SpiderLabs Blog

More Excel 4.0 Macro MalSpam Campaigns

Following the recent blog by my colleague Rodel Mendrez, we looked back at spam encountered over the past month that leverages Excel 4.0 macros and found some interesting samples. Both campaigns use a fake invoice theme, and both utilize an Excel 4.0 macro to download malicious binaries.

Sample 1: Hidden Excel 4.0 Macro Sheet Downloads Via Web Query

Figure 1: Trustwave Security Email Gateway (SEG) displaying the first Excel 4.0 spam

The attachment in the first spam campaign is an archive containing a fake invoice, new_Invoice 0962.xls. Because the fake invoice is an Excel file in the Compound File Binary Format (CFBF), we can extract its streams with 7-Zip to gather more information about the attachment statically.

Figure 2: The DocumentSummaryInformation stream of the attachment new_Invoice 0962.xls obtained using 7-Zip

The DocumentSummaryInformation stream indicates that the attachment contains an Excel 4.0 macro. The Excel file has two sheets, namely Sheet1 and 8XoaRgSmhZwAxAOJuv2a. Furthermore, Sheet1 has a reference to a cell or range of cells named SzpmQrOQq4E98Rm40RZ7.

Browsing the Workbook stream, we observe two strings signifying that the attachment will make an external data source connection: the string ‘Connection’ and the URL ‘hxxps://emmnebuc[.]xyz/SDVJKBsdkhv1’.

Figure 3: The Workbook stream shown in Figure 2, viewed in Hiew

The Workbook stream follows the Binary Interchange File Format (BIFF) specification. Using the tool BiffView, we inspect the BIFF records of the attachment new_Invoice 0962.xls and focus on the records associated with the observations made above: BOUNDSHEET and DCONN.

The attachment has two BIFF BOUNDSHEET records, which hold the sheet information. The first record is for Sheet1, a visible worksheet, while the second record is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.

Figure 4: The BIFF BOUNDSHEET records of new_Invoice 0962.xls

The BIFF DCONN record stores information about data connections. The file new_Invoice 0962.xls has a DCONN record, which indicates that Excel will perform a Web Query under the connection name “Connection”; the Excel object associated with it is Sheet1!SzpmQrOQq4E98Rm40RZ7.

Figure 5: The BIFF DCONN record of the Excel attachment

Now equipped with these characteristics of new_Invoice 0962.xls, we can investigate the macro and the data connection in more detail in Microsoft Excel.

Figure 6: The attachment opened in Microsoft Excel; the Unhide option on Sheet1 is enabled because there is a hidden sheet

In Excel’s Formulas tab under Name Manager, the attachment has five defined names. The first four are defined names for cells in the hidden sheet 8XoaRgSmhZwAxAOJuv2a; the first of them, ‘Auto_Open’, serves as the autorun entry point for the formulas contained in the macro sheet. The fifth name refers to a range of cells in Sheet1 and is the Excel object that will trigger the Web Query.

Figure 7: The defined names, including the Excel object linked to the data connection

Once the data connection setting is enabled, the Web Query is performed immediately and its return value is placed at Sheet1!$Y$100:$Y$103, the range of cells referred to by the fifth defined name.

Figure 8: Formula downloaded once the data connection setting is enabled

The formula obtained through the Web Query contains Excel 4.0 macro functions, so it will not work in Sheet1, a regular worksheet. If macros are enabled, the formula is copied to the Excel 4.0 macro sheet and executed there.

Figure 9: Using Formula.Fill, the downloaded formula is copied into the Excel 4.0 macro sheet, where it is executed

The downloaded formula serves as the second-stage downloader. It downloads a DLL from hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, saves it as an html file in the %public% folder, and executes it. Unfortunately, the URL is no longer accessible as of this writing.

Sample 2: Very Hidden Excel 4.0 Macro Sheet Downloader

Figure 9: SEG displaying the second fake invoice spam

In the second spam sample, the Excel file is attached directly to the email. Using BiffView, we verified that invoice_372571.xls contains an Excel 4.0 macro.

Figure 10: The BIFF BOUNDSHEET records of the attachment invoice_372571.xls obtained using BiffView

Just like the first spam sample, the malicious behavior of the attachment arises from the use of an Excel 4.0 macro sheet. The macro sheet is marked ‘very hidden’, so it will not appear in the Unhide dialog box. To view the macro, we must modify its BIFF BOUNDSHEET record: the fifth byte of the first record shown in Figure 10 is changed from 02h to 00h.

Figure 11: The modified attachment invoice_372571.xls showing that the Name Manager contains just one defined name. The initially ‘very hidden’ macro sheet can now be seen when the Auto_Open reference is clicked

The macro sheet contains a series of RUN functions starting from the Auto_Open reference cell, which leads to the execution of the formula in sygfdfdfdesie!$CY$375. The attachment invoice_372571.xls downloads hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and executes it as C:\Intels\gift.exe.

Figure 12: The Excel 4.0 macro execution flow

Conclusion

Excel 4.0 macros were introduced almost 28 years ago, and just a year after their launch they were overshadowed by VBA, which arrived in Excel 5.0. Recently, however, we have noticed that malware authors increasingly utilize this still-supported functionality in Excel.

Malicious Excel 4.0 macros are more challenging to analyze and detect than VBA macros: VBA macros have their own dedicated streams, whereas Excel 4.0 macro formulas are stored as BIFF records within the Workbook stream, alongside the ordinary worksheet data.

Note that, just like VBA macros, these threats will not work when macros are disabled in the Trust Center settings. So unless you are sure about the attachment and its source, don’t go enabling those macros.

IOC

new_Invoice 0962.xls (185344 bytes) SHA1: 16476552B017B61C01152D624F038BBE895E52EE
invoice_372571.xls (65024 bytes) SHA1: 960B8AE371021192490B5DA7911329ED2DBC837D
