SpiderLabs Blog

More Excel 4.0 Macro MalSpam Campaigns

In light of the recent blog by my colleague Rodel Mendrez, we looked back at spam encountered over the past month that leverages Excel 4.0 macros and found some interesting samples. Both campaigns use a fake invoice theme, and both use an Excel 4.0 macro to download malicious binaries.

Sample 1: Hidden Excel 4.0 Macro Sheet Downloads Via Web Query

Figure 1: Trustwave Security Email Gateway (SEG) displaying the first Excel 4.0 spam


The attachment in the first spam campaign is an archive containing a fake invoice, new_Invoice 0962.xls. Because the fake invoice is an Excel file in the Compound File Binary Format (CFBF), we can extract its streams with 7-Zip to gather more information about the attachment statically.

Figure 2: The DocumentSummaryInformation stream of the attachment new_Invoice 0962.xls obtained using 7-Zip


The DocumentSummaryInformation stream indicates that the attachment contains an Excel 4.0 macro. The Excel file has two sheets, namely Sheet1 and 8XoaRgSmhZwAxAOJuv2a. Furthermore, Sheet1 has a reference to a cell or range of cells named SzpmQrOQq4E98Rm40RZ7.

Browsing the Workbook stream, we observe two strings indicating that the attachment will make an external data source connection: the string ‘Connection’ and the URL ‘hxxps://emmnebuc[.]xyz/SDVJKBsdkhv1’.


Figure 3: The Workbook stream from Figure 2, viewed in Hiew


The Workbook stream follows the Binary Interchange File Format (BIFF) specification. Using the tool BiffView, we inspect the BIFF records of the attachment new_Invoice 0962.xls and focus on the records associated with the observations above: BOUNDSHEET and DCONN.

The attachment has two BIFF BOUNDSHEET records, which hold the sheet information. The first record is for Sheet1, a visible worksheet, while the second record is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.


Figure 4: The BIFF BOUNDSHEET records of new_Invoice 0962.xls


The BIFF DCONN record stores information about data connections. The file new_Invoice 0962.xls has a DCONN record indicating that Excel will perform a Web Query under the connection name “Connection”, and that the Excel object associated with this connection is Sheet1!SzpmQrOQq4E98Rm40RZ7.


Figure 5: The BIFF DCONN record of the Excel attachment


Now equipped with the characteristics of new_Invoice 0962.xls, we can investigate the macro and the data connection in more detail in Microsoft Excel.


Figure 6: The Unhide option for the attachment’s Sheet1 is enabled because a hidden sheet exists


In Excel’s Formulas tab, under Name Manager, the attachment has 5 defined names. The first 4 are defined names for cells in the hidden sheet 8XoaRgSmhZwAxAOJuv2a. The first defined name, ‘Auto_Open’, serves as the autorun entry point for the formulas contained in the macro sheet. The fifth name refers to the range of cells in Sheet1 that is the Excel object triggering the Web Query.


Figure 7: The Excel object linked to the data connection


Once the data connection setting is enabled, the Web Query is performed immediately and its return value is placed at Sheet1!$Y$100:$Y$103, the range of cells referred to by the fifth defined name.


Figure 8: Formula downloaded once the data connection setting is enabled


The formula obtained through the Web Query contains Excel 4.0 macro functions, so it cannot run in Sheet1, a regular worksheet. If macros are enabled, it is copied to the Excel 4.0 macro sheet and executed there.


Figure 9: Using Formula.Fill, the downloaded formula is executed in the Excel 4.0 macro sheet


The downloaded formula serves as the second-stage downloader. It downloads a DLL from hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, saves it as an .html file in the %public% folder, and executes it. Unfortunately, the URL is no longer accessible as of this writing.


Sample 2: Very Hidden Excel 4.0 Macro Sheet Downloader


Figure 9: SEG displaying the 2nd fake invoice spam


In the second spam sample, the Excel file is attached directly to the email. Using BiffView, we verified that invoice_372571.xls contains an Excel 4.0 macro.


Figure 10: The BIFF BOUNDSHEET records of the attachment invoice_372571.xls obtained using BiffView


Just like the first spam sample, the malicious behavior of the attachment arises from the use of an Excel 4.0 macro sheet. This macro sheet is ‘very hidden’, so it does not appear in the Unhide dialog box. To view the macro, we must modify its BIFF BOUNDSHEET record: the fifth byte of the first record shown in Figure 10 (the sheet’s hidden-state byte) is changed from 02h to 00h.
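As an added example (not Trustwave's tooling and not BiffView), here is a small Python scanner for the BIFF indicators discussed in both samples: it walks the Workbook stream record by record, decodes each BOUNDSHEET record's hidden-state byte (the fifth byte modified above) and sheet type, and reports whether a DCONN record is present. Record layouts follow the public MS-XLS specification; the Workbook stream bytes are constructed inline, modelled on sample 1, rather than extracted from the real attachment (in practice the stream would come from 7-Zip or a CFBF library such as olefile).

```python
import struct
# BIFF record types (MS-XLS): BoundSheet8, DConn, BOF, EOF
BOUNDSHEET, DCONN, BOF, EOF = 0x0085, 0x0876, 0x0809, 0x000A
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}

def biff_records(stream: bytes):
    """Yield (record_type, payload) for each record: 2-byte type, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + length]
        pos += 4 + length

def parse_boundsheet(payload: bytes) -> dict:
    """Decode BoundSheet8: stream offset, hsState (the 'fifth byte'), sheet type, name."""
    offset, state, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return {"name": name, "state": HS_STATE.get(state & 0x03, "unknown"),
            "type": SHEET_TYPE.get(dt, f"unknown({dt:#x})"), "offset": offset}

def scan_workbook_stream(stream: bytes) -> dict:
    """Collect the indicators discussed above: sheet list, hidden XLM sheets, DCONN presence."""
    sheets, has_dconn = [], False
    for rtype, payload in biff_records(stream):
        if rtype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == DCONN:
            has_dconn = True
    hidden_xlm = [s for s in sheets if s["type"].startswith("Excel 4.0") and s["state"] != "visible"]
    return {"sheets": sheets, "has_dconn": has_dconn, "hidden_xlm_sheets": hidden_xlm}

def rec(rtype: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(payload)) + payload

def boundsheet(name: str, state: int, dt: int) -> bytes:
    """Build a BoundSheet8 record with an 8-bit (compressed) sheet name."""
    return rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, dt, len(name), 0) + name.encode("latin-1"))

# Constructed Workbook stream modelled on sample 1: visible Sheet1, a hidden
# Excel 4.0 macro sheet, and a DCONN record (its payload here is a placeholder).
SAMPLE_STREAM = (rec(BOF, b"\x00" * 16)
                 + boundsheet("Sheet1", 0, 0x00)
                 + boundsheet("8XoaRgSmhZwAxAOJuv2a", 1, 0x01)
                 + rec(DCONN, b"\x00" * 8)
                 + rec(EOF, b""))
if __name__ == "__main__":
    print(scan_workbook_stream(SAMPLE_STREAM))
```

A ‘very hidden’ sheet as in sample 2 is simply hsState 02h in the same record, so the scanner flags it the same way.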


Figure 11: The modified attachment invoice_372571.xls, whose Name Manager contains just 1 defined name. The initially ‘very hidden’ macro sheet can now be seen when the Auto_Open reference is clicked


The macro sheet contains a series of RUN functions starting from the Auto_Open reference cell, which leads to the execution of the formula in sygfdfdfdesie!$CY$375. The attachment invoice_372571.xls downloads hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and executes it as C:\Intels\gift.exe.


Figure 12: The Excel 4.0 macro execution flow



Excel 4.0 macros were introduced almost 28 years ago, and just a year after their launch they were overshadowed by VBA, which arrived in Excel 5.0. Recently, however, we have noticed that malware authors increasingly make use of this still-supported functionality in Excel.

Malicious Excel 4.0 macros are more challenging to analyze and detect than VBA macros. VBA macros have their own dedicated streams, whereas Excel 4.0 macro functions are stored in BIFF records inside the Workbook stream.

Note that these threats will not work when macros are disabled in the Trust Center settings, just as VBA macros will not. So unless you are sure about the attachment and its source, don’t go enabling those macros.



new_Invoice 0962.xls (185344 bytes) SHA1: 16476552B017B61C01152D624F038BBE895E52EE
invoice_372571.xls (65024 bytes) SHA1: 960B8AE371021192490B5DA7911329ED2DBC837D
