SANS ISC: SANS Internet Storm Center

Excel 4 Macros: "Abnormal Sheet Visibility"

Published: 2020-10-26
Last Updated: 2020-10-26 21:53:07 UTC
by Didier Stevens (Version: 1)

Excel 4 macros are composed of formulas (commands) and values stored inside a sheet.

Each sheet in a spreadsheet can be "visible", "hidden" or "very hidden". Malware authors will often make Excel 4 macro sheets hidden or very hidden.

In .xls files, spreadsheet data is stored in the Workbook stream as a sequence of BIFF records. There is a BIFF record for each sheet: the BOUNDSHEET record. Its fifth byte (offset 4, immediately after the 4-byte stream offset of the sheet's BOF record) defines the visibility of the sheet: visible (0x00), hidden (0x01) or very hidden (0x02).

Only the 2 least significant bits of this byte encode the visibility. Per Microsoft's documentation, the 6 more significant bits are unused and must be ignored by readers. In spreadsheets created with Excel, these bits are set to 0.

From time to time, I find malicious Excel 4 macro documents where these bits are not zero.

oledump's plugin_biff will report this as "reserved bits not zero".

In that case the "visibility" byte is 0x0A, that is 0x08 + 0x02: the unused bit 3 is set, and the 2 least significant bits are 0x02, so the sheet is very hidden.

Excel has no problem at all opening a spreadsheet like this (the unused bits must be ignored). But if you use or develop detection rules (YARA, Suricata, ...), be aware that these unused bits can be set to 1 instead of 0: a rule that compares the whole byte with 0x01 or 0x02 will miss such a sheet, so test only the 2 least significant bits (the byte masked with 0x03).

You might wonder about the 2 bits used to encode visibility. Three values are defined: visible (0x00), hidden (0x01) and very hidden (0x02).

What about 0x03?

When a sheet's visibility is set to 0x03 (I do this by patching the .xls with a binary editor), my tests with Excel 2016 and 2019 show that an Excel 4 macro sheet behaves as "very hidden", and the macro code is executed.

However, before the user is prompted to enable macros, Excel displays extra warnings that the user has to click through.
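The following parser is an added example, not code from the diary or from oledump: it walks a BIFF record stream, decodes every BOUNDSHEET record the way plugin_biff does, masks the visibility byte with 0x03, and flags the two anomalies discussed above (unused bits set, and the undocumented value 0x03) together with hidden Excel 4 macro sheets. The sheet-type byte that follows the visibility byte (0x01 = Excel 4 macro sheet) comes from Microsoft's MS-XLS documentation. The Workbook stream in SAMPLE_STREAM is constructed inline for the example (a zeroed BOF record, three BOUNDSHEET records and an EOF record) rather than extracted from a real file; in practice you would feed it the Workbook stream extracted with oledump.

```python
import struct

# BIFF record types (MS-XLS)
BOF = 0x0809
EOF = 0x000A
BOUNDSHEET = 0x0085

# Low 2 bits of the BOUNDSHEET state byte; 0x03 is not documented.
VISIBILITY = {
    0x00: "visible",
    0x01: "hidden",
    0x02: "very hidden",
    0x03: "0x03 (undocumented, behaves as very hidden)",
}
# Sheet type byte that follows the state byte (MS-XLS dt field).
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4 macro sheet", 0x02: "chart", 0x06: "VBA module"}


def iter_biff_records(stream):
    """Yield (record_type, data) for each BIFF record: 2-byte type, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4 : pos + 4 + length]
        if len(data) < length:
            break  # truncated record: stop rather than misparse
        yield rtype, data
        pos += 4 + length


def parse_boundsheet(data):
    """Decode a BIFF8 BOUNDSHEET record: lbPlyPos(4) hsState(1) dt(1) ShortXLUnicodeString."""
    if len(data) < 8:
        raise ValueError("BOUNDSHEET record too short")
    ply_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", data, 0)
    if flags & 0x01:  # fHighByte: name stored as UTF-16LE
        name = data[8 : 8 + 2 * cch].decode("utf-16-le", errors="replace")
    else:
        name = data[8 : 8 + cch].decode("latin-1")
    visibility = hs_state & 0x03  # only the 2 least significant bits count
    return {
        "name": name,
        "bof_offset": ply_pos,
        "raw_state": hs_state,
        "visibility": visibility,
        "visibility_name": VISIBILITY[visibility],
        "reserved_bits_nonzero": (hs_state >> 2) != 0,
        "sheet_type": dt,
        "sheet_type_name": SHEET_TYPES.get(dt, "unknown (0x%02X)" % dt),
    }


def scan_sheets(stream):
    """Return the decoded BOUNDSHEET records of a Workbook stream, in order."""
    return [parse_boundsheet(data) for rtype, data in iter_biff_records(stream) if rtype == BOUNDSHEET]


def suspicious(sheet):
    """Findings an analyst would want to see for one sheet (empty list = nothing odd)."""
    findings = []
    if sheet["sheet_type"] == 0x01 and sheet["visibility"] != 0x00:
        findings.append("Excel 4 macro sheet is %s" % sheet["visibility_name"])
    if sheet["reserved_bits_nonzero"]:
        findings.append("reserved bits not zero (state byte 0x%02X)" % sheet["raw_state"])
    if sheet["visibility"] == 0x03:
        findings.append("visibility 0x03 is undocumented; Excel 2016/2019 treat it as very hidden and run the macro")
    return findings


# --- constructed sample stream (not from a real file) ---
def biff_record(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def boundsheet(ply_pos, hs_state, dt, name):
    raw = name.encode("latin-1")
    return biff_record(BOUNDSHEET, struct.pack("<IBBBB", ply_pos, hs_state, dt, len(raw), 0) + raw)


SAMPLE_STREAM = (
    biff_record(BOF, bytes(16))                     # zeroed BOF, enough for this parser
    + boundsheet(0x0100, 0x00, 0x00, "Sheet1")      # ordinary visible worksheet
    + boundsheet(0x0200, 0x0A, 0x01, "Macro1")      # 0x08 | 0x02: unused bit set, very hidden macro sheet
    + boundsheet(0x0300, 0x03, 0x01, "Macro2")      # the undocumented 0x03 value
    + biff_record(EOF, b"")
)

if __name__ == "__main__":
    for sheet in scan_sheets(SAMPLE_STREAM):
        print("%-8s %-20s state=0x%02X %s" % (sheet["name"], sheet["sheet_type_name"], sheet["raw_state"], sheet["visibility_name"]))
        for finding in suspicious(sheet):
            print("    !", finding)
```

The same masking idea applies to signature formats that cannot mask bits: a YARA hex string that tests this byte for "very hidden" should not be written as a single `02`, but as the alternation `( ?2 | ?6 | ?A | ?E )` (every byte whose 2 least significant bits are 10), otherwise the 0x0A variant above slips past the rule.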

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
