TLDR: old forgotten feature gets abused..
In this case, Excel 4.0 macros (XLM). Originally posted about in 2018 by Outflank security team, a recent surge in activity by the various malware campaigns (ZLOADER/URSNIF/TRICKBOT) has obviously peaked some interest from criminal groups.
Take note, these XLM worksheets (.XLS) files have no VBA macro code so detection under AMSI will fail. XLS embedded macros are also supported under the latest versions of Excel - explaining why this is 🔥. Going to quickly cover analysis of the technique and how to triage these files to gather IOCS from recent ITW samples.
Excel 4.0 macros use formulas in various cells to execute code, top down, left to right and most likely located in hidden worksheets. Here is a unhidden example.
These macros are assoiciated with Excel 97-2003 Workbook .XLS files and are still supported by the latest versions of MS Excel.
The Binary Interchange File Format (BIFF) is the file format Microsoft Office Excel workbooks are saved to (aka *.xls)
Some of the functions that are possible within XLM are documented Excel 4.0 Macro Functions Reference just to show you how powerful this can be. Pretty handy for debugging.
Operational tempo of XLM 4.0 weaponized documents. The LastLine security team posted a timeline of the last 6 months (up until April) of XLM attacks (not a new technique as mentioned above), which they group into 11 'clusters' showing the adaption, obsfucation, anti-analysis/sandbox evasion being used over time.
XLM 4.0 ANALYSIS
Samples can evade automated sandbox analysis. Some recent samples are password protected, code is obsfucated, worksheets are hidden, aswell as serveral anti-sandbox checks, all leads to difficulties when assessing. Here are some tools and tricks to make it easier that I've come across.
(ITW ZLOADER example. Not sure why this macro sheet D is visible here?) Try example below;
You'll need a hexeditor here (HxD or such) - Check out XLM specification - Sheet information is held in a 'BoundSheet' (85 00). If you search the XLS file for hex
85 00 and change the 9th byte to
00 instead of
01 hidden or
02 for super hidden. Save and open the file the sheet being visable once more. This gets tiredsome if there are numerous hidden sheets...
One to help mass unhide multiple hidden sheets.
ExcelSheetUnhide v1.0.1 Author: DenK Note that Excel editor is opened in the background with Macros disabled. Better use the script in VM. -h: Show help, Syntax and Examples. Other switches will be omitted. The Script is licensed under GNU General Public License v3.0 Visit Script's site page with manual and explanations: https://www.optimizationcore.com/excelsheetunhide Visit GitHub page: https://github.com/denk-core/ExcelSheetUnhide ======================== Help, Syntax, Examples ======================== ExcelSheetUnhide v1.0.1 Author: DenK -in: Input Excel file. Must include full path. -out: Output Excel file that you want to save as after editing. Must include full path. -c: Check for Hidden Sheets only. -u: Check if Sheets can be Unhidden. You can use it with <-c> to check the Before Uhide status. -e: Must be used with <-u> and <-out>. Export unhidden file and save as <-out>. -f: Force overwrite the existing file in <-out>. -v: Make the Excel execution visible. Since the Application that opens the Excel file opens in the background, you can show it with this switch. -l: Leave the Excel opened and finish the switch without doing anything. Works only with <-v> switch. <-e>, <-out>, <-f> will be omitted. --------------------------- Usage Example 1 - Check only for the hidden Sheets inside Excel document: .\ExcelUnhideSHeet.ps1 -c -in 'C:\YourMalicious.xls' --------------------------- Usage Example 2 - Open Excel Application, unhide the Sheets and terminate the script, leaving you the option of editing it or saving as you want: .\ExcelUnhideSHeet.ps1 -u -v -l -in 'C:\YourMalicious.xls' --------------------------- Usage Example 3 - Don't show Excel Application, Shows Sheets before Unhide, Unhide, Save as and overwrite if output file existent: .\ExcelUnhideSHeet.ps1 -c -u -e -f -in 'C:\YourMalicious.xls' -out 'C:\YourUnhidden.xls'
.\unhide.ps1 -u -v -l -in C:\file.xls
Note: when running the ExcelSheetUnhide script, the Excel sheet will remain open for you to enter the password. Once complete check each sheet. Note, we see OCR evasion - no images being used for image recognition just plain text - simple and sneaky.
TIP: Once opened, keep in mind little security through obsecurity tricks (white fonts and formulas existing on row column Z just out of sight).
TIP: In MS Excel > Find & Select > Go To Special > Select Blanks > Press CTRL - > DELETE Shif Cells Up. This will help with analysis but will break the execution flow. Kudos ClickAllTheThings blog 👏
If you toggle the FORMULAS > Toggle off/on "Show Formulas" some IOCs will be visable but incomplete - this varies. The execution flow of the enabled macro will combine strings etc. to output a more complete result but we're not dynamically running this yet.
TIP: Also, in Microsoft Excel for instance, "F5" - GO TO CELL ZYX can help you bounce around the sheet to manually analyse the sheets.
A WILD TOOL APPEARS!
By far the most complete is XLMMacroDeobfuscator by @DissectMalware but other tools such as OLEDUMP's BIFF plugin by @DidierStevens can be useful too. Of note ExcelSheetUnhide by DenK can help unhide multiple worksheets for manual analysis as above.
#XLMMacroDeobfuscator v0.1.4 is out— Malwrologist (@DissectMalware) May 31, 2020
1⃣11 new functions: WHILE, SET[.NAME, ACTIVE.CELL, SELECT, REGISTER, ...
