Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Obfuscated Excel 4 Macros

Published: 2020-03-29
Last Updated: 2020-03-29 14:53:19 UTC
by Didier Stevens (Version: 1)
1 comment(s)

2 readers (anonymous and Robert) submitted very similar malicious spreadsheets with almost no detections on VT: c1394e8743f0d8e59a4c7123e6cd5298 and a03ae50077bf6fad3b562241444481c1.

These files contain Excel 4 macros (checking with oledump.py here):

There are a lot of cells in this spreadsheet with a call to the CHAR function:

These CHAR formulas evaluate to ASCII characters, that are then concatenated together and evaluated as formulas:

I can extract the integer argument of each CHAR function like this with my tool re-search.py:

That can then be converted to characters using my tool numbers-to-string.py:

The string above is build-up of all the cells with function CHAR in the spreadsheet. That's why the produced string looks promising, but the characters don't seem to be in the right order.

Selecting characters on the same row doesn't help:

But selecting by column does reveal the formulas:

Analyzing obfuscated Excel 4 macros with a command-line tool like this can be difficult, and it can be easier to view the Excel 4 macro sheet inside a VM (this sheet was very hidden):

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: excel4 macros maldoc
1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Covid19 Domain Classifier
Mar 28th 2020
1 day ago by DidierStevens (0 comments)

Malicious JavaScript Dropping Payload in the Registry
Mar 27th 2020
2 days ago by Xme (0 comments)

Very Large Sample as Evasion Technique?
Mar 26th 2020
3 days ago by Xme (0 comments)

Recent Dridex activity
Mar 25th 2020
4 days ago by Brad (0 comments)

Another Critical COVID-19 Shortage: Digital Security
Mar 24th 2020
5 days ago by Russ McRee (0 comments)

Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
Mar 24th 2020
5 days ago by DidierStevens (0 comments)

KPOT Deployed via AutoIt Script
Mar 23rd 2020
6 days ago by DidierStevens (0 comments)

More COVID-19 Themed Malware
Mar 22nd 2020
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

testgvbgjbhjb.com
created Mar 10th 2020
2 weeks ago by Bill (18 replies)

DShield analysis
created Mar 1st 2020
4 weeks ago by Anonymous (0 replies)

Setting up a security champions network.
created Feb 24th 2020
1 month ago by Anonymous (0 replies)

Wireshark - To analyze "TCP sequence numbers" or not to analyze.
created Feb 15th 2020
1 month ago by Anonymous (0 replies)

TikTok app possibly using DNS over HTTPS directly
created Feb 15th 2020
1 month ago by jauntysankey (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
9 months ago by Brad (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
9 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Verifying Running Processes against VirusTotal - Domain-Wide
Jun 28th 2019
9 months ago by Rob VandenBrink (0 comments)