A malicious Microsoft Excel 4.0 macro sheet containing a suspicious formula and set to “Very Hidden” was analyzed by Trend Micro researchers. The sheet is not readily accessible through the Microsoft Excel user interface (UI) because of a documented feature on the Microsoft website that lets users hide sheets. The malicious files were commonly distributed as attachments in spam.
When the file is opened, it displays a message asking users to click the Enable Editing button and then the Enable Content button. Users who do so unwittingly enable the macro.
Figure 1. Prompt to enable editing and enable content
The researchers checked for the presence of a macro by opening the Visual Basic Editor, which reported that no macros were present. This is expected: Excel 4.0 (XLM) macros are stored as formulas in a macro sheet rather than in a VBA project, so the Visual Basic Editor shows nothing even when one exists.
We examined the file structure further using an internal tool for analyzing OLE2 files. Through this, we discovered a macro sheet named “G5U1D5zEis” whose visibility is set to “Very Hidden.” With this setting the sheet does not appear in the sheet tab bar or in the Unhide dialog, so it cannot be restored from the normal Excel UI; unhiding it requires changing the sheet’s Visible property in the Visual Basic Editor or editing the file with another tool.
Figure 2. “Very hidden” status revealed
We modified the file to unhide the sheet. This revealed the contents of the document.
Figure 3. Obfuscated macro sheet contents
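The visibility flag the researchers found lives in the BoundSheet8 records of the workbook’s BIFF stream, so the check they performed with an internal tool can be reproduced with a short parser. The following is an added example written for this page, not the researchers’ tool or any Trend Micro code: it walks the BIFF records of a Workbook stream, reports each sheet’s name, type and hsState, flags any Excel 4.0 macro sheet marked very hidden, and rewrites the flag so that every sheet becomes visible. The stream is constructed inline for the demonstration (only the sheet name is taken from the analysis; the lbPlyPos and BOF field values are placeholders). For a real .xls file, the Workbook stream is first extracted from the OLE2 container, for example with the olefile library as shown in the helper at the end.

```python
"""Find and unhide 'very hidden' Excel 4.0 macro sheets in a BIFF8 Workbook stream.

Standard library only. Record layouts follow MS-XLS: a record is a 2-byte id and a
2-byte length (little-endian) followed by the payload; BoundSheet8 holds
lbPlyPos (4 bytes), a flags byte whose low two bits are hsState, a sheet-type
byte dt, and the sheet name as a ShortXLUnicodeString.
"""
import struct

BOF = 0x0809
EOF_REC = 0x000A
BOUNDSHEET = 0x0085

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "xlm macro sheet", 0x02: "chart", 0x06: "vba module"}


def iter_records(stream: bytes):
    """Yield (offset, record id, payload) for each record of the globals substream.

    BoundSheet8 records live in the Workbook Globals substream, which ends at the
    first EOF record; the per-sheet substreams that follow are not needed here.
    """
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        yield pos, rec_id, stream[pos + 4: pos + 4 + length]
        pos += 4 + length
        if rec_id == EOF_REC:
            break


def parse_boundsheet(payload: bytes) -> dict:
    """Decode a BoundSheet8 payload into a dict of the fields that matter here."""
    lb_ply_pos, flags, dt = struct.unpack_from("<IBB", payload, 0)
    hs_state = flags & 0x03                      # hsState occupies the low two bits
    cch, high_byte = payload[6], payload[7] & 0x01
    raw = payload[8:]
    name = raw[:cch * 2].decode("utf-16-le") if high_byte else raw[:cch].decode("latin-1")
    return {
        "name": name,
        "substream_offset": lb_ply_pos,
        "hs_state": hs_state,
        "state": HS_STATE.get(hs_state, f"unknown({hs_state})"),
        "dt": dt,
        "type": SHEET_TYPE.get(dt, f"unknown({dt:#04x})"),
    }


def find_sheets(stream: bytes) -> list:
    """Return one dict per BoundSheet8 record, with the record's own offset added."""
    sheets = []
    for offset, rec_id, payload in iter_records(stream):
        if rec_id == BOUNDSHEET:
            info = parse_boundsheet(payload)
            info["record_offset"] = offset
            sheets.append(info)
    return sheets


def suspicious_sheets(stream: bytes) -> list:
    """Excel 4.0 macro sheets (dt == 1) whose hsState is 'very hidden' (2)."""
    return [s for s in find_sheets(stream) if s["dt"] == 0x01 and s["hs_state"] == 2]


def unhide_all(stream: bytes) -> bytes:
    """Copy of the stream with every sheet's hsState cleared to 'visible'.

    The flags byte sits 4 bytes into the payload, i.e. 8 bytes past the record
    start; only the two hsState bits are touched, reserved bits are preserved.
    """
    out = bytearray(stream)
    for s in find_sheets(stream):
        out[s["record_offset"] + 8] &= 0xFC
    return bytes(out)


def load_workbook_stream(path: str) -> bytes:
    """Extract the BIFF stream from a real .xls file (requires the olefile package)."""
    import olefile                                # third-party; imported lazily
    ole = olefile.OleFileIO(path)
    name = "Workbook" if ole.exists("Workbook") else "Book"   # BIFF8 vs BIFF5 name
    return ole.openstream(name).read()


# ---- constructed sample stream (not taken from the analyzed file) -------------
def _record(rec_id: int, payload: bytes = b"") -> bytes:
    return struct.pack("<HH", rec_id, len(payload)) + payload


def _boundsheet(name: str, hs_state: int, dt: int, lb_ply_pos: int = 0x200) -> bytes:
    raw = name.encode("latin-1")                  # 8-bit name: fHighByte = 0
    payload = struct.pack("<IBB", lb_ply_pos, hs_state, dt) + bytes([len(raw), 0x00]) + raw
    return _record(BOUNDSHEET, payload)


# A globals substream: BOF (vers=BIFF8, dt=0x0005 workbook globals, placeholder
# build/year/flags), a normal visible worksheet, a very-hidden XLM macro sheet
# named like the one in the analysis, then EOF.
SAMPLE_STREAM = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006))
    + _boundsheet("Sheet1", 0, 0x00)
    + _boundsheet("G5U1D5zEis", 2, 0x01)
    + _record(EOF_REC)
)

if __name__ == "__main__":
    for s in find_sheets(SAMPLE_STREAM):
        print(f"{s['name']:<14} {s['type']:<16} {s['state']}")
    print("suspicious:", [s["name"] for s in suspicious_sheets(SAMPLE_STREAM)])
```

Run against a real sample by passing `load_workbook_stream("sample.xls")` instead of `SAMPLE_STREAM`; to produce an analysis copy with the sheet visible, write the output of `unhide_all` back into the Workbook stream of a copy of the file (the stream length is unchanged, so the container does not need to be resized). Office Open XML workbooks (.xlsm) keep the same information in a different place, as a `state="veryHidden"` attribute on the sheet element in xl/workbook.xml with the macro sheet under xl/macrosheets/, so this BIFF parser applies only to the legacy binary format discussed here.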
Deobfuscation revealed the content, showing that the macro sheet contains formulas set to run as soon as the document is opened (Excel 4.0 macro sheets trigger this through an Auto_Open defined name that points at the first cell to execute). The macro also calls the URL hxxps://grpxmqnrb[.]pw/ehrj4g9g.
Figure 4. Deobfuscated macro sheet contents
The URL, which had been created only recently, is the same one used in a recorded attempted attack of a similar nature against Intel 471. Below are related URLs found on VirusTotal:
Excel files communicating with this URL (also found on VirusTotal) use the same filename structure. Some of these documents are attachments to spam emails:
The URL hxxps://grpxmqnrb[.]pw/ehrj4g9g redirected to hxxps://github[.]com/arntsonl/calc_security_poc/raw/master/dll/calc.dll, a publicly hosted proof-of-concept DLL whose only action is to launch the Windows calculator, calc.exe. This suggests that a test or decoy payload was being served. Note, however, that the macro requests the redirector rather than the final file: although the URL no longer resolves or redirects anywhere, it could be brought back at any time with a different redirection and a live payload.
Figure 5. Downloaded file to execute calc.exe
The URL was already down at the time of writing. The URL structure, the technique used, and the macro code are similar to those of a campaign that delivered Zloader as its payload.
Defense against malicious files
Threat actors continue to conceal malicious code in seemingly harmless files and periodically turn to new file types. These files are usually distributed through spam that relies on social engineering lures, such as current events like the coronavirus (COVID-19) outbreak, to grab recipients’ attention and prompt them to open the attachments. Some even pose as legitimate, high-profile organizations to gain the recipients’ trust.
To avoid compromise, users should never download attachments or click links in emails from untrusted sources. For emails that appear to come from official organizations, users should check the organization’s official website for a press release about the email advisory, or reach out through the contact details listed on the site, to verify that the organization sent it. Users should also look for grammatical errors and misspellings in the email body, which are often a dead giveaway that the email is spam. Security solutions can also detect and block malware arriving via email.