Blog

Archive for March 16th, 2019

Maldoc: Excel 4.0 Macros, (Sat, Mar 16th)

I’ve received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, e.g. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:

  • There’s a hidden Excel 4.0 macro sheet
  • There’s a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
  • There’s a formula with a call to the EXEC function
  • In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute a msi file

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →