XL4Poppy — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 f261f8278d5ff845…

MALICIOUS

Office (OLE) / .XLS

Size: 3.25 MB · Created: 2006-03-20 08:41:27 · Authoring application: Microsoft Excel
MD5: 1830541ecffbab59697271494438d396
SHA-1: 57fa51ef3e8c59e828a413df6067b429fe1ef998
SHA-256: f261f8278d5ff845a36172bc17c0ab1ea4e77c1f2b8006233d93edc6ff09b77a
Risk Score: 180

Malware Insights

XL4Poppy · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1546.001 Event Triggered Execution: Known Run Key

The file is identified as a legacy Excel 4.0 (XLM) macro virus, specifically the XL4Poppy variant. Heuristics indicate it contains macro sheet markers associated with known legacy Excel macro viruses like Poppy and Narkotic Network. The embedded text explicitly mentions 'Infect Workbook' and 'Save It As Book1.xls', suggesting a primary function of spreading to other Excel files via the xlstart directory.

Heuristics (3)

  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.