Archive for March 8th, 2020

Excel Maldocs: Hidden Sheets, (Sun, Mar 8th)

Sheets in Excel workbooks can be hidden. To unhide them, right-click a sheet tab and select “Unhide”:

Xavier wrote a diary entry about a malicious Excel spreadsheet with Excel 4 macros. Opening the spreadsheet inside a VM, he did not see an Excel 4 macros sheet, nor could he unhide one:

The reason is the following. When you use my tool with plugin plugin_biff, you can see that Xavier’s malicious Excel 4.0 macro sheet is “very hidden”.

The byte value at position 5 in a BOUNDSHEET record defines the visibility of a sheet: visible (0x00), hidden (0x01) or very hidden (0x02).

Visible and hidden can be toggled with Excel’s GUI (right-click menu), but very hidden not.

You have a couple of options to make a very hidden sheet visible:

  • Use a tool like ShowSheets
  • Change a sheet’s visible property programmatically
  • Use VBE
  • Use a hex editor (in this example, search for 3A 84 01 00 02 01 0A 00 and replace 02 with 00)

Please post a comment if you know other methods.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →