Airo Safety Reported – Enemy utilizes difficult method of Excel 4.0 in Malspam project


Approximated analysis time: 5 mins

Use Phishing e-mails is not brand-new for cyber-attack as well as is still among the traditional approaches to jeopardize a sufferer’s device. Cyber lawbreakers draw sufferers to open up e-mail add-ons (primarily Doc as well as XLS data) by forging them to resemble essential one utilizing keyword phrases like billing, settlement, money, order and so on. Quick Heal Protection Labs observed one such kind of strike to jeopardize the sufferer.


In this strike, assailant initially sends out a phishing e-mail camouflaged as a crucial one as well as having a stand out paper as add-on. Below is a Phishing e-mail which was tracked throughout this research study.

Fig. 1: Phishing e-mail with stand out documents as add-on

On opening this stand out paper, it asks sufferer to “make it possible for macro” material to implement destructive VBA macro code in history.

Fig. 2: Motivate asking for to make it possible for Macros

There has actually been a surge in making use of VBA macro in Phishing strikes as well as this fad is not brand-new. There are means to spot this strike quickly. Thus enemies have actually altered their exploitation method as well as are utilizing Excel 4.0 macro nowadays.

Excel 4.0 Macro method is old however still reliable as all variations of Excel can run Excel 4.0 macros. In this method, macros are not saved in a VBA job, however are put inside cells of a spread sheet having features like Officer(), Stop(), Auto_Open() and so on. To fool the sufferer, enemies utilize concealing attribute of spread sheet as well as shop the macros inside it.

Adhering to is an instance that reveals the real macro code is concealed inside various other stand out sheet as well as utilizing unhide choice that sheet can be viewed as received Fig 3.

Fig. 3: Unhiding Excel Sheet

Listed below number reveals the precise code as well as circulation of implementation.

Fig. 4: Macro Code Implementation

Auto_Open() is a feature made use of to implement a code as quickly as workbook is opened up.

We can see in Fig. 4, Auto_Open feature will certainly implement Macro1() which implies code implementation will certainly begin with Row 4 which is Macro1. Afterwards, it will certainly call Macro2 (action 2) and after that following guideline which is 33 (on Row 14) is implemented. Symphonious 3, 1 st phase haul is being downloaded and install at % temperature% folder utilizing msiexec.exe procedure as received Fig 5.

While msiexec.exe is a reputable Microsoft procedure, it is just one of the binary from living of the land which comes from the Windows Installer Element. Cyberpunks are utilizing this procedure to download and install haul as lots of protection remedies treat this as Whitelisted procedure that makes it tough to spot utilizing behavior discovery method.

Fig. 5: Download And Install of 1 st Phase Haul

Executable Evaluation:

After downloading and install a haul, msiexec.exe is likewise liable to implement the haul as well as executes more task. The 1 st phase haul is simply a dropper which is made use of to go down numerous data in the % temperature% folder. Ultimately, it goes down a.dll documents which works as last haul as well as it is made use of to carry out more destructive tasks.

The last haul is implemented by Rundll32 exe with disagreement of feature name as “sega”. It begins accumulating system details such as variety of running jobs, system id, customer belongs to domain name or otherwise, drive uses and so on

Fig. 6: Implementation circulation of Assault

Last haul goes down a PowerShell manuscript which is liable to inspect whether customer belongs to domain name or otherwise. The went down PowerShell manuscript is saved at % temperature% area in obfuscated style.

After accumulating called for details from sufferer