How to remove vba macros from excel before uploading to enterprise security-scanned systems
- Step 1Locate the .xlsm before uploading — Find or save the macro-enabled file to disk. Do not double-click to open it if its origin is uncertain — drop it straight into the tool instead.
- Step 2Open the stripper on a Developer-tier account — Go to /excel-tools/excel-vba-macro-stripper. Lower tiers are blocked with
VBA Macro Stripper requires Developer tier.; Developer also unlocks the 500 MB size limit for large workbooks. - Step 3Drop in the file — Drag the
.xlsminto the tool (picker shows.xlsx, .xls, .ods). One file per run — for several uploads, sanitise them one at a time. - Step 4Run the strip — Click run. JSZip removes
vbaProject.bin,vbaData.xml, andxl/macrosheets/, then repacks the rest — no macro code is executed during the operation. - Step 5Capture the evidence — The panel reports
N macro file(s) removedand lists each removed path. Keep this for your change/security ticket as proof the file was sanitised. - Step 6Upload the .xlsx — Download
<file>-no-macros.xlsxand upload that to SharePoint, Teams, or the share. With no macro extension and novbaProject.bin, it clears DLP and antivirus checks.
What the stripper removes vs preserves
The tool opens the workbook as an OOXML ZIP with JSZip and deletes only macro-bearing parts by path match. Every other part is repacked byte-for-byte. Path matching is case-insensitive substring matching.
| Container part | Action | Why |
|---|---|---|
xl/vbaProject.bin | Removed | The compiled VBA project — every Sub, Function, UserForm, and class module lives here. Deleting it removes all VBA code. |
xl/vbaProjectSignature.bin / *vbaData.xml | Removed | Digital-signature stub and the VBA data manifest. Any path containing vbadata.xml is dropped so no orphaned macro metadata remains. |
xl/macrosheets/… | Removed | Excel 4.0 / XLM macro sheets. The stripper deletes this folder, so legacy XLM auto-open macros are removed alongside VBA — not just VBA. |
xl/_rels/workbook.xml.rels | Edited | The <Relationship … vbaProject …> entry is stripped so the workbook does not reference the now-deleted binary. |
xl/printerSettings/printerSettings*.bin | Preserved | Binary print settings are explicitly kept — only macro binaries are targeted, not every .bin. |
Worksheet XML, sharedStrings.xml, styles, charts, pivots | Preserved | All data, formulas, formatting, charts, and pivot tables are repacked unchanged. The output is a faithful copy minus the code. |
docProps/core.xml / docProps/app.xml | Preserved | Author, company, and revision metadata are untouched. Use the Core/App metadata wipers if you also need those gone. |
Tier access and file-size limits
The VBA Macro Stripper is gated to Developer tier and above (it throws VBA Macro Stripper requires Developer tier. on lower tiers). One file per run — there is no batch queue. Row limits do not apply: this is a binary ZIP operation, so reported input/output rows are always 0.
| Tier | Can run this tool? | Max file size | Files per run |
|---|---|---|---|
| Free | No — blocked | 5 MB (family cap) | 1 |
| Pro | No — blocked | 50 MB (family cap) | 1 |
| Pro-media | No — blocked | 200 MB (family cap) | 1 |
| Developer | Yes | 500 MB | 1 |
| Enterprise | Yes | 2 GB (streaming) | 1 |
Input formats — what actually unzips
The tool registers xlsx as its accepted format, so the file picker offers .xlsx, .xls, .ods. Under the hood it requires a valid OOXML ZIP. Pick the matching row before you upload — a file that is not a ZIP cannot be processed.
