Maldoc: Excel 4.0 Macros - SANS Internet Storm Center

Maldoc: Excel 4.0 Macros
I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd. Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code: To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, e.g. Excel 4.0 macros): When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above: There's a hidden Excel 4.0 macro sheet There's a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings) There's a formula with a call to the EXEC function In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute a msi file Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com	DidierStevens 638 Posts ISC Handler Mar 16th 2019
Thread locked Subscribe	Mar 16th 2019 3 years ago
Thank you Didier	Netmanzim 69 Posts
Quote	Mar 17th 2019 3 years ago
Site security training is down ?	Netmanzim 69 Posts
Quote	Mar 17th 2019 3 years ago
You're welcome Netmanzim. To what site are you referring?	DidierStevens 638 Posts ISC Handler
Quote	Mar 17th 2019 3 years ago
https://www.sans.org/account/loginsso not able to login in, but the site is up and not down, sorry, login scripts not working maby from my endpoint cookies	Netmanzim 69 Posts
Quote	Mar 17th 2019 3 years ago