XLM/Poppy Office (OLE) malware analysis — malicious · c1c8b4197d00eaee

MALICIOUS

Office (OLE)

368.0 KB Created: 2003-04-25 08:18:33 Authoring application: Microsoft Excel First seen: 2015-10-04

MD5: db3eed7622c90aa212fb962522eb4350 SHA-1: eaff4ae211bb20ab0d13d9006c6e5c901f2f2ed8 SHA-256: c1c8b4197d00eaee0f92b9ca4cb2ff7a2810a46bfcee527c117fc6c4ae7e6562

80 Risk Score

Malware Insights

XLM/Poppy · confidence 90%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic firing indicates the presence of a legacy Excel Formula Macro Virus (XF.Classic), specifically identified as 'Poppy by VicodinES' and associated with 'The Narkotic Network'. The embedded script details indicate it attempts to infect a new workbook, save it as Book1.xls, and likely download a second-stage payload. This suggests a macro-based attack vector, likely delivered via spearphishing.

Heuristics 2

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.