We're sorry Aspose doesn't work properply without JavaScript enabled.

Free Support Forum - aspose.com

File is still infected after remove macro

Aspose.Cells Product Family
#1

Hi Aspose team,

I have a xls sample that has problem. The original file may be a virus file which is detected by several engines. You can see here: here
I tried to use Aspose Cells to remove macro, but the result is still infected. The result file is : here
Here is my current code:

        using(var inStream = new FileStream(inputXlsFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
        {
            var opt = new LoadOptions
            {
                MemorySetting = MemorySetting.MemoryPreference
            };

            workbook = new Workbook(inStream, opt);
            string nameOfSheet = string.Empty;
            foreach(var wooksheet in workbook.Worksheets)
            {
                if(wooksheet.IsVisible)
                {
                    nameOfSheet = wooksheet.Name;
                    break;
                }
            }

            if(workbook.HasMacro)
            {
                workbook.RemoveMacro();
            }

            for(int i = workbook.Worksheets.Count - 1; i >= 0; i--)
            {

                switch(workbook.Worksheets[i].Type)
                {
                    case SheetType.BIFF4Macro:
                    case SheetType.VB:
                        workbook.Worksheets.Names.Remove(workbook.Worksheets[i].Name);
                        workbook.Worksheets.RemoveAt(i);
                        break;
                    default:
                        break;
                }
            }

            bool hasVisibleWorksheet = false;
            foreach(var worksheet in workbook.Worksheets)
            {
                if(worksheet.IsVisible)
                {
                    hasVisibleWorksheet = true;
                    break;
                }
            }
            if(!hasVisibleWorksheet)
                workbook.Worksheets.Add(nameOfSheet);

            workbook.RemoveUnusedStyles();
            Stream stream = workbook.SaveToStream();
            using(var cf = new OpenMcdf.CompoundFile(stream))
            {
                cf.Save(outputXlsFile);
            }
        }

Is there a way to remove the threats from this output file?
When I debug with output file, I see workbook.HasMacro = true and still have some elements in workbook.VbaProject.Modules. Maybe some macros haven’t been removed yet.
I attached sample below. Please help me investigate . Thanks!
xls_sample.zip (382.6 KB)
image.png (37.1 KB)

#2

@dunghnguyen,

I tried downloading the file but my antivirus blocked it and discarded the file. Hence could not download your file. Could you please provide clean file, so we could evaluate your issue precisely.

#3

@dunghnguyen
1, If the Workbook.VbaProject property is watched, it will create the VBA Project , so workbook.HasMacro will always be true.
2. We cannot be sure that the virus must be caused by macros. Removing the macro does not necessarily remove the virus.

#4

I zip my sample with password 123
Please re-download here xls_sample.zip (382.7 KB)
I don’t have any other sample with the same problem. Can you use a virtual machine to check the file ?
After searching, I think the virus caused by macros. You can see here, the macro excel 4.0 (Excel4.Downloader.44317) was detected by CAT-QuickHeal. More TrojanDownloader O97M threat is macro. And inquest labs confirmed this threat is macro related here.

#5

@dunghnguyen
It seems the content of the worksheet still contains virus .
Only when we remove all cells as the following codes, the file is OK.

var workbook = new Aspose.Cells.Workbook(@"C:\Users\Administrator\Downloads\xls_sample\sample.xls");
workbook.RemoveMacro();
workbook.Worksheets[0].IsVisible = true;
foreach(Worksheet worksheet in workbook.Worksheets)
{
      worksheet.PageSetup.PrinterSettings = null;
      //worksheet.Cells.RemoveFormulaValues();
      //worksheet.Cells.RemoveFormulas();
                
      worksheet.Cells.Clear();
}
#6

If remove all cells, we will lose all necessary data, so I want to keep the clean content.
Is there any way to detect cells that contain virus ?

#7

@dunghnguyen,

We are sorry but Aspose.Cells does not have any such API to detect if the file is infected with virus. Scanning or detecting viruses is a task of antivirus softwares.