Excel 4.0 Macro MalSpam Campaigns - SpiderLabs
Following the recent blog post by my colleague Rodel Mendrez, we looked at last month's spam that uses Excel 4.0 macros and found some interesting examples. Both campaigns use a fake invoice theme, and both use Excel 4.0 macros to download malicious executables.
Example 1: Hidden Excel 4.0 macro sheet whose formulas are downloaded via a web query
Figure 1: The first spam sample using Excel 4.0 macros, as displayed in the Trustwave Secure Email Gateway (SEG).
The first spam campaign carries an archive containing a fake invoice, new_Invoice 0962.xls. Since the fake invoice is an Excel file in the Compound File Binary Format (CFBF), we can unpack its streams with 7-Zip to gather more static information about the attachment.
Figure 2: DocumentSummaryInformation stream of the attachment new_Invoice 0962.xls, extracted with 7-Zip
The DocumentSummaryInformation stream indicates that the attachment contains an Excel 4.0 macro. The Excel file consists of two sheets: Sheet1 and 8XoaRgSmhZwAxAOJuv2a. In addition, Sheet1 contains a reference to a cell or range of cells named SzpmQrOQqq4E98Rm40RZ7.
Looking at the Workbook stream, two strings indicate a connection to an external data source: the string "Connection" and the URL hxxps://emmnebuc[.]xyz/SDVJKBsdkhv1.
Figure 3: Workbook stream, extracted as in Figure 2
The Workbook stream follows the Binary Interchange File Format (BIFF) specification. Using the BiffView tool, we inspect the BIFF records of the attachment new_Invoice 0962.xls and focus on the records related to the observations above: BOUNDSHEET and DCONN.
There are two BIFF BOUNDSHEET records in the attachment, each holding information about one sheet. The first record is for Sheet1, a visible worksheet, and the second is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.
Figure 4: The BIFF BOUNDSHEET records of new_Invoice 0962.xls
The BIFF DCONN record stores information about a data connection. new_Invoice 0962.xls has one DCONN record, and it indicates that Excel will execute a web query named Connection whose result goes into the corresponding Excel table object, Sheet1!SzpmQrOQqq4E98Rm40RZ7.
Figure 5: BIFF DCONN record of the Excel attachment
With these characteristics of new_Invoice 0962.xls established, we can now examine the macro and data connection behaviour further by opening the file in Microsoft Excel.
Figure 6: The Unhide option is enabled because the workbook contains a hidden sheet.
The Name Manager on the Excel Formulas tab lists five defined names. The first four are defined names for cells on the hidden sheet 8XoaRgSmhZwAxAOJuv2a; the first of them, Auto_Open, serves as the auto-start entry point for the formulas on the macro sheet. The fifth name refers to a cell range on Sheet1 and is the Excel table object that the web query fills.
Figure 7: The Excel table object linked to the data connection
Once the data connection is enabled, the web query executes immediately and its result is written to Sheet1!$Y$100:$Y$103, the cell range to which the fifth defined name refers.
Figure 8: The formula loaded after enabling the data connection
The formula retrieved by the web query contains Excel 4.0 macro functions and therefore does not work on Sheet1. When macros are enabled, it is copied to the Excel 4.0 macro sheet and finally executed there.
Figure 9: FORMULA.FILL places the loaded formula on the Excel 4.0 macro sheet, where it is executed.
The loaded formula serves as the loader for the second stage. It downloads a DLL from hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, saves it as an .html file in the %public% directory and executes it. At the time of writing, the URL is unfortunately no longer available.
Example 2: Very hidden Excel 4.0 macro sheet that downloads an executable
Figure 9: The second fake-invoice spam sample, as displayed in SEG
In the second spam sample, the Excel file is attached directly to the e-mail. With BiffView, we checked whether Invoice_372571.xls contains an Excel 4.0 macro.
Figure 10: The BIFF BOUNDSHEET records of Invoice_372571.xls, as shown by BiffView.
As with the first spam sample, the malicious behaviour lives in the Excel 4.0 macro sheet. The macro sheet carries the "very hidden" property, so it does not even appear in the Unhide dialog. To display the sheet, its BIFF BOUNDSHEET record must be modified: the fifth byte of the first record in Figure 10 changes from 02:00 to 00:00.
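The BIFF-level checks used in both examples (the BOUNDSHEET sheet type and hidden state, the Auto_Open defined name, the presence of a DCONN record, and the 02 -> 00 hsState patch that reveals a very hidden sheet) can be reproduced without BiffView. The following Python scanner is an added example written for this post; it is not SpiderLabs' or BiffView's code. It parses the record layouts as documented in Microsoft's MS-XLS specification, only reports the presence of DCONN records without decoding their connection strings, and the sample Workbook stream at the bottom is constructed by hand (reusing the sheet name from sample 2) rather than taken from either attachment.

```python
"""Added example: scan a BIFF8 Workbook stream for the Excel 4.0 macro indicators
discussed in this post (hidden/very hidden macro sheets, an Auto_Open defined
name, DCONN data-connection records). Not SpiderLabs or BiffView code."""
import struct

# BIFF record ids (MS-XLS specification)
REC_BOUNDSHEET = 0x0085   # one per sheet: stream offset, hidden state, sheet type, name
REC_LBL = 0x0018          # defined name (what the Name Manager lists)
REC_DCONN = 0x0876        # data connection (web query / external data source)

SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet (XLM)", 0x02: "chart", 0x06: "VBA module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}

def iter_records(data):
    """Yield (record_id, data_offset, payload); a BIFF record is a 2-byte id, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(data):
        rec_id, length = struct.unpack_from("<HH", data, pos)
        yield rec_id, pos + 4, data[pos + 4:pos + 4 + length]
        pos += 4 + length

def decode_string(buf, pos, cch):
    """Decode a BIFF8 string body: 1 flag byte (bit 0 = UTF-16LE) followed by cch characters."""
    if buf[pos] & 0x01:
        return buf[pos + 1:pos + 1 + 2 * cch].decode("utf-16-le")
    return buf[pos + 1:pos + 1 + cch].decode("latin-1")

def parse_boundsheet(payload):
    _bof_offset, hs_state, sheet_type = struct.unpack_from("<IBB", payload, 0)
    return {"name": decode_string(payload, 7, payload[6]),      # byte 6 = cch, byte 7 = flags
            "hidden": HIDDEN_STATES.get(hs_state & 0x03, "?"),   # the byte patched in Figure 10
            "type": SHEET_TYPES.get(sheet_type, "unknown(0x%02x)" % sheet_type)}

def parse_lbl(payload):
    """Defined name: flags, chKey, cch, cce, reserved, itab, 4 reserved bytes, name, formula (rgce)."""
    flags, _ch_key, cch, _cce, _res, itab = struct.unpack_from("<HBBHHH", payload, 0)
    builtin = bool(flags & 0x0020)                               # fBuiltin
    name = decode_string(payload, 14, cch)
    if builtin and cch == 1:                                     # built-in names are a 1-byte id
        name = {0x01: "Auto_Open", 0x02: "Auto_Close"}.get(payload[15], "builtin(0x%02x)" % payload[15])
    return {"name": name, "builtin": builtin, "sheet_index": itab}

def scan_workbook_stream(data):
    report = {"sheets": [], "names": [], "dconn_records": 0}
    for rec_id, _off, payload in iter_records(data):
        if rec_id == REC_BOUNDSHEET:
            report["sheets"].append(parse_boundsheet(payload))
        elif rec_id == REC_LBL:
            report["names"].append(parse_lbl(payload))
        elif rec_id == REC_DCONN:
            report["dconn_records"] += 1   # payload (connection name, URL) not modelled here
    return report

def indicators(report):
    """Plain-language reasons to look closer; an empty list means none of the indicators is present."""
    hits = []
    for s in report["sheets"]:
        if s["type"].startswith("macro sheet"):
            hits.append("Excel 4.0 macro sheet '%s' is %s" % (s["name"], s["hidden"]))
    if any(n["name"] == "Auto_Open" for n in report["names"]):
        hits.append("Auto_Open defined name: the macro runs as soon as the workbook opens")
    if report["dconn_records"]:
        hits.append("%d DCONN record(s): the workbook has a data connection, possibly a web query" % report["dconn_records"])
    return hits

def reveal_hidden_sheets(data):
    """Copy of the stream with every BOUNDSHEET hsState cleared, the 02 -> 00 edit from Figure 10."""
    out = bytearray(data)
    for rec_id, off, _payload in iter_records(data):
        if rec_id == REC_BOUNDSHEET:
            out[off + 4] &= 0xFC        # hsState is the fifth byte of the record data
    return bytes(out)

# --- constructed sample stream (hand-built, not bytes from either real attachment) ---
def record(rec_id, payload):
    return struct.pack("<HH", rec_id, len(payload)) + payload

def boundsheet(name, hs_state, sheet_type):
    raw = name.encode("latin-1")
    return record(REC_BOUNDSHEET, struct.pack("<IBB", 0, hs_state, sheet_type) + bytes([len(raw), 0]) + raw)

def builtin_auto_open(itab):
    # fBuiltin flag set, cch = 1, no formula bytes, name body = flags 0x00 + built-in id 0x01
    return record(REC_LBL, struct.pack("<HBBHHH", 0x0020, 0, 1, 0, 0, itab) + b"\x00" * 4 + b"\x00\x01")

SAMPLE_STREAM = (
    boundsheet("Sheet1", 0x00, 0x00)          # visible worksheet
    + boundsheet("sygfdesy", 0x02, 0x01)      # very hidden Excel 4.0 macro sheet, as in sample 2
    + builtin_auto_open(itab=2)
    + record(REC_DCONN, b"\x00" * 8)          # dummy payload; only the record's presence matters here
)
```

To run it against a real .xls, extract the Workbook stream from the OLE container first (for instance with the third-party olefile package: olefile.OleFileIO(path).openstream("Workbook").read()) and pass the bytes to scan_workbook_stream(); reveal_hidden_sheets() returns a patched copy of the stream that you would write back into the container to inspect the sheet in Excel. The example assumes BIFF8 string encoding; older BIFF5 files store sheet names without the flag byte and are not handled.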
Figure 11: The modified Invoice_372571.xls. The Name Manager shows only one defined name, Auto_Open, which points to the formerly very hidden macro sheet.
The macro sheet contains a chain of RUN functions that starts at the cell referenced by Auto_Open and leads to the execution of the formula in sygfdesy!$CY$375. Invoice_372571.xls downloads hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and runs it under the name C:Intelsgift.exe.
Figure 12: Execution sequence of the Excel 4.0 macro
Excel 4.0 macros were introduced almost 28 years ago, and only a year later they were overshadowed by VBA, introduced with Excel 5.0. Recently, however, we have noticed malware authors making increasing use of this feature, which Excel still supports.
Malicious Excel 4.0 macros are harder to analyze and detect than VBA macros. VBA macros have their own dedicated streams, whereas Excel 4.0 macros are stored as BIFF records inside the Workbook stream.
Note that, just like VBA macros, these threats will not run if macros are disabled in the Trust Center settings. So if you are not sure of the sender and the source, do not enable these macros.
new_invoice 0962.xls (185344 bytes) SHA1: 16476552B017B61C01152D624F038BBE895E52EE
Invoice_372571.xls (65024 bytes) SHA1: 96 AE371021192490B5DA7911329ED2DBC837D