Last Updated: 2020-12-12 11:50:39 UTC
by Didier Stevens (Version: 1)
A couple of people shared recent maldocs with me, like this one.
These turn out to be Excel spreadsheets with Excel 4 macros, saved using Excel 95 file format. This format uses BIFF5/BIFF7 records (a workbook stream is composed of BIFF records).
I've updated my plugin plugin_biff.py to recognize this format:
For the BIFF record 0809, the beginning of file record (BOF), my plugin now indicates BIFF5/BIFF7 for this ancient format.
If this spreadsheet is password protected, a FILEPASS record will follow the BOF record. The data of all BIFF records following this FILEPASS record is encrypted (except for a few record types). The encryption is XOR or RC4.
In this example, the encryption is "XOR obfuscation" and it predates the BIFF8 format.
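As an added illustration (my own example here, not code from this diary or from plugin_biff.py), a small Python parser that walks a workbook stream record by record, reads the version field of the BOF record and reports what the FILEPASS record says about encryption. It assumes the usual record layouts: a 2-byte version at the start of BOF (0x0500 for BIFF5/BIFF7, 0x0600 for BIFF8), a key/hash pair in a BIFF5/7 FILEPASS, and a leading encryption-type word (0 = XOR, 1 = RC4) in a BIFF8 FILEPASS; the sample bytes are constructed.

```python
import struct

BOF = 0x0809       # Beginning Of File record
FILEPASS = 0x002F  # present when the workbook is password protected

def iter_biff_records(stream):
    """Yield (record_id, data) for every BIFF record in a workbook stream.
    A record is a 2-byte little-endian id, a 2-byte length, then the data."""
    offset = 0
    while offset + 4 <= len(stream):
        rec_id, length = struct.unpack_from('<HH', stream, offset)
        data = stream[offset + 4:offset + 4 + length]
        if len(data) < length:
            break  # truncated record: stop rather than mis-parse
        yield rec_id, data
        offset += 4 + length

def analyze_workbook_stream(stream):
    """Report the BIFF version (from BOF) and the FILEPASS encryption, if any.
    Layouts assumed: BOF starts with a 2-byte version; a BIFF5/7 FILEPASS holds
    key + hash; a BIFF8 FILEPASS starts with wEncryptionType (0 = XOR, 1 = RC4)."""
    info = {'version': None, 'encryption': None, 'records_after_filepass': 0}
    seen_filepass = False
    for rec_id, data in iter_biff_records(stream):
        if seen_filepass:
            info['records_after_filepass'] += 1  # bodies of these are encrypted
        if rec_id == BOF and info['version'] is None and len(data) >= 2:
            vers = struct.unpack_from('<H', data, 0)[0]
            names = {0x0500: 'BIFF5/BIFF7', 0x0600: 'BIFF8'}
            info['version'] = names.get(vers, 'unknown 0x%04X' % vers)
        elif rec_id == FILEPASS and not seen_filepass:
            seen_filepass = True
            if info['version'] == 'BIFF8' and len(data) >= 2:
                wtype = struct.unpack_from('<H', data, 0)[0]
                info['encryption'] = {0: 'XOR obfuscation', 1: 'RC4'}.get(wtype, 'unknown')
            elif len(data) >= 4:
                key, verifier = struct.unpack_from('<HH', data, 0)
                info['encryption'] = 'XOR obfuscation (key=0x%04X, hash=0x%04X)' % (key, verifier)
    return info

# Constructed sample stream: BIFF5 BOF (version 0x0500, type 0x0005 = workbook globals),
# a FILEPASS with an XOR key/hash, a CODEPAGE record and an EOF record standing in
# for the (encrypted) records that follow FILEPASS in a real file.
SAMPLE = (struct.pack('<HHHHHH', BOF, 8, 0x0500, 0x0005, 0, 0)
          + struct.pack('<HHHH', FILEPASS, 4, 0x1234, 0xABCD)
          + struct.pack('<HH', 0x0042, 2) + b'\xb5\x04'
          + struct.pack('<HH', 0x000A, 0))

if __name__ == '__main__':
    print(analyze_workbook_stream(SAMPLE))
```

On a real file, feed it the raw Workbook/Book stream extracted from the OLE container (for instance with oledump.py).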
Unfortunately, I didn't find open source tools to decrypt this ancient format.
msoffice-crypt.exe does support XOR obfuscation, but only for the BIFF8 format, not for older formats like this one.
Dynamic analysis is required to extract the IOCs of maldocs like these.