Threat description




Pinkpick is an Excel macro virus.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


X97M/Pinkpick.A is an Excel macro virus that activates on opening. During that time it executes a subroutine "pink" that is the main part of the virus.

Pinkpick.A drops its code in Excel's startup directory in a file B00k1.xls. If a workbook contains one sheet only, the virus does not infect it.

While infecting different workbooks, Pinkpick uses different module names. The first letter of the module name it takes from the first letter of the workbook that it infected. If the first character is not a letter then it uses 'N'. The second letter in the module's name is always 'V'. The virus uses this to recognize itself. If the name of the workbook starts with "Book", then the virus saves it.

The payload is to set a random password when the sum of the day and the month is 13 or 22, also if the month is June and the day is 15. At that time is also changes the cell format, column with, row height and zoom to 25.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info