
SANS ISC: Maldoc XLS Invoice with Excel 4 Macros - SANS Internet Storm Center

Maldoc XLS Invoice with Excel 4 Macros

This week I got an email claiming to be a YellowPages invoice, with an XLS attachment containing an Excel 4.0 macro similar to [1][2].

Using Didier's tool, I checked the spreadsheet with the plugin_biff plugin and option -x, which shows the Excel 4 macros:

The next step is to check for any embedded URL in this XLS document. I'm using plugin_biff's find option -f to see if any URLs are embedded in the file:

Unfortunately the embedded URL http[:]//fikima[.]com/axel[.]exe was taken down soon after I received this email [3]. I checked the VirusTotal hash database [4] and there is no record that this file was submitted before the domain was taken down. As a final step, I scanned the file with ClamAV, with negative results.
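The two checks above (which sheets are Excel 4.0 macro sheets and whether they are hidden, and which URLs are stored in the file) can be reproduced directly from the BIFF records. The following is an added example, not the diary's or Didier's code: it assumes the raw Workbook stream has already been extracted from the OLE container, walks the BoundSheet8 records, and scans for 8-bit and UTF-16LE URLs. The sample stream and its example.invalid URL are constructed placeholders, not the invoice's data.

```python
import re
import struct

BOUNDSHEET = 0x0085          # BoundSheet8 record type (MS-XLS 2.4.28)
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet",
               0x02: "chart", 0x06: "VBA module"}
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}

def iter_records(stream):
    """Yield (type, payload) for each record in a BIFF8 Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen

def parse_boundsheet(payload):
    """Decode BoundSheet8: lbPlyPos, hsState and dt bytes, ShortXLUnicodeString name."""
    lb_ply_pos, hs, dt, cch, high_byte = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    name = raw[:cch * 2].decode("utf-16-le") if high_byte & 1 else raw[:cch].decode("latin-1")
    return {"name": name, "offset": lb_ply_pos, "state": HS_STATE.get(hs & 0x03, "unknown"),
            "type": SHEET_TYPES.get(dt, "unknown(0x%02x)" % dt)}

def excel4_macro_sheets(stream):
    """Sheets flagged as Excel 4.0 macro sheets plus their visibility (what -x reports)."""
    sheets = [parse_boundsheet(p) for t, p in iter_records(stream) if t == BOUNDSHEET]
    return [s for s in sheets if s["type"] == "Excel 4.0 macro sheet"]

def find_urls(stream):
    """URL-like strings stored as 8-bit or UTF-16LE text (what the -f find option does)."""
    pat = re.compile(r"https?://[\x21-\x7e]+")
    texts = [stream.decode("latin-1")]
    texts += [stream[i:].decode("utf-16-le", errors="ignore") for i in (0, 1)]
    return sorted({m for t in texts for m in pat.findall(t)})

def defang(url):
    return url.replace("://", "[:]//").replace(".", "[.]")

# Constructed sample (not the diary's file): a visible worksheet, a very-hidden
# Excel 4.0 macro sheet, and two STRING records carrying a placeholder URL.
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, hs, dt):
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", 0, hs, dt, len(name), 0) + name.encode("latin-1"))

URL = "http://example.invalid/axel.exe"
SAMPLE = (_rec(0x0809, b"\x00" * 16) + _boundsheet("Invoice", 0, 0x00) + _boundsheet("Macro1", 2, 0x01)
          + _rec(0x0207, b"\x1f\x00\x00" + URL.encode("latin-1"))
          + _rec(0x0207, b"\x1f\x00\x01" + URL.encode("utf-16-le")) + _rec(0x000A, b""))

if __name__ == "__main__":
    for s in excel4_macro_sheets(SAMPLE):
        print("%s: %s, %s" % (s["name"], s["type"], s["state"]))
    for u in find_urls(SAMPLE):
        print(defang(u))
```

A macro sheet marked "very hidden" cannot be unhidden from the Excel UI, which is why the sheet state is worth reporting alongside the sheet type.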

[4] d5bd8d4a3841d0e6d455ba244be1f4d5  760606.xls

Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


523 Posts
ISC Handler
Apr 5th 2020
File is here: is Dridex loader.
