
More Excel 4.0 Macro MalSpam Campaigns

In light of the recent blog by my colleague Rodel Mendrez, we looked back at spam encountered over the past month that leverages Excel 4.0 macros and found some interesting samples. Both campaigns use a fake invoice theme, and both utilize Excel 4.0 macros to download malicious binaries.

Sample 1: Hidden Excel 4.0 Macro Sheet Downloads Via Web Query

Figure 1: Trustwave Security Email Gateway (SEG) displaying the first Excel 4.0 spam


The attachment in the first spam campaign is an archive containing a fake invoice, new_Invoice 0962.xls. As the fake invoice is an Excel file that follows the Compound File Binary Format (CFBF), we can extract its streams with 7-Zip to gather more information about the attachment statically.

Figure 2: The DocumentSummaryInformation stream of the attachment new_Invoice 0962.xls obtained using 7-Zip


The DocumentSummaryInformation stream indicates that the attachment contains an Excel 4.0 macro. The Excel file has two sheets, namely Sheet1 and 8XoaRgSmhZwAxAOJuv2a. Furthermore, Sheet1 has a reference to a cell or range of cells named SzpmQrOQq4E98Rm40RZ7.

Browsing the Workbook stream, we observe two strings signifying that the attachment will make an external data source connection: the string ‘Connection’ and the URL ‘hxxps://emmnebuc[.]xyz/SDVJKBsdkhv1’.


Figure 3: The Workbook stream shown in Figure 2, viewed in Hiew


The Workbook stream follows the Binary Interchange File Format (BIFF) specification. Using the tool BiffView, we inspect the BIFF records of new_Invoice 0962.xls and focus on the records associated with the observations above: BOUNDSHEET and DCONN.

The attachment has two BIFF BOUNDSHEET records, which hold the sheet information. The first record is for Sheet1, a visible worksheet, while the second is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.


Figure 4: The BIFF BOUNDSHEET records of new_Invoice 0962.xls


The BIFF DCONN record stores information about data connections. new_Invoice 0962.xls has a DCONN record indicating that Excel will perform a Web Query under the connection name “Connection”, and that the Excel object associated with it is Sheet1!SzpmQrOQq4E98Rm40RZ7.


Figure 5: The BIFF DCONN record of the Excel attachment


Now equipped with the characteristics of new_Invoice 0962.xls, we can investigate the macro and the data connection in more detail in Microsoft Excel.


Figure 6: The attachment opened in MS Excel; the Unhide option on Sheet1 is enabled because a hidden sheet exists


In Excel’s Formulas tab under Name Manager, the attachment has five defined names. The first four are defined names for cells in the hidden sheet 8XoaRgSmhZwAxAOJuv2a; the first of these, ‘Auto_Open’, serves as the autorun entry point for the formulas contained in the macro sheet. The fifth name refers to a range of cells in Sheet1 and is the Excel object that will trigger the Web Query.


Figure 7: The defined names, including the Excel object linked to the data connection


Once the data connection setting is enabled, the Web Query is performed immediately and its return value is placed in Sheet1!$Y$100:$Y$103, the range of cells referred to by the fifth defined name.


Figure 8: Formula downloaded once the data connection setting is enabled


The formula obtained through the Web Query contains Excel 4.0 macro functions, so it will not execute in Sheet1, which is a regular worksheet. If macros are enabled, the formula is copied into the Excel 4.0 macro sheet and eventually executed there.


Figure 9: Using Formula.Fill, the downloaded formula is copied to the hidden Excel 4.0 macro sheet, where it is executed


The downloaded formula serves as the second-stage downloader. It downloads a DLL from hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, saves it as an .html file in the %public% folder, and executes it. Unfortunately, the URL was no longer accessible as of this writing.


Sample 2: Very Hidden Excel 4.0 Macro Sheet Downloader


Figure 9: SEG displaying the second fake invoice spam


With the second spam sample, the Excel file is attached directly to the email. Using BiffView, we verified that invoice_372571.xls contains an Excel 4.0 macro.


Figure 10: The BIFF BOUNDSHEET records of the attachment invoice_372571.xls obtained using BiffView


Just like the first spam sample, the malicious behavior of the attachment arises from an Excel 4.0 macro sheet. This macro sheet is marked ‘very hidden’, so it does not appear in the Unhide dialog box at all. To view the macro, we must modify its BIFF BOUNDSHEET record: the fifth byte of the first record shown in Figure 10 (the hsState field) is changed from 02h (very hidden) to 00h (visible).
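The BOUNDSHEET and DCONN checks described for both samples, and the hsState patch used to expose the very hidden sheet, can be scripted once the Workbook stream has been pulled out of the CFBF container (with 7-Zip, as above, or a library such as olefile). The following Python is an added example, not code from the post or from Trustwave; it walks BIFF records directly, and the two Workbook streams it parses are constructed in the script to mirror the two samples (a hidden macro sheet plus a DCONN record, and a very hidden macro sheet), so the offsets and field layouts it relies on come from the MS-XLS BoundSheet8 record format rather than from the real attachments.

```python
import struct

# Record ids from the MS-XLS specification.
BOUNDSHEET = 0x0085  # BoundSheet8: one record per sheet
DCONN = 0x0876       # DConn: external data connection (Web Query etc.)
EOF = 0x000A

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}


def _record(rec_id, data):
    """BIFF record: 2-byte id, 2-byte data length, data (all little-endian)."""
    return struct.pack("<HH", rec_id, len(data)) + data


def _boundsheet(name, hs_state, dt):
    """BoundSheet8 body: lbPlyPos(4) hsState(1) dt(1) cch(1) fHighByte(1) name bytes."""
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(raw), 0) + raw)


# Constructed sample streams (not the real attachments): the first mirrors sample 1
# (hidden macro sheet plus DCONN), the second mirrors sample 2 (very hidden macro sheet).
SAMPLE1_WORKBOOK = (
    _boundsheet("Sheet1", 0, 0x00)
    + _boundsheet("8XoaRgSmhZwAxAOJuv2a", 1, 0x01)
    + _record(DCONN, b"\x00" * 8)  # body content is irrelevant for a presence check
    + _record(EOF, b"")
)
SAMPLE2_WORKBOOK = (
    _boundsheet("sygfdfdfdesie", 2, 0x01)
    + _boundsheet("Sheet1", 0, 0x00)
    + _record(EOF, b"")
)


def iter_records(stream):
    """Yield (offset, record_id, data) for every record in a BIFF stream."""
    off = 0
    while off + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, off)
        yield off, rec_id, stream[off + 4:off + 4 + length]
        off += 4 + length


def parse_boundsheets(stream):
    """Decode every BOUNDSHEET record into sheet name, visibility and sheet type."""
    sheets = []
    for off, rec_id, data in iter_records(stream):
        if rec_id != BOUNDSHEET or len(data) < 8:
            continue
        hs_state = data[4] & 0x03   # fifth data byte: 00 visible, 01 hidden, 02 very hidden
        dt = data[5]                # sheet type; 01 is an Excel 4.0 macro sheet
        cch = data[6]
        high_byte = data[7] & 0x01  # 1 = UTF-16LE characters, 0 = single-byte characters
        raw = data[8:8 + cch * (2 if high_byte else 1)]
        name = raw.decode("utf-16-le" if high_byte else "latin-1", errors="replace")
        sheets.append({
            "name": name,
            "hs_state": hs_state,
            "state": HS_STATE.get(hs_state, "unknown"),
            "dt": dt,
            "type": SHEET_TYPE.get(dt, "unknown"),
            "hs_state_offset": off + 4 + 4,  # record header (4) + lbPlyPos (4)
        })
    return sheets


def has_dconn(stream):
    """True when the workbook defines an external data connection."""
    return any(rec_id == DCONN for _, rec_id, _ in iter_records(stream))


def triage(stream):
    """Findings an analyst wants first: concealed XLM sheets and data connections."""
    findings = []
    for s in parse_boundsheets(stream):
        if s["dt"] == 0x01 and s["hs_state"] != 0:
            findings.append(f"{s['state']} Excel 4.0 macro sheet: {s['name']}")
    if has_dconn(stream):
        findings.append("DCONN record present: external data connection (Web Query) defined")
    return findings


def unhide_sheets(stream):
    """Copy of the stream with every hsState cleared to 00h (visible), the manual patch from sample 2."""
    buf = bytearray(stream)
    for s in parse_boundsheets(stream):
        buf[s["hs_state_offset"]] &= 0xFC
    return bytes(buf)


if __name__ == "__main__":
    for label, wb in (("sample 1", SAMPLE1_WORKBOOK), ("sample 2", SAMPLE2_WORKBOOK)):
        print(label, triage(wb))
```

Only the low two bits of the hsState byte are cleared, so any reserved bits survive the patch and the record length is unchanged; the patched stream then lists every sheet as visible, which is exactly what lets the Unhide dialog show the macro sheet.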


Figure 11: The modified attachment invoice_372571.xls; Name Manager contains just one defined name, and the initially ‘very hidden’ macro sheet can now be seen when the Auto_Open reference is clicked


The macro sheet contains a series of RUN functions starting from the Auto_Open reference cell, which leads to the execution of the formula in sygfdfdfdesie!$CY$375. The attachment invoice_372571.xls downloads hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and executes it as C:\Intels\gift.exe.


Figure 12: The Excel 4.0 macro execution flow leading to the downloaded binary



Excel 4.0 macros were introduced almost 28 years ago, and just a year after their launch they were overshadowed by VBA, which arrived in Excel 5.0. Recently, however, we have noticed that malware authors increasingly utilize this still-supported functionality in Excel.

Malicious Excel 4.0 macros are more challenging to analyze and detect than VBA macros. VBA macros have their own dedicated streams, whereas Excel 4.0 macro functions are stored in BIFF records inside the Workbook stream.

Note that, just like VBA macros, these threats will not work when macros are disabled in the Trust Center settings. So unless you are sure about the attachment and its source, don’t go enabling those macros.



new_Invoice 0962.xls (185344 bytes) SHA1: 16476552B017B61C01152D624F038BBE895E52EE
invoice_372571.xls (65024 bytes) SHA1: 960B8AE371021192490B5DA7911329ED2DBC837D