The @InQuest crew has been putting some unusual documents out on the Twitters and I thought I’d take a closer look at one of them. And as ALWAYS, new documents are never that straight forward to analyze. Attackers always put a twist on what has already been done.
In this case, we’ve got an .xlsb file, XLM code, hidden sheets, protected sheets, and the ever-so-sneaky-hiding-in-plain-sight white font.
Here’s the doc: https://app.any.run/tasks/47e1c347-664c-4ada-9655-1724387e859e/#
Microsoft Excel Binary Spreadsheets (.xlsb)
I can’t say that I’ve ever seen these until now. They open and function like any other spreadsheet. The difference is under the hood. They store the spreadsheet using a binary format (BIFF12) rather than the typical .xlsx or .xls. This means that .xlsb files are usually bigger as they’re not compressed. Extremely complicated spreadsheets (ones with lots of formulas, charts, and shapes) can benefit from this file format as they may save and load much faster.
But this format means that some of our normal analysis tools do not work. For example, oledump can’t find any OLE objects in the file.
OfficeMalScanner will expand the document if you use the inflate option. However, the output doesn’t show the normal vbaproject.bin. There’s a ton of other files that are NOT vbaproject.bin. (Of course, there’s no vbaproject.bin. Oledump.py didn’t find any macros, right?)
In hindsight, all of these .bin files make sense as this is an .xlsb file. It certainly didn’t make sense the first time I cracked it open, though.
Analysis from within the document
First, there are a bunch of hidden sheets.
Quite a few of these sheets contain a lot of nonsense.
However, Auto_Open is pointing to Sheet11!A1. If we go there, we can see a empty columns containing XLM in white font.
And of COURSE we can’t edit the font because a bunch of these sheets are protected AND we don’t have the password!
It is possible to enable content and step through the XLM like we’ve done before. However, the other sheets contain macro code and characters that are spread out all over the place. That’s annoying enough to analyze even if it wasn’t in white font.
Unprotecting the sheets
All hope is not lost. We can bypass the protected sheets if we save the document in a different macro-enabled format like .xlsm. This will also change the worksheets from .bin files to .xml files. This will be important in a moment.
Change your newly created .xlsm file to a .zip and navigate your way into xl\worksheets and xl\macrosheets to find .xml sheets. We will un-protect these sheets by taking out a section called sheetProtection. Delete everything from <sheetProtection to its trailing />, including the two < > characters, and then save the .xml. Delete sheet protection wherever you find it.
You’ll have to drag the various .xml files out of the .zip file, edit them, and then copy them back into their appropriate locations. Finally, change the file from .zip to .xlsm.
Analyzing the XLM
Now that the sheets are unprotected, we can finally get rid of that white font and see the XLM. Auto_open is pointing to Sheet11!A1. I color-coded the extraneous lines and analyzed the three important =CALL() commands.
Ultimately, it downloads a .dll to C:\ProgramData\fps\ and registers that .dll via rundll32.exe.
As a bonus, Excel does some of the XLM concatenating for us making analysis easier. Here’s an example from Sheet1. You can see that cell L3 contains =CONCATENATE(Sheet…), but the cell itself shows the result.
Thanks for reading.