| File you have | ZIP-based? | Result |
|---|---|---|
.xlsm (macro-enabled workbook) | Yes | Primary use case. vbaProject.bin and xl/macrosheets/ are removed; you get a clean .xlsx. |
.xlsx that secretly carries a VBA project | Yes | Rare but real — a workbook renamed to .xlsx can still contain vbaProject.bin. The stripper finds and removes it. |
.xlam (macro-enabled add-in) | Yes | Same OOXML+VBA layout, so the macro binary is removed. Output is repacked as .xlsx. |
.xltm (macro-enabled template) | Yes | Unzips and strips like .xlsm. The template's cell content survives; its VBA does not. |
.xls (legacy BIFF8 binary) | No | Not a ZIP — JSZip.loadAsync throws. Re-save as .xlsm/.xlsx in Excel first, then strip. |
.ods (OpenDocument) | Yes (ZIP) | Unzips, but ODF stores macros under Basic/, not vbaProject.bin — nothing matches, so no macros are removed. |
Cookbook
Pre-upload sanitisation flows for security-scanned enterprise systems. File names and data are anonymised; the tool behaviour is exact.
Sanitise a third-party .xlsm before a SharePoint upload
A vendor sent a macro-enabled workbook the DLP gateway would quarantine. Strip it to .xlsx first.
Input: Vendor-Pricing.xlsm (xl/vbaProject.bin) Result panel: 1 macro file(s) removed. Upload Vendor-Pricing-no-macros.xlsx to SharePoint -> passes DLP / AV scan, no quarantine
File DLP already flagged for an XLM macro
The gateway flagged an Excel 4.0 macro, not VBA. The stripper removes XLM sheets too, so the re-upload clears.
Flagged input: Report.xlsm xl/macrosheets/sheet1.xml <- XLM (the flag) Result panel: 1 macro file(s) removed. Upload Report-no-macros.xlsx -> clears the gateway
Large legacy workbook on Developer tier
A 320 MB consolidated file. Developer's 500 MB limit handles it; lower tiers cannot run the tool at all.
Input: Consolidation.xlsm (320 MB) Tier: Developer (500 MB) -> OK Result panel: 1 macro file(s) removed. Output: Consolidation-no-macros.xlsx
Attach the strip evidence to a change ticket
Security review wants proof the macro was removed before the file entered the system.
Ticket evidence: source: Vendor-Pricing.xlsm removed: 1 parts: xl/vbaProject.bin output: Vendor-Pricing-no-macros.xlsx method: browser-local JSZip, no execution
Strip macros, then audit external links before upload
DLP also cares about exfiltration links a macro might have used. Strip first, then audit the remaining links.
Step 1 VBA Macro Stripper: inbound.xlsm -> inbound-no-macros.xlsx Step 2 External Link Auditor (/excel-tools/excel-external-link-auditor): lists every external reference for review
Edge cases and what actually happens
Gateway flagged the file for an XLM macro, not VBA
RemovedSome DLP rules trigger on Excel 4.0 macros under xl/macrosheets/, which a VBA-only remover would leave behind. This tool deletes that folder too, so the re-upload should clear the same rule that flagged the original.
Password-encrypted workbook uploaded
Fails — encryptedExcel encryption wraps the OOXML package in an OLE/CFB container, so JSZip cannot read it as a ZIP and loading fails. Decrypt in Excel (File, Info, Protect Workbook, remove the password) first, then strip the macros from the decrypted copy.
Legacy `.xls` (BIFF8 binary) uploaded
Fails — not a ZIPA true legacy .xls is a compound binary file, not a ZIP, so JSZip.loadAsync throws and no output is produced. Open it in Excel and Save As .xlsm (or .xlsx) first to convert it to the OOXML ZIP format, then run the stripper.
`.xlsx` that secretly contains a VBA project
RemovedA workbook renamed from .xlsm to .xlsx can still carry vbaProject.bin inside the ZIP — and Excel will still run it. The stripper matches by ZIP path, not extension, so it finds and removes the binary regardless of the file's name.
DLP still quarantines after stripping
Other content flaggedRemoving macros only addresses the macro rule. If DLP still holds the file, it is likely flagging something else — PII patterns, external links, or embedded objects. Audit links with the External Link Auditor and check for sensitive data; the macro strip is not a blanket DLP bypass.
