|
Sheets in Excel workbooks can be hidden. To unhide them, right-click a sheet tab and select "Unhide":
Xavier wrote a diary entry about a malicious Excel spreadsheet with Excel 4 macros. Opening the spreadsheet inside a VM, he did not see an Excel 4 macros sheet, nor could he unhide one:
The reason is the following. When you use my tool oledump.py with plugin plugin_biff, you can see that Xavier's malicious Excel 4.0 macro sheet is "very hidden".
The byte value at position 5 in a BOUNDSHEET record defines the visibility of a sheet: visible (0x00), hidden (0x01) or very hidden (0x02).
Visible and hidden can be toggled with Excel's GUI (right-click menu), but very hidden not. You have a couple of options to make a very hidden sheet visible:
Please post a comment if you know other methods.
Didier Stevens |
DidierStevens 432 Posts ISC Handler |
| Reply Subscribe |
Mar 8th 2020 4 weeks ago |
|
With this “very hidden” attribute, are typical AV vendors able to still detect the malicious code?
|
Anonymous |
| Reply Quote |
Mar 8th 2020 4 weeks ago |
|
Interesting question. I would expect AVs to have no problem with this setting, but it's something I should test to be 100% sure.
|
DidierStevens 432 Posts ISC Handler |
| Reply Quote |
Mar 9th 2020 4 weeks ago |
|
The xls file can be converted into a xlsx file. Unzip it. Then, you will find the malicious code is stored in one of the XML files.
|
Anonymous |
| Reply Quote |
Mar 9th 2020 4 weeks ago |
|
In the status bar Libre Office / Open Office shows the number of sheete, including "xlVeryHidden".
With Powershell (for xlsm set the "Application.AutomationSecurity"): $Exc = new-object -ComObject Excel.Application $WB = $Exc.workbooks.open("C:\Temp\Sheets_visible.xlsx") $WB.sheets | Select-Object -Property Name, visible $WB.close() $Exc.Quit() |
Anonymous |
| Reply Quote |
Mar 9th 2020 4 weeks ago |
|
You can also set (or read) this attribute in python using openpyxl.
ws.sheet_state = 'veryHidden' You can still enumerate them from openpyxl and it will show the Very Hidden worksheet so you could script something to enumerate sheet names, read their sheet_state and then act on any returning 'veryHidden'. |
MiffJ 1 Posts |
| Reply Quote |
Mar 13th 2020 3 weeks ago |
|
Turns out the hex string to search for doesn't work for all sheets. The first two bytes can be removed. I used '01 00 02 01 0A 00' as the search for 4 new xls documents that came through and was able to change the 02 to 00 and successfully read the 'very hidden' sheet.
dsplice |
dsplice 12 Posts |
| Reply Quote |
Mar 30th 2020 1 week ago |
|
That is correct dsplice, the first 2 bytes are an offset to the sheet records themselves, and thus this will be different for every sheet.
|
DidierStevens 432 Posts ISC Handler |
| Reply Quote |
Mar 30th 2020 1 week ago |
|
I wrote a Powershell script
https://github.com/denk-core/ExcelSheetUnhide This is simple command line tool with error handling that sets the Visible property of the Excel ComObject, while using the “AutomationSecurity” property on opening. Full documentation on switches and features with usage case scenario examples is available. |
DenK 1 Posts |
| Reply Quote |
Apr 5th 2020 1 day ago |
Sign Up for Free or Log In to start participating in the conversation!