2⃣Outputs shellcodes: VirtualAlloc, WriteProcessMemory, RtlCopyMemory
4⃣Decrypts protected files --password
pip install -U XLMMacroDeobfuscator pic.twitter.com/PDsbZ3jaMf
Excellent tool for defenders to analyse XLM documents and grab IOCs. Works 99% of the time and is actively being developed. Recently found out that CAPE sandbox supports XLMMacroDeobfuscator too.
XLMMacroDeobfuscator(v0.1.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator usage: xlmdeobfuscator [-h] [-c FILE_PATH] [-f FILE_PATH] [-n] [-x] [-2] [--with-ms-excel] [-s] [-d DAY] [--output-formula-format OUTPUT_FORMULA_FORMAT] [--no-indent] [--export-json FILE_PATH] [--start-point CELL_ADDR] [-p PASSWORD] [-o OUTPUT_LEVEL] optional arguments: -h, --help show this help message and exit -c FILE_PATH, --config-file FILE_PATH Specify a config file (must be a valid JSON file) -f FILE_PATH, --file FILE_PATH The path of a XLSM file -n, --noninteractive Disable interactive shell -x, --extract-only Only extract cells without any emulation -2, --no-ms-excel [Deprecated] Do not use MS Excel to process XLS files --with-ms-excel Use MS Excel to process XLS files -s, --start-with-shell Open an XLM shell before interpreting the macros in the input -d DAY, --day DAY Specify the day of month --output-formula-format OUTPUT_FORMULA_FORMAT Specify the format for output formulas ([[CELL-ADDR]], [[INT-FORMULA]], and [[STATUS]] --no-indent Do not show indent before formulas --export-json FILE_PATH Export the output to JSON --start-point CELL_ADDR Start interpretation from a specific cell address -p PASSWORD, --password PASSWORD Password to decrypt the protected document -o OUTPUT_LEVEL, --output-level OUTPUT_LEVEL Set the level of details to be shown (0:all commands, 1: commands no jump 2:important commands 3:strings in important commands).
Quick install notes.
apt install python3-pip curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py pip3 install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip /home/kali/.local/bin/xlmdeobfuscator -h
Has a recent BIFF plugin to parse XLM files.
Usage: oledump.py [options] Options: -h, --help show this help message and exit -s, --strings Dump strings -a, --hexascii Dump hex ascii -X, --hex Dump hex without whitespace -b, --formulabytes Dump formula bytes -d, --dump Dump -x, --xlm Select all records relevant for Excel 4.0 macros -o OPCODE, --opcode=OPCODE Opcode to filter for -f FIND, --find=FIND Content to search for -c, --csv Produce CSV -j, --json Produce JSON -r CELLREFFORMAT, --cellrefformat=CELLREFFORMAT Cell reference format (RC, LN)
This unfortunately doesn't work well with password protected documents, so strip the passwords out first before analysis.
python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-h" python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-x" python oledump.py FILE.xls -p plugin_biff.py --pluginoptions "-o FORMULA"
How-to Remove Password Protection
Excel protected documents can be a pain for analysis - some tools don't support them. Samples used here had the .EML file which contained the password used to decrypt the file. Another way is to pivot using VT Graph to find relationships to source the original email.
If you know the password once opened you can remove it here. Now you can analyse the file with OLEDUMP/BIFF plugin.
RECENT ITW SIGHTINGS
ZLOADER downloader, URSNIF banking trojan and TRICKBOT info-stealer.
A malware downloader. Of note, there was an awesome deep dive by the CyberReason research team 👏 ZLOADER campaign
Instead use XLMMacroDeobfuscator with the following argument
-p to specify the password protecting the document to get the full execution flow decoded output.
Also reported by Morphisec team URSNIF banking trojan, using the same XLM + OCR evasion lure. See below;
File VT LINK - United Office Choice7468.xlsm
downloads VT LINK - services.exe = URSNIF banking malware.
Pretty recent so snook this into the blog - 19th June
File VT LINK - PL-7849618.xls
downloads VT LINK - hfZroLh.exe
You can see the TRICKBOT TAG ono48 in the requested URL - quick search on Twitterverse and bam.
⚠️#Malware #Trickbot ono48 from XLS #opendir— reecDeep (@reecdeep) June 18, 2020
XLS > EXE
hxxps://playthefinancialgame.com/createfoldernow/ppos8.phphttps://t.co/b04JWmuY66@abuse_ch @JAMESWT_MHT @malware_traffic @malwrhunterteam @CapeSandbox
Hopefully this will help with some basic analysis and exposure to weaponized XLM/XLS files and some of the available tools/projects out there. For static anlysis these tools do a pretty good job but ultimately live/non-sandboxed dynamic analysis in a secure lab environment might be a possible workaround until static analysis tooling is available/updated.
Definately one to watch 👀 as red/blue adapt to evade/detect...
As I was compiling this post, this was released - a great follow on read. Like I said "So hot right now"
BLUETEAMTIP: if your investigating a possible phish that the user has clicked (then query this key for the recent location of the document) or need to reset macros for testing? (then delete the record) - check out this "Trusted Document" reference.
reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\" reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\<VERSION>\Excel\Security\Trusted Documents\TrustRecords"
Some open source YARA sigs doing the rounds.
- rule Excel_Hidden_Macro_Sheet by InQuest.
- rule MAL_Sharpshooter_Excel4 included with LOKI YARA scanner signature base. https://github.com/Neo23x0/signature-base
Example of LOKI YARA Scanner
- VIDEO - Colin Hardy https://www.youtube.com/watch?v=XnN_UWfHlNM
- VIDEO - DissectMalware https://www.youtube.com/watch?v=QBoj6GB79wM
- VIDEO - Didier Stevens https://www.youtube.com/watch?time_continue=3&v=Y7IP0pksEb8&feature=emb_logo
From lateral movement to generation.