`printerSettings.bin` in the package
PreservedThe filter targets only macro binaries (vbaproject.bin, vbadata.xml, xl/macrosheets/). Other .bin parts such as printerSettings1.bin are left in place, so your page setup survives the strip.
File had no macros at all
ExpectedNothing matches the macro filter, so the result reports 0 macro file(s) removed and you still receive a repacked .xlsx. It is a clean no-op, not a failure — handy as a confidence check that a file is already macro-free.
`docProps/app.xml` still lists the original editing app
By designThe stripper only removes macro parts; document metadata is preserved. If the editing-app fingerprint or author also needs to go, chain the App Metadata Wiper or the Core Metadata Wiper after stripping.
Run attempted on Free, Pro, or Pro-media tier
403 tier blockedThe processor checks the tier first and throws VBA Macro Stripper requires Developer tier. before any unzip happens. Upgrade to Developer or Enterprise to run it.
Policy requires server-side scanning, not client tools
Process checkStripping in the browser produces a clean file, but it does not replace your organisation's required scanning. Treat the stripper as preparation so the file passes the gate, not as a substitute for the gateway itself.
Frequently asked questions
Why do DLP and antivirus systems flag .xlsm files?
Macro-enabled extensions are a known malware delivery vector, so many gateways quarantine .xlsm by default. Removing the macro parts and producing a .xlsx means the gateway no longer sees a macro-bearing file.
Will the stripped file pass scanning?
It removes the macro content that triggers macro-specific rules, so it should clear those checks. If the gateway flags other content — PII, external links, embedded objects — that is a separate rule the macro strip does not address.
Does it remove Excel 4.0 (XLM) macros too?
Yes. XLM macro sheets live under xl/macrosheets/, not in vbaProject.bin, and the stripper deletes that folder. Many tools that only target VBA leave XLM behind — this one removes both.
Does the macro code ever run while it is being removed?
No. The tool opens the workbook with JSZip and treats vbaProject.bin as opaque binary to delete. It is never loaded into a VBA host or interpreted, so an auto-open or Workbook_Open payload cannot fire during processing.
Is the file uploaded anywhere?
No. Processing happens entirely in your browser tab. The bytes are read locally, unzipped in memory, repacked, and offered as a download. Nothing is sent to a server.
Can I attach proof that the macro was removed?
Yes. The result reports N macro file(s) removed and lists each removed path. Capture that for your change or security ticket as evidence the file was sanitised before upload.
Will my formulas, charts, and formatting survive?
Yes. Cell values, formulas, data validation, named ranges, conditional formatting, charts, and pivot tables are all repacked unchanged. Only the macro parts are dropped.
What is the file-size limit?
Developer tier allows up to 500 MB per file; Enterprise allows up to 2 GB. There is no row limit because this is a binary ZIP operation, not a row-by-row transform.
Can I strip several workbooks at once?
Not in one click — the tool processes one file per run (the upload control is single-file). Run them sequentially, or script your own JSZip loop if you need true batch.
What tier do I need?
Developer tier or higher. Free, Pro, and Pro-media accounts can see the tool but are blocked at run time with VBA Macro Stripper requires Developer tier.
Why does the output extension change to .xlsx?
The .xlsm extension is Excel's promise that the file may contain macros. Once the macro parts are gone, the honest extension is .xlsx. The tool names the result <original>-no-macros.xlsx.
Does this replace our enterprise scanning gateway?
No. It is preparation so a legitimate workbook clears the gate without a false-positive quarantine. Your organisation's required scanning still runs — the stripper just removes the macro content that would otherwise trip it.
Privacy first
Every JAD Excel tool runs entirely in your browser using SheetJS and ExcelJS. Your spreadsheets, formulas, and data never leave your device — verified by zero outbound network requests during processing.