SANS ISC: Internet Storm Center

Maldoc: Excel 4 Macros in OOXML Format

Published: 2020-02-23
Last Updated: 2020-02-24 18:15:22 UTC
by Didier Stevens (Version: 1)

I've mentioned Excel 4 macros before, a scripting technology that predates VBA.

In that diary entry, I handled .xls files (OLE files). Excel 4 macros can also be stored in Office Open XML format files: .xlsm files.

If we take a look at an .xlsm file containing Excel 4 macros with oledump.py, we get this output:

There is no OLE file (vbaProject.bin) inside an Excel 4 macro-only file.

We need to take a look with zipdump.py:

The presence of a macrosheets folder tells us that there are Excel 4 macro sheets inside this file.

We can look at the content of the XML file:

And pretty-print it with xmldump.py:

Now it's easier to spot the formulas: EXEC("calc.exe") and HALT().

And the Auto_Open can be found in the worksheet XML file:
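As an added example (not part of this diary, and not one of the author's tools), here is a small Python scan that does in one go what zipdump.py and xmldump.py showed above: list the entries under the macrosheets folder, pull the formulas out of the macro sheet XML, and look for an Auto_Open defined name in the workbook XML. The .xlsm it scans is a constructed sample built in memory; the namespace and element layout of the macro sheet XML are assumptions, which is why elements are matched by local name rather than by full namespace.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal .xlsm (not a real sample): one Excel 4 macro sheet holding
# EXEC("calc.exe") and HALT(), plus an Auto_Open defined name pointing at it.
# The namespace/layout below is an assumption, not taken from a real file.
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MACROSHEET_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<macrosheet xmlns="{NS}"><sheetData>
<row r="1"><c r="A1"><f>EXEC("calc.exe")</f></c></row>
<row r="2"><c r="A2"><f>HALT()</f></c></row>
</sheetData></macrosheet>"""
WORKBOOK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS}"><sheets><sheet name="Macro1" sheetId="1"/></sheets>
<definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames>
</workbook>"""

def build_sample_xlsm() -> bytes:
    """Write the constructed parts into an in-memory zip, as an .xlsm is just a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
    return buf.getvalue()

def local(tag: str) -> str:
    """Strip the '{namespace}' prefix so matching works whatever namespace a file uses."""
    return tag.rsplit("}", 1)[-1]

def scan_xlsm(data: bytes) -> dict:
    """Return the macro sheet entries, the formulas they contain, and Auto_Open names."""
    result = {"macrosheets": [], "formulas": [], "auto_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.lower().startswith("xl/macrosheets/") and name.lower().endswith(".xml"):
                result["macrosheets"].append(name)
                root = ET.fromstring(zf.read(name))
                # Formulas sit in <f> elements inside <c> cells of the macro sheet.
                result["formulas"] += [f.text for f in root.iter() if local(f.tag) == "f" and f.text]
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for dn in root.iter():
                if local(dn.tag) == "definedName" and "auto_open" in dn.get("name", "").lower():
                    # (name, target cell, hidden flag) so hidden auto-run names stand out
                    result["auto_names"].append((dn.get("name"), dn.text, dn.get("hidden") == "1"))
    return result
```

To scan a file on disk, pass `open(path, "rb").read()` to `scan_xlsm`; a non-empty `macrosheets` list is the same signal the macrosheets folder gives in the zipdump.py listing.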

It's possible to have both macro types inside the same file: Excel 4 and VBA macros. I'll cover that in an upcoming diary entry.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: excel4 macros maldoc