Malicious Excel 4.0 Macros
2022-09-23, 18:00–18:50, Tesla

A multitude of adversaries beginning around February of 2020 have been abusing an old feature of Microsoft Excel as a novel malware delivery method. The Excel 4.0 macros (XLM) feature was introduced in Excel version 4.0 way back in 1992. This style of macro predates the also commonly abused Visual Basic for Applications (VBA) macros. Some of the early adopters of this variation of the technique were found to deliver Zloader and Dridex. As time went on, many different adversaries adopted this technique. Quite a bit of research has been done to extract and analyze the contents of the macros to find payloads and callback URLs. By building off the previous research, what is presented here is a deep dive into how to detect the presence of these macros in an Excel compound file in the first place. There are three basic categories of indicators which can be identified: i) the beginning of file (BOF) record, ii) the boundsheet record, and (iii), a property record found in the document summary information stream. While conducting this research, it was apparent how hard it can be to differentiate various flavors of Microsoft compound files from one another. Therefore, as a bonus, a method for identifying Excel files from among the other multitude of compound files is also detailed.