threatintel

Excel 4.0 Macros - So hot right now...🔥🔥🔥

Analysis of Excel 4.0 macros and how to triage these .XLS files to gather IOCs from recent ITW samples such as ZLOADER, TRICKBOT and URSNIF.

Mark R

9 min read
Excel 4.0 Macros - So hot right now...🔥🔥🔥

TLDR: old forgotten feature gets abused..

In this case, Excel 4.0 macros (XLM). Originally posted about in 2018 by Outflank security team, a recent surge in activity by the various malware campaigns (ZLOADER/URSNIF/TRICKBOT) has obviously peaked some interest from criminal groups.

Take note, these XLM worksheets (.XLS) files have no VBA macro code so detection under AMSI will fail. XLS embedded macros are also supported under the latest versions of Excel - explaining why this is 🔥. Going to quickly cover analysis of the technique and how to triage these files to gather IOCS from recent ITW samples.

44tcyo

QUICK OVERVIEW

Excel 4.0 macros use formulas in various cells to execute code, top down, left to right and most likely located in hidden worksheets. Here is a unhidden example.

macro-1

helloworld

These macros are assoiciated with Excel 97-2003 Workbook .XLS files and are still supported by the latest versions of MS Excel.

The Binary Interchange File Format (BIFF) is the file format Microsoft Office Excel workbooks are saved to (aka *.xls)

BIFF

Some of the functions that are possible within XLM are documented Excel 4.0 Macro Functions Reference just to show you how powerful this can be. Pretty handy for debugging.

Operational tempo of XLM 4.0 weaponized documents. The LastLine security team posted a timeline of the last 6 months (up until April) of XLM attacks (not a new technique as mentioned above), which they group into 11 'clusters' showing the adaption, obsfucation, anti-analysis/sandbox evasion being used over time.

LastlineXLM_TimeLine

Graphics LastLine

XLM 4.0 ANALYSIS

Samples can evade automated sandbox analysis. Some recent samples are password protected, code is obsfucated, worksheets are hidden, aswell as serveral anti-sandbox checks, all leads to difficulties when assessing. Here are some tools and tricks to make it easier that I've come across.

email-1
(ITW ZLOADER example. Not sure why this macro sheet D is visible here?) Try example below;

doc_hidden

UNHIDE SHEETS

You'll need a hexeditor here (HxD or such) - Check out XLM specification - Sheet information is held in a 'BoundSheet' (85 00). If you search the XLS file for hex 85 00 and change the 9th byte to 00 instead of 01 hidden or 02 for super hidden. Save and open the file the sheet being visable once more. This gets tiredsome if there are numerous hidden sheets...

hex-2

hiddensheets18

aintgottim

ExcelSheetUnhide

LINK
One to help mass unhide multiple hidden sheets.

ExcelSheetUnhide v1.0.1
Author: DenK
Note that Excel editor is opened in the background with Macros disabled. Better use the script in VM.
-h: Show help, Syntax and Examples. Other switches will be omitted.
The Script is licensed under GNU General Public License v3.0
Visit Script's site page with manual and explanations: https://www.optimizationcore.com/excelsheetunhide
Visit GitHub page: https://github.com/denk-core/ExcelSheetUnhide
========================
Help, Syntax, Examples
========================
ExcelSheetUnhide v1.0.1
Author: DenK
-in: Input Excel file. Must include full path.
-out: Output Excel file that you want to save as after editing. Must include full path.
-c: Check for Hidden Sheets only.
-u: Check if Sheets can be Unhidden. You can use it with <-c> to check the Before Uhide status.
-e: Must be used with <-u> and <-out>. Export unhidden file and save as <-out>.
-f: Force overwrite the existing file in <-out>.
-v: Make the Excel execution visible. Since the Application that opens the Excel file opens in the background, you can show it with this switch.
-l: Leave the Excel opened and finish the switch without doing anything. Works only with <-v> switch. <-e>, <-out>, <-f> will be omitted.
---------------------------
Usage Example 1 - Check only for the hidden Sheets inside Excel document:
.\ExcelUnhideSHeet.ps1 -c -in 'C:\YourMalicious.xls'
---------------------------
Usage Example 2 - Open Excel Application, unhide the Sheets and terminate the script, leaving you the option of editing it or saving as you want:
.\ExcelUnhideSHeet.ps1 -u -v -l -in 'C:\YourMalicious.xls'
---------------------------
Usage Example 3 - Don't show Excel Application, Shows Sheets before Unhide, Unhide, Save as and overwrite if output file existent:
.\ExcelUnhideSHeet.ps1 -c -u -e -f -in 'C:\YourMalicious.xls' -out 'C:\YourUnhidden.xls'

.\unhide.ps1 -u -v -l -in C:\file.xls

unhide

Note: when running the ExcelSheetUnhide script, the Excel sheet will remain open for you to enter the password. Once complete check each sheet. Note, we see OCR evasion - no images being used for image recognition just plain text - simple and sneaky.

TIP: Once opened, keep in mind little security through obsecurity tricks (white fonts and formulas existing on row column Z just out of sight).

TIP: In MS Excel > Find & Select > Go To Special > Select Blanks > Press CTRL - > DELETE Shif Cells Up. This will help with analysis but will break the execution flow. Kudos ClickAllTheThings blog 👏

If you toggle the FORMULAS > Toggle off/on "Show Formulas" some IOCs will be visable but incomplete - this varies. The execution flow of the enabled macro will combine strings etc. to output a more complete result but we're not dynamically running this yet.

auto_open-1

TIP: Also, in Microsoft Excel for instance, "F5" - GO TO CELL ZYX can help you bounce around the sheet to manually analyse the sheets.

A WILD TOOL APPEARS!

By far the most complete is XLMMacroDeobfuscator by @DissectMalware but other tools such as OLEDUMP's BIFF plugin by @DidierStevens can be useful too. Of note ExcelSheetUnhide by DenK can help unhide multiple worksheets for manual analysis as above.

XLMMacroDeobfuscator

LINK

Excellent tool for defenders to analyse XLM documents and grab IOCs. Works 99% of the time and is actively being developed. Recently found out that CAPE sandbox supports XLMMacroDeobfuscator too.

XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

usage: xlmdeobfuscator [-h] [-c FILE_PATH] [-f FILE_PATH] [-n] [-x] [-2]
                       [--with-ms-excel] [-s] [-d DAY]
                       [--output-formula-format OUTPUT_FORMULA_FORMAT]
                       [--no-indent] [--export-json FILE_PATH]
                       [--start-point CELL_ADDR] [-p PASSWORD]
                       [-o OUTPUT_LEVEL]

optional arguments:
  -h, --help            show this help message and exit
  -c FILE_PATH, --config-file FILE_PATH
                        Specify a config file (must be a valid JSON file)
  -f FILE_PATH, --file FILE_PATH
                        The path of a XLSM file
  -n, --noninteractive  Disable interactive shell
  -x, --extract-only    Only extract cells without any emulation
  -2, --no-ms-excel     [Deprecated] Do not use MS Excel to process XLS files
  --with-ms-excel       Use MS Excel to process XLS files
  -s, --start-with-shell
                        Open an XLM shell before interpreting the macros in
                        the input
  -d DAY, --day DAY     Specify the day of month
  --output-formula-format OUTPUT_FORMULA_FORMAT
                        Specify the format for output formulas ([[CELL-ADDR]],
                        [[INT-FORMULA]], and [[STATUS]]
  --no-indent           Do not show indent before formulas
  --export-json FILE_PATH
                        Export the output to JSON
  --start-point CELL_ADDR
                        Start interpretation from a specific cell address
  -p PASSWORD, --password PASSWORD
                        Password to decrypt the protected document
  -o OUTPUT_LEVEL, --output-level OUTPUT_LEVEL
                        Set the level of details to be shown (0:all commands,
                        1: commands no jump 2:important commands 3:strings in
                        important commands).

Quick install notes.

apt install python3-pip
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
pip3 install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
/home/kali/.local/bin/xlmdeobfuscator -h

OLEDUMP

LINK

Has a recent BIFF plugin to parse XLM files.

Usage: oledump.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --strings         Dump strings
  -a, --hexascii        Dump hex ascii
  -X, --hex             Dump hex without whitespace
  -b, --formulabytes    Dump formula bytes
  -d, --dump            Dump
  -x, --xlm             Select all records relevant for Excel 4.0 macros
  -o OPCODE, --opcode=OPCODE
                        Opcode to filter for
  -f FIND, --find=FIND  Content to search for
  -c, --csv             Produce CSV
  -j, --json            Produce JSON
  -r CELLREFFORMAT, --cellrefformat=CELLREFFORMAT
                        Cell reference format (RC, LN)

This unfortunately doesn't work well with password protected documents, so strip the passwords out first before analysis.

python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-h"
python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-x"
python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-o FORMULA"

How-to Remove Password Protection

Excel protected documents can be a pain for analysis - some tools don't support them. Samples used here had the .EML file which contained the password used to decrypt the file. Another way is to pivot using VT Graph to find relationships to source the original email.

If you know the password once opened you can remove it here. Now you can analyse the file with OLEDUMP/BIFF plugin.

remove-1

RECENT ITW SIGHTINGS

ZLOADER downloader, URSNIF banking trojan and TRICKBOT info-stealer.

ZLOADER

A malware downloader. Of note, there was an awesome deep dive by the CyberReason research team 👏 ZLOADER campaign

Full ZLOADER samples from;
https://www.malware-traffic-analysis.net/2020/06/09/index.html
https://www.malware-traffic-analysis.net/2020/06/18/index.html

zloader18

Instead use XLMMacroDeobfuscator with the following argument -p to specify the password protecting the document to get the full execution flow decoded output.
xlmdeobs

URSNIF/GOZI

Also reported by Morphisec team URSNIF banking trojan, using the same XLM + OCR evasion lure. See below;

ursnif

File VT LINK - United Office Choice7468.xlsm
MD5 a60580994af4859d54954cb1b867f6e3

downloads VT LINK - services.exe = URSNIF banking malware.
MD5 24cd1f4c43b982356a034aac64bd68d6

TRICKBOT

Pretty recent so snook this into the blog - 19th June

File VT LINK - PL-7849618.xls
MD5 97796056ec3985ae34f3557584f9eea8

downloads VT LINK - hfZroLh.exe
MD5 32c439481dcf8fdc6a9f30e6e556d95d

You can see the TRICKBOT TAG ono48 in the requested URL - quick search on Twitterverse and bam.

TRICKBOT

FINAL NOTES

Hopefully this will help with some basic analysis and exposure to weaponized XLM/XLS files and some of the available tools/projects out there. For static anlysis these tools do a pretty good job but ultimately live/non-sandboxed dynamic analysis in a secure lab environment might be a possible workaround until static analysis tooling is available/updated.

Definately one to watch 👀 as red/blue adapt to evade/detect...

commando

As I was compiling this post, this was released - a great follow on read. Like I said "So hot right now"
https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/

BLUETEAMTIP: if your investigating a possible phish that the user has clicked (then query this key for the recent location of the document) or need to reset macros for testing? (then delete the record) - check out this "Trusted Document" reference.

reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\<VERSION>\Excel\Security\Trusted Documents\TrustRecords"

excelmacro-2

DETECTION

Some open source YARA sigs doing the rounds.

  1. rule Excel_Hidden_Macro_Sheet by InQuest.
  2. rule MAL_Sharpshooter_Excel4 included with LOKI YARA scanner signature base. https://github.com/Neo23x0/signature-base

Example of LOKI YARA Scanner
loki-1

REFERENCES

BLUE 🔵

RED 🔴

From lateral movement to generation.

DigitalOcean Referral Badge