More Excel 4.0 Macro MalSpam Campaigns

In light of the recent blog by my colleague Rodel Mendrez, we looked back at previous spam encountered over the past month which leverages Excel 4.0 macros and found some interesting samples. Both campaigns are using a fake invoice theme and both utilize Excel 4.0 macro to download malicious binaries.

Sample 1: Hidden Excel 4.0 Macro Sheet Downloads Via Web Query

The attachment in the first spam campaign is an archive containing a fake invoice new_Invoice 0962.xls. As the fake invoice is an Excel file which follows the Compound File Binary Format (CFBF), we can extract its streams using 7Zip to gather more information about the attachment statically.

The Document Summary Information stream indicates that the attachment contains an Excel 4.0 macro. The Excel file has 2 sheets namely Sheet1 and 8XoaRgSmhZwAxAOJuv2a. Furthermore, Sheet1 has a reference to a cell or range of cells named SzpmQrOQq4E98Rm40RZ7.

Browsing the Workbook stream, two strings signifying an external data source connection will be made by the attachment are observed – a string ‘Connection’, and a URL ‘hxxps://emmnebuc[.]xyz/SDVJKBsdkhv1’.

The Workbook stream follows the Binary Interchange File Format (BIFF) specifications. Using the tool BiffView, we inspect the BIFF records of the attachment new_Invoice 0962.xls and focus on the records associated with the observations made above – BOUNDSHEET and DCONN.

The attachment has two BIFF BOUNDSHEET records and they hold the sheet information. The first record is for Sheet1, a visible worksheet while the second record is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.

The BIFF DCONN record stores information about data connections. The file new_Invoice 0962.xls has a DCONN record and it indicates that Excel will perform a Web Query under a connection name “Connection” and the Excel object that is associated with this is Sheet1!SzpmQrOQq4E98Rm40RZ7.

Now equipped with the characteristics of new_Invoice 0962.xls, we can now investigate, in Microsoft Excel, more details about the macro and data connection.

Figure 6: The Unhide option of attachment’s Sheet1 is enabled if there is a hidden sheet

In Excel’s Formula tab under Name Manager, the Excel attachment has 5 defined names. The first 4 are defined names for cells in the hidden sheet 8XoaRgSmhZwAxAOJuv2a. The first defined name ‘Auto_Open’ serves as the autorun for the formulas contained in the macro sheet. The fifth name refers to the range of cells of Sheet1, and is the Excel object that will trigger the Web Query.

Figure 7: The Excel object linked to the data connection

Once the data connection setting is enabled, the Web Query will be immediately performed and its return value will be placed at Sheet1!$Y$100:$Y$103, the range of cells referred to by the fifth defined name.

The formula obtained through Web Query contains Excel 4.0 macro functions hence this will not work in Sheet1. If macros are enabled, they will be copied and eventually get executed in the Excel 4.0 macro sheet.

The downloaded formula serves as the second stage downloader. It will download a DLL from hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, save it as an html file in %public% folder, and execute it. Unfortunately, the URL is no longer accessible as of this writing.

Sample 2: Very Hidden Excel 4.0 Macro Sheet Downloader

Figure 9: SEG displaying the 2nd fake invoice spam

Meanwhile, with the second spam sample, the Excel file is directly attached to the email. Using BiffView, we verified that invoice_372571.xls contains an Excel 4.0 macro.

Figure 10: The BIFF BOUNDHSEET records of the attachment invoice_372571.xls obtained using BiffView

Just like the first spam sample, the malicious behavior of the attachment arises from the use of an Excel 4.0 macro sheet. The macro sheet has a ‘very hidden’ characteristic hence it will not appear on the Unhide dialog box. To view the macro, we must modify its BIFF BOUNDHSEET record – the fifth byte of the first record shown in Figure 10 will be modified from 02h to 00h.

Figure 11: The modified attachment invoice_372571.xls showing the Name Manager contains just 1 defined name. The initially ‘very hidden’ macro sheet can now be seen when the Auto_Open reference is clicked

The macro sheet contains a series of RUN functions starting from the Auto_Open reference cell and this will lead to the execution of the formula in sygfdfdfdesie!$CY$375. The attachment invoice_372571.xls will download hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and execute it as C:\Intels\gift.exe.

Figure 12: The Excel 4.0 macro execution flow

Conclusion

Excel 4.0 macros were introduced almost 28 years ago and just a year after its launch, it was overshadowed by VBA which arrived in Excel 5.0. However recently, we have noticed that malware authors increasingly utilize this still supported functionality in Excel.

Malicious Excel 4.0 macros are more challenging to analyze and detect compared to VBA macro. VBA macros have their own dedicated streams whereas Excel 4.0 macro functions are stored in BIFF records in the Workbook stream.

Note, these threats will not work when macros are disabled in the Trust Center settings, just like VBA macros. So unless you are sure about the attachment and its source, don’t go enabling those macros.

IOC

new_Invoice 0962.xls (185344 bytes) SHA1: 16476552B017B61C01152D624F038BBE895E52EE
invoice_372571.xls (65024 bytes) SHA1: 960B8AE371021192490B5DA7911329ED2DBC837D