
SANS ISC: Maldoc: Excel 4.0 Macros - SANS Internet Storm Center SANS ISC InfoSec Forums


Maldoc: Excel 4.0 Macros

I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last few weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use the plugin plugin_biff with option -x (xlm, i.e. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like that in the screenshot above:

  • There's a hidden Excel 4.0 macro sheet
  • There's a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
  • There's a formula with a call to the EXEC function
  • In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute an MSI file
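
The first three indicators above can also be read directly from the BIFF8 records. The following Python example is added here and is not code from the diary or from oledump.py: it assumes the Workbook stream has already been extracted from the OLE file and is not encrypted, and its function names, the constructed sample stream and the byte-scan heuristic for EXEC are assumptions of this example.

```python
import struct

BOUNDSHEET, LBL, FORMULA = 0x0085, 0x0018, 0x0006   # BIFF8 record types
STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
EXEC = b"\x6e\x00"   # function index 0x006E (EXEC), little-endian

def records(stream):
    """Yield (type, payload) per BIFF record: 2-byte type, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen

def xlm_indicators(stream):
    """Report macro sheets, the built-in Auto_Open name and formulas calling EXEC."""
    found = []
    for rtype, data in records(stream):
        if rtype == BOUNDSHEET and len(data) >= 8 and data[5] == 0x01:
            # data[4] low 2 bits: visibility; data[5]: sheet type (0x01 = macro sheet)
            cch, wide = data[6], data[7] & 1
            raw = data[8:8 + cch * (2 if wide else 1)]
            name = raw.decode("utf-16-le" if wide else "latin-1")
            found.append(("macro_sheet", name, STATES.get(data[4] & 3, "unknown")))
        elif rtype == LBL and len(data) >= 16:
            # fBuiltin flag (0x0020) plus a one-character name 0x01 means Auto_Open
            flags = struct.unpack_from("<H", data)[0]
            if flags & 0x0020 and data[3] == 1 and data[15] == 0x01:
                found.append(("auto_open",))
        elif rtype == FORMULA and len(data) >= 22:
            rgce = data[22:22 + struct.unpack_from("<H", data, 20)[0]]
            # Heuristic byte scan (may false-positive): PtgFuncVar, arg count, EXEC
            for i in range(len(rgce) - 3):
                if rgce[i] in (0x22, 0x42, 0x62) and rgce[i + 2:i + 4] == EXEC:
                    found.append(("exec_call", struct.unpack_from("<HH", data)))
                    break
    return found

def rec(rtype, data):   # builds one record for the constructed sample below
    return struct.pack("<HH", rtype, len(data)) + data

# Constructed sample stream, not taken from the diary's sample
RGCE = b"\x17\x07\x00msiexec" + b"\x42\x01" + EXEC   # PtgStr "msiexec", PtgFuncVar EXEC
SAMPLE = (
    rec(BOUNDSHEET, struct.pack("<IBB", 0, 0, 0) + b"\x06\x00Sheet1")
    + rec(BOUNDSHEET, struct.pack("<IBB", 0, 1, 1) + b"\x06\x00Macro1")
    + rec(LBL, struct.pack("<HBBHHH4x", 0x0020, 0, 1, 0, 0, 0) + b"\x00\x01")
    + rec(FORMULA, bytes(20) + struct.pack("<H", len(RGCE)) + RGCE)
)
```

Calling `xlm_indicators(SAMPLE)` returns one finding per indicator; the `exec_call` entry carries the (row, column) of the formula cell.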

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

373 Posts
ISC Handler
Thank you Didier
Netmanzim

38 Posts
Site security training is down?
Netmanzim

38 Posts
You're welcome Netmanzim.

To what site are you referring?
DidierStevens

373 Posts
ISC Handler
https://www.sans.org/account/loginsso
Not able to log in, but the site is up and not down, sorry,
login scripts not working, maybe from my endpoint cookies
Netmanzim

38 Posts
