Excel 4.0 Macro with Various Images being Distributed

The ASEC analysis team found that malicious Excel files using the Excel 4.0 macro (formula macro) have been continually distributed. The malware has been distributed indiscriminately through e-mails since May, and as it is still being discovered today, users need to take caution.

The malicious Excel files include images that prompt users to enable macros. Figures below show the files that are currently being distributed.

Figure 1. Image within file (1)

Figure 2. Image within file (2)

Figure 3. Image within file (3)

Figure 4. Image within file (4)

The malware sets particular cells with Auto_Open in the Name Manager. When macros are enabled, the formulas in the cells are automatically executed to perform malicious behaviors. Formulas usually exist in hidden sheets, and the column of cells with formulas may also be hidden so that those cells cannot be seen.

Figure 5. Hidden sheets and Name Manager

Figure 6. Hidden columns within the sheet

Besides hiding the sheets, recently discovered files concealed the names set in the Name Manager. As the ‘hidden’ property is given to the set name in the xl\workbook.xml file within Excel (see Figure 7), users usually don’t realize that there’s a set name when checking the Name Manager.

Figure 7. Inside xl\workbook.xml

Figure 8. Left: File with hidden property / Right: File with hidden property changed

Within the file, formula macros are either dispersed in different sheets or written in texts with white color just like in previous cases, making it difficult for users to recognize them.

Figure 9. Formula macros dispersed and hidden in different sheets

Figure 10. Formula macros dispersed and hidden

When the macro is executed, it uses the URLDownloadToFileA function like in previous cases to download additional malicious files. The URL for downloading additional files consists of hxxp://[IP]/[particular numbers or characters].dat or .png, .dat, etc. The downloaded malicious files are run through regsvr32.exe, and the behaviors confirmed by using AhnLab’s auto analysis system RAPIT are as follows.

Figure 11. Process tree

As the download is currently not performed, the team could not clearly identify the types of the downloaded malicious files, but it is likely that they are usually info-stealing malware such as TrickBot.

As Excel files with malicious macro sheets are mainly distributed using spam mails, users need to take extra caution for e-mails sent by unknown users. They should also refrain from running macros of document files attached to e-mails with unknown sources.

AhnLab’s anti-malware product, V3, detects and blocks the malicious Excel files introduced in the post using the aliases below.

[File Detection]

  • Downloader/MSOffice.Generic
  • Downloader/XML.XlmMacro

[IOC Info]

  • a40f40480e508854fd9f01682b0d64c2
  • ec642e8c5e02eb1e706b68dbfa87b22e
  • 5371c466a1f4c0083d4f9b7d6a2248e6

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments