Maldoc: Excel 4 Macros and VBA, Devil and Angel?

Published: 2020-02-24
Last Updated: 2020-02-24 18:44:26 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Philippe Lagadec, the developer of ole-tools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.

Here is the VBA code:

It's just displaying a message box about a problem, and when the user clicks the OK button, it attempts to close Excel. Nothing nefarious here.

And here are the Excel 4 macros:

Launching a PowerShell command. A downloader: that's nefarious.

This sample might well be a PoC, but it's great to illustrate that both scripting technologies (ancient Excel 4 macros and old VBA) can coexist in the same document.

When you analyze potential malicious Excel files, it's best to check both for the presence of Excel 4 macros and VBA code.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: excel4 macros maldoc vba
0 comment(s)
ISC Stormcast For Monday, February 24th 2020 https://isc.sans.edu/podcastdetail.html?id=6880

Comments


Diary Archives