The ASEC analysis team found that malicious Excel files using the Excel 4.0 macro (formula macro) have been continually distributed. The malware has been distributed indiscriminately through e-mails since May, and as it is still being discovered today, users need to take caution.
The malicious Excel files include images that prompt users to enable macros. Figures below show the files that are currently being distributed.
The malware sets particular cells with Auto_Open in the Name Manager. When macros are enabled, the formulas in the cells are automatically executed to perform malicious behaviors. Formulas usually exist in hidden sheets, and the column of cells with formulas may also be hidden so that those cells cannot be seen.
Besides hiding the sheets, recently discovered files concealed the names set in the Name Manager. As the ‘hidden’ property is given to the set name in the xl\workbook.xml file within Excel (see Figure 7), users usually don’t realize that there’s a set name when checking the Name Manager.
Within the file, formula macros are either dispersed in different sheets or written in texts with white color just like in previous cases, making it difficult for users to recognize them.
When the macro is executed, it uses the URLDownloadToFileA function like in previous cases to download additional malicious files. The URL for downloading additional files consists of hxxp://[IP]/[particular numbers or characters].dat or .png, .dat, etc. The downloaded malicious files are run through regsvr32.exe, and the behaviors confirmed by using AhnLab’s auto analysis system RAPIT are as follows.
As the download is currently not performed, the team could not clearly identify the types of the downloaded malicious files, but it is likely that they are usually info-stealing malware such as TrickBot.
As Excel files with malicious macro sheets are mainly distributed using spam mails, users need to take extra caution for e-mails sent by unknown users. They should also refrain from running macros of document files attached to e-mails with unknown sources.
AhnLab’s anti-malware product, V3, detects and blocks the malicious Excel files introduced in the post using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.