Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Excel Maldocs: Hidden Sheets

Published: 2020-03-08
Last Updated: 2020-03-08 23:01:42 UTC
by Didier Stevens (Version: 1)
8 comment(s)

Sheets in Excel workbooks can be hidden. To unhide them, right-click a sheet tab and select "Unhide":

Xavier wrote a diary entry about a malicious Excel spreadsheet with Excel 4 macros. Opening the spreadsheet inside a VM, he did not see an Excel 4 macros sheet, nor could he unhide one:

The reason is the following. When you use my tool oledump.py with plugin plugin_biff, you can see that Xavier's malicious Excel 4.0 macro sheet is "very hidden".

The byte value at position 5 in a BOUNDSHEET record defines the visibility of a sheet: visible (0x00), hidden (0x01) or very hidden (0x02).

Visible and hidden can be toggled with Excel's GUI (right-click menu), but very hidden not.

You have a couple of options to make a very hidden sheet visible:

  • Use a tool like ShowSheets
  • Change a sheet's visible property programmatically
  • Use VBE
  • Use a hex editor (in this example, search for 3A 84 01 00 02 01 0A 00 and replace 02 with 00)
  • ...

Please post a comment if you know other methods.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords:
8 comment(s)
Diary Archives