 KB   Created: 2010-07-02 07:25:12
MD5: 2303a9901ddd524ba10f67f9f4e4a8fa   SHA-1: 159380341352c4e2526eaf3551555321c8a7f356   SHA-256: bf1fa1284d3c9761e97ae7894f3a73b67a237334248dfc1a05dcbf6ca3d20db1
Risk Score: 120

Malware Insights

Poppy · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample is identified as a legacy Excel formula macro virus, specifically the 'Poppy' variant. The presence of an Auto_Open macro indicates that the malicious code executes automatically upon opening the document. The heuristic firings and embedded markers strongly suggest the intent is to infect other Excel workbooks.

Heuristics (3)

  • Legacy Excel formula macro virus marker [critical] OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Auto_Open macro [high] OLE_VBA_AUTO
    An Auto_Open macro is present, so the macro code runs automatically when the workbook is opened.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 881c6907ba4d39427859e0350520ff511c5376e6dd203360f63e86f3236ba27a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1572 bytes