Excel 4.0 Macro with Various Images being Distributed

Malware Analysis
1

The ASEC analysis team found that malicious Excel files using the Excel 4.0 macro (formula macro) have been continually distributed. The malware has been distributed indiscriminately through e-mails since May, and as it is still being discovered today, users need to take caution.

The malicious Excel files include images that prompt users to enable macros. Figures below show the files that are currently being distributed.

1023×647
Figure 1. Image within file (1)

1024×650
Figure 2. Image within file (2)

1024×651
Figure 3. Image within file (3)

1024×793
Figure 4. Image within file (4)

The malware sets particular cells with Auto_Open in the Name Manager. When macros are enabled, the formulas in the cells are automatically executed to perform malicious behaviors. Formulas usually exist in hidden sheets, and the column of cells with formulas may also be hidden so that those cells cannot be seen.

1024×677
Figure 5. Hidden sheets and Name Manager

1024×381
Figure 6. Hidden columns within the sheet

Besides hiding the sheets, recently discovered files concealed the names set in the Name Manager. As the ‘hidden’ property is given to the set name in the xl\workbook.xml file within Excel (see Figure 7), users usually don’t realize that there’s a set name when checking the Name Manager.

Figure 7. Inside xl\workbook.xml

968×288
Figure 8. Left: File with hidden property / Right: File with hidden property changed

Within the file, formula macros are either dispersed in different sheets or written in texts with white color just like in previous cases, making it difficult for users to recognize them.

1024×402
Figure 9. Formula macros dispersed and hidden in different sheets

1024×617
Figure 10. Formula macros dispersed and hidden

When the macro is executed, it uses the URLDownloadToFileA function like in previous cases to download additional malicious files. The URL for downloading additional files consists of hxxp://[IP]/[particular numbers or characters].dat or .png, .dat, etc. The downloaded malicious files are run through regsvr32.exe, and the behaviors confirmed by using AhnLab’s auto analysis system RAPIT are as follows.

715×161
Figure 11. Process tree

As the download is currently not performed, the team could not clearly identify the types of the downloaded malicious files, but it is likely that they are usually info-stealing malware such as TrickBot.

As Excel files with malicious macro sheets are mainly distributed using spam mails, users need to take extra caution for e-mails sent by unknown users. They should also refrain from running macros of document files attached to e-mails with unknown sources.

AhnLab’s anti-malware product, V3, detects and blocks the malicious Excel files introduced in the post using the aliases below.

[File Detection]

  • Downloader/MSOffice.Generic
  • Downloader/XML.XlmMacro

[IOC Info]

  • a40f40480e508854fd9f01682b0d64c2
  • ec642e8c5e02eb1e706b68dbfa87b22e
  • 5371c466a1f4c0083d4f9b7d6a2248e6

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Excel 4.0 Macro with Various Images being Distributed appeared first on ASEC BLOG.

Article Link: Excel 4.0 Macro with Various Images being Distributed - ASEC BLOG