A couple of people shared recent maldocs with me, like this one.

These turn out to be Excel spreadsheets with Excel 4 macros, saved using Excel 95 file format. This format uses BIFF5/BIFF7 records (a workbook stream is composed of BIFF records).

I've updated my plugin plugin_biff.py to recognize this format:

For the BIFF record 0809, the beginning of file record (BOF), my plugin now indicates BIFF5/BIFF7 for this ancient format.

If this spreadsheet is password protected, a FILEPASS record will follow the the BOF record. The data of all BIFF records following this FILEPASS records is encrypted (except for a few record types). The encryption is XOR or RC4.

In this example, the encrypton is "XOR obfuscation" and it predates the BIFF8 format.

Unfortunately, I didn't find open source tools to decrypt this ancient format.

msoffice-crypt.exe does support XOR obfuscation, but only for the BIFF8 format. Not older formats like this one.

msoffcrypto (used by my tool msoffcrypto-crack) does not yet support XOR obfuscation. This is on the todo list.

Dynamic analysis is required to extract the IOCs of maldocs like these.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com