I’ve received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.
Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:
To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, e.g. Excel 4.0 macros):
When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:
- There’s a hidden Excel 4.0 macro sheet
- There’s a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
- There’s a formula with a call to the EXEC function
- In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute a msi file
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.