A couple of people shared recent maldocs with me, like this one. These turn out to be Excel spreadsheets with Excel 4 macros, saved in the Excel 95 file format. This format uses BIFF5/BIFF7 records (a workbook stream is a sequence of BIFF records, each consisting of a 2-byte record type, a 2-byte length and the record data).

I've updated my plugin plugin_biff.py to recognize this format: for BIFF record 0x0809, the Beginning Of File (BOF) record, my plugin now indicates BIFF5/BIFF7 for this ancient format.

If the spreadsheet is password protected, a FILEPASS record follows the BOF record. The data of all BIFF records following this FILEPASS record is encrypted (except for a few record types); the record headers (type and length) themselves stay in the clear, so the stream remains parseable. The encryption is XOR obfuscation or RC4. In this example, the encryption is "XOR obfuscation", and it predates the BIFF8 format.

Unfortunately, I didn't find open source tools to decrypt this ancient format. msoffice-crypt.exe does support XOR obfuscation, but only for the BIFF8 format, not for older formats like this one. msoffcrypto (used by my tool msoffcrypto-crack) does not yet support XOR obfuscation. This is on the todo list. Dynamic analysis is required to extract the IOCs of maldocs like these.
Didier Stevens, ISC Handler, Dec 12th 2020
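As an added example, not code from the diary or from plugin_biff.py, the Python below walks a BIFF workbook stream the way the diary describes: it reads each record header, reports the BIFF version from the BOF record (0x0500 in the vers field for BIFF5/BIFF7, 0x0600 for BIFF8), decodes the FILEPASS record into XOR obfuscation versus RC4, and, for XOR obfuscation, checks a candidate password against the stored 16-bit verifier using the CreatePasswordVerifier_Method1 routine from MS-OFFCRYPTO. It does not decrypt the record data. Assumptions: the sample streams are constructed for the example, not taken from a real maldoc; the 4-byte FILEPASS layout (key, verifier) for BIFF5/7 follows the OpenOffice.org Excel file format documentation and the longer layout starting with wEncryptionType follows MS-XLS; the set of records kept unencrypted is limited here to BOF, FILEPASS and INTERFACEHDR, while the specification lists a few more.

```python
import struct

BOF, FILEPASS, INTERFACEHDR = 0x0809, 0x002F, 0x00E1
LEGACY_BOFS = {0x0009: "BIFF2", 0x0209: "BIFF3", 0x0409: "BIFF4"}
SHEET_TYPES = {0x0005: "workbook globals", 0x0006: "VB module", 0x0010: "worksheet",
               0x0020: "chart", 0x0040: "Excel 4 macro sheet", 0x0100: "workspace"}
# Record data that stays in clear text after FILEPASS (MS-XLS lists a few more types).
CLEAR_RECORDS = {BOF, FILEPASS, INTERFACEHDR}


def iter_records(stream):
    """Yield (offset, record_type, data); headers are never encrypted, so this works on protected files."""
    off = 0
    while off + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, off)
        data = stream[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError(f"truncated record 0x{rtype:04X} at offset {off}")
        yield off, rtype, data
        off += 4 + length


def parse_bof(rtype, data):
    """Return (BIFF version, sheet type) for a BOF record; vers and dt are the first two words."""
    vers, dt = struct.unpack_from("<HH", data, 0)
    if rtype in LEGACY_BOFS:
        biff = LEGACY_BOFS[rtype]
    elif vers == 0x0500:
        biff = "BIFF5/BIFF7"   # Excel 5.0 / Excel 95, 8-byte BOF data
    elif vers == 0x0600:
        biff = "BIFF8"         # Excel 97 and later, 16-byte BOF data
    else:
        biff = f"unknown (vers=0x{vers:04X})"
    return biff, SHEET_TYPES.get(dt, f"dt=0x{dt:04X}")


def parse_filepass(data):
    """A 4-byte FILEPASS is the BIFF5/7 layout (key, verifier); longer ones start with wEncryptionType."""
    if len(data) == 4:
        key, verifier = struct.unpack("<HH", data)
        return {"type": "XOR obfuscation", "key": key, "verifier": verifier}
    wtype = struct.unpack_from("<H", data, 0)[0]
    if wtype == 0x0000:
        key, verifier = struct.unpack_from("<HH", data, 2)
        return {"type": "XOR obfuscation", "key": key, "verifier": verifier}
    if wtype == 0x0001:
        vmajor, vminor = struct.unpack_from("<HH", data, 2)
        if (vmajor, vminor) == (1, 1):   # RC4EncryptionHeader: version, 16-byte salt, verifier, hash
            return {"type": "RC4 (standard)", "salt": data[6:22].hex()}
        if vminor == 2 and vmajor in (2, 3, 4):
            return {"type": "RC4 (CryptoAPI)"}
        return {"type": f"RC4 (unknown version {vmajor}.{vminor})"}
    return {"type": f"unknown wEncryptionType 0x{wtype:04X}"}


def xor_password_verifier(password):
    """CreatePasswordVerifier_Method1 (MS-OFFCRYPTO 2.3.7.1): 16-bit hash stored as the XOR verifier."""
    pw = password.encode("latin-1")           # assumption: single-byte (ANSI) password
    verifier = 0
    for b in reversed(bytes([len(pw)]) + pw):  # length byte first, then password, walked backwards
        carry = 1 if verifier & 0x4000 else 0
        verifier = ((verifier << 1) & 0x7FFF) | carry   # 15-bit rotate left
        verifier ^= b
    return verifier ^ 0xCE4B


def check_xor_password(filepass, password):
    """True when the candidate password matches the stored XOR verifier (no decryption performed)."""
    return filepass["type"] == "XOR obfuscation" and filepass["verifier"] == xor_password_verifier(password)


def triage(stream):
    """Summarise a workbook stream: BIFF version, sheet BOFs, FILEPASS details, encrypted record count."""
    info = {"biff": None, "sheets": [], "filepass": None, "encrypted_records": 0}
    for _off, rtype, data in iter_records(stream):
        if rtype == BOF or rtype in LEGACY_BOFS:
            biff, sheet = parse_bof(rtype, data)
            info["biff"] = info["biff"] or biff
            info["sheets"].append(sheet)
        elif rtype == FILEPASS:
            info["filepass"] = parse_filepass(data)
        elif info["filepass"] is not None and rtype not in CLEAR_RECORDS:
            info["encrypted_records"] += 1    # header was readable, data is not
    return info


def biff_record(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


# Constructed sample: BIFF5 BOF (vers 0x0500, workbook globals), 4-byte FILEPASS with key 0x1234 and
# the verifier for password "secret", then a CODEPAGE record whose data would be obfuscated in a real file.
SAMPLE_BIFF5_XOR = (
    biff_record(BOF, struct.pack("<HHHH", 0x0500, 0x0005, 0x0DBB, 0x07CC))
    + biff_record(FILEPASS, struct.pack("<HH", 0x1234, xor_password_verifier("secret")))
    + biff_record(0x0042, b"\xB5\x04")
)
# Constructed sample: BIFF8 BOF and a standard RC4 FILEPASS with all-zero salt/verifier fields.
SAMPLE_BIFF8_RC4 = (
    biff_record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))
    + biff_record(FILEPASS, struct.pack("<HHH", 0x0001, 0x0001, 0x0001) + bytes(48))
)

if __name__ == "__main__":
    for name, sample in (("BIFF5/XOR", SAMPLE_BIFF5_XOR), ("BIFF8/RC4", SAMPLE_BIFF8_RC4)):
        print(name, triage(sample))
```

To use this on a real file, pass `triage()` the bytes of the Workbook stream (for example, the stream oledump.py dumps with `-s <index> -d`). A verifier match only confirms the password; the XOR key array derivation and the actual decryption of the record data are not implemented here, which is the gap the diary describes.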