Archive for February 23rd, 2020

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

I’ve mentioned Excel 4 macros before, a scripting technology that predates VBA.

In that diary entry, I handle .xls files (ole files). Excel 4 macros can also be stored in Office Open XML format files: .xlsm files.

If we take a look at an .xlsm file with Excel 4 macros with, we’ll get this output:

There is no ole file (vbaProject.bin) inside an Excel 4 macro-only file.

We need to take a look with

The presence of the folder macrosheets tells us that there are Excel 4 macro sheets inside this file.

We can look at the content of the XML file:

And pretty-print it with

Now it’s easier to spot the formulas: EXEC("calc.exe") and HALT()

And the Auto_Open can be found in the worksheet XML file:

It’s possible to have both macro types inside the same file: Excel 4 and VBA macros. I’ll cover that in an upcoming diary entry.
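The triage steps above can be combined into one check. This is an added example, not code from the diary or from the author's tools: it lists macro sheet parts, extracts their formulas and looks for an Auto_Open defined name. The part names and the XML layout of the constructed sample (including the name in xl/workbook.xml) are assumptions, and the scanner checks every XML part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, prefer a hardened parser

def local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]

def scan_xlsm(data):
    """Return Excel 4 macro indicators found in an OOXML workbook (bytes)."""
    report = {"vba": False, "macrosheets": [], "formulas": [], "auto_open": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["vba"] = True          # VBA project (ole file) present
            if not lower.endswith(".xml"):
                continue
            is_macrosheet = "/macrosheets/" in lower
            if is_macrosheet:
                report["macrosheets"].append(name)
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue                      # skip malformed parts
            for el in root.iter():
                tag = local(el.tag)
                if is_macrosheet and tag == "f" and el.text:
                    report["formulas"].append(el.text)
                elif tag == "definedName" and "auto_open" in el.get("name", "").lower():
                    report["auto_open"].append((el.get("name"), el.text))
    return report

def build_sample():
    """Constructed sample: a minimal zip, not a complete workbook."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    sheet = ('<macrosheet %s><sheetData><row r="1">'
             '<c r="A1"><f>EXEC("calc.exe")</f></c></row><row r="2">'
             '<c r="A2"><f>HALT()</f></c></row></sheetData></macrosheet>' % ns)
    book = ('<workbook %s><definedNames>'
            '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
            '</definedNames></workbook>' % ns)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", book)
        z.writestr("xl/macrosheets/sheet1.xml", sheet)
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in scan_xlsm(build_sample()).items():
        print(key, value)
```

A report with macro sheets, an Auto_Open name and no vbaProject.bin matches the Excel 4 macro-only case described above.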


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.
