I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, i.e. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:
Didier Stevens |
DidierStevens 638 Posts ISC Handler Mar 16th 2019 |
Mar 16th 2019 3 years ago |
Thank you Didier
Netmanzim 69 Posts |
Mar 17th 2019 3 years ago |
Site security training is down?
Netmanzim 69 Posts |
Mar 17th 2019 3 years ago |
You're welcome Netmanzim.
To what site are you referring? |
DidierStevens 638 Posts ISC Handler |
Mar 17th 2019 3 years ago |
https://www.sans.org/account/loginsso
Not able to log in, but the site is up and not down, sorry, login scripts not working maybe from my endpoint cookies |
Netmanzim 69 Posts |
Mar 17th 2019 3 years ago |