Maldoc: Excel 4.0 Macros

Published: 2019-03-16
Last Updated: 2019-03-16 22:50:07 UTC
by Didier Stevens (Version: 1)
4 comment(s)

I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, i.e. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:

  • There's a hidden Excel 4.0 macro sheet
  • There's a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
  • There's a formula with a call to the EXEC function
  • In this sample, the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute an MSI file
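The first indicator in the list above, a hidden Excel 4.0 macro sheet, is recorded in the BOUNDSHEET records of the BIFF8 Workbook stream. The following is an added example, not code from this diary entry or from oledump.py: it assumes the Workbook stream bytes have already been extracted, and the function names and the sample stream are constructed for illustration.

```python
import struct

BOUNDSHEET = 0x0085  # BIFF8 record describing one sheet of the workbook
STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}

def biff_records(stream):
    """Yield (record_type, payload) for each BIFF record in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + size]
        if len(payload) < size:  # truncated record: stop instead of guessing
            return
        yield rtype, payload
        pos += 4 + size

def list_sheets(stream):
    """Return (name, type, state) for every BOUNDSHEET record."""
    sheets = []
    for rtype, payload in biff_records(stream):
        if rtype != BOUNDSHEET or len(payload) < 8:
            continue
        # Bytes 0-3 hold the sheet's stream offset; then state, type, name length, flags
        state, kind, cch, flags = struct.unpack_from("<BBBB", payload, 4)
        raw = payload[8:]
        # flags bit 0 set: UTF-16LE name, otherwise one byte per character
        name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
        sheets.append((name, TYPES.get(kind, hex(kind)), STATES.get(state & 3, "unknown")))
    return sheets

def hidden_macro_sheets(stream):
    """Names of Excel 4.0 macro sheets that are not visible."""
    return [n for n, t, s in list_sheets(stream) if t == TYPES[0x01] and s != "visible"]

def _rec(rtype, payload):
    """Hypothetical helper: build one BIFF record for the constructed sample."""
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, kind, state):
    """Hypothetical helper: build a BOUNDSHEET record with a one-byte-per-char name."""
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, kind, len(name), 0) + name.encode("latin-1"))

# Constructed sample: BOF, one visible worksheet, one hidden macro sheet, EOF
SAMPLE = (_rec(0x0809, bytes(16)) + _boundsheet("Sheet1", 0x00, 0)
          + _boundsheet("Macro1", 0x01, 1) + _rec(0x000A, b""))

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE):
        print(sheet)
```

A sheet reported as "very hidden" cannot be unhidden from the Excel user interface, so it is worth flagging together with "hidden".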

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Comments

Thank you Didier
Site security training is down ?
You're welcome Netmanzim.

To what site are you referring?
https://www.sans.org/account/loginsso
not able to log in, but the site is up and not down, sorry,
login scripts not working, maybe from my endpoint cookies
