Distribution of Excel File with Malicious Macro Hidden ‘Deeper’ – very hidden
by AhnLab ASEC Analysis Team, March 11, 2020.
An Excel file that uses a new method of hiding a malicious macro has been discovered. The file carries its code in an Excel 4.0 (XLM) macro sheet and departs from the earlier approach of simply hiding that sheet: the hidden state can no longer be cleared through the normal user interface. Because the file contains no VBA macro code and the XLM macro sheet cannot be inspected directly, users cannot easily find where the malicious content lives within the document.
- Filename – invoice_805274.xls
- Date created – March 9, 2020. 15:30:32
- MD5 – a7b074da0251f0f8952090967846737e
Malicious files using Excel 4.0 macro sheets were actively distributed in early 2019. The files distributed then 'hid' the macro sheet so that only the malicious behaviour ran while the code stayed out of the user's view; a user could still use the Unhide feature to reveal the sheet. In the files being distributed now, the Unhide option is not available at all, so it is difficult for the user even to suspect, let alone confirm, that a macro sheet exists. What has not changed is that the macro code can still be extracted from the file, and that the malicious behaviour still runs.
※ Check excel 4.0 (XLM) macro sheet –https://asec.ahnlab.com/1232
The Unhide option is unavailable because the macro sheet was created with the 'very hidden' property. A sheet hidden through the UI gets the 'hidden' state and still appears in the Unhide dialog; a 'very hidden' sheet does not appear there at all, so its existence is concealed from the user. This state cannot be assigned to a macro sheet through Excel's ordinary user-facing features. In the binary of the malicious file, the record that describes the macro sheet has its sheet-state byte set to '02' (very hidden) right before the sheet-type byte '01' (Excel 4.0 macro sheet).
To view a very hidden macro sheet, the user must either open the file in a hex editor and change that state byte to '00' (visible) or '01' (hidden), or run a short piece of VBA that enumerates the sheets and sets each one's Visible property. Using a tool, the analysts confirmed that the macro sheet contains cell formulas, then checked the call structure of those formulas directly in the sheet. The hidden macro sheet is named 'sygfdfdfdesie', and the formulas in its cells are obfuscated. When run, the file connects to hxxp://gembeap.com/myknt7lx250y8u3/okbdy.exe and downloads a malicious EXE whose purpose is to steal banking information.
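As an added example (not part of the original ASEC analysis or any AhnLab tooling), the following Python walks the BIFF record stream of a .xls workbook, reads the sheet-state and sheet-type bytes of each BOUNDSHEET record, flags any Excel 4.0 macro sheet that is not visible, and produces a patched copy with every sheet's state byte set to 00 (visible), which is the hex-editor fix described above done programmatically. The stream it parses is constructed inline to mimic the BIFF8 record layout (a workbook-globals BOF, an ordinary worksheet, a very hidden macro sheet named sygfdfdfdesie, then EOF); the stream offsets and BOF field values are made up for the sample, and the only detail taken from the page is the sheet name.

```python
import struct

# BIFF record ids (MS-XLS); BIFF8 BOUNDSHEET = BoundSheet8
BOF = 0x0809
EOF = 0x000A
BOUNDSHEET = 0x0085

STATE_NAMES = {0: "visible", 1: "hidden", 2: "very hidden"}
TYPE_NAMES = {0: "worksheet", 1: "Excel 4.0 macro sheet", 2: "chart", 6: "VBA module"}


def iter_records(stream):
    """Yield (offset, record_id, data) for each BIFF record up to the first EOF."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        data = stream[off + 4:off + 4 + size]
        yield off, rid, data
        off += 4 + size
        if rid == EOF:
            break


def parse_boundsheet(data):
    """BoundSheet8: lbPlyPos(4) hsState(1) dt(1) cch(1) grbitChr(1) name.
    hsState 0/1/2 = visible/hidden/very hidden; dt 1 = Excel 4.0 macro sheet."""
    ply_pos, hs_state, dt, cch, grbit_chr = struct.unpack_from("<IBBBB", data, 0)
    raw = data[8:]
    if grbit_chr & 1:            # fHighByte set: UTF-16LE name
        name = raw[:cch * 2].decode("utf-16-le")
    else:                        # compressed 8-bit name
        name = raw[:cch].decode("latin-1")
    return {"pos": ply_pos, "state": hs_state, "type": dt, "name": name}


def find_sheets(stream):
    """List every sheet in the workbook-globals stream with its record offset."""
    sheets = []
    for off, rid, data in iter_records(stream):
        if rid == BOUNDSHEET:
            sheet = parse_boundsheet(data)
            sheet["offset"] = off
            sheets.append(sheet)
    return sheets


def suspicious_sheets(stream):
    """XLM macro sheets that are hidden or very hidden: the pattern in this sample."""
    return [s for s in find_sheets(stream) if s["type"] == 1 and s["state"] != 0]


def describe(sheet):
    return "%s: %s, %s" % (sheet["name"],
                           TYPE_NAMES.get(sheet["type"], "type %d" % sheet["type"]),
                           STATE_NAMES.get(sheet["state"], "state %d" % sheet["state"]))


def unhide_all(stream):
    """Return a copy with each BOUNDSHEET hsState byte set to 00 (visible).
    The byte sits at record offset + 4 (header) + 4 (lbPlyPos); size is unchanged."""
    buf = bytearray(stream)
    for s in find_sheets(stream):
        buf[s["offset"] + 8] = 0
    return bytes(buf)


# ---- constructed sample stream (not bytes from the real file) ----
def _rec(rid, data):
    return struct.pack("<HH", rid, len(data)) + data


def _boundsheet(pos, state, dt, name):
    nm = name.encode("latin-1")
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", pos, state, dt, len(nm), 0) + nm)


SAMPLE_STREAM = (
    _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))  # BIFF8 globals BOF
    + _boundsheet(0x0100, 0, 0, "Sheet1")           # visible worksheet (decoy)
    + _boundsheet(0x0200, 2, 1, "sygfdfdfdesie")    # very hidden XLM macro sheet
    + _rec(EOF, b"")
)

if __name__ == "__main__":
    for s in find_sheets(SAMPLE_STREAM):
        print(describe(s))
    print("suspicious:", [s["name"] for s in suspicious_sheets(SAMPLE_STREAM)])
    print("after unhide:", [describe(s) for s in find_sheets(unhide_all(SAMPLE_STREAM))])
```

On a real .xls the bytes to feed `find_sheets` are the "Workbook" stream of the OLE2 container, e.g. `olefile.OleFileIO(path).openstream("Workbook").read()`; writing the patched stream back with olefile's `write_stream` works because the fix changes one byte per sheet and keeps the stream size identical. The parser handles BIFF8 only; BIFF5 BOUNDSHEET records store the name without the grbitChr flag byte.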
By hiding the macro sheet one level deeper with the very hidden property, the attacker can evade existing detection methods and keep the malware unnoticed for as long as possible. The technique is not yet common in Excel files, but security analysts should watch such changes closely.
AhnLab's V3 products detect the malware under the following alias:
– Downloader/Xls.Generic (2020.03.10.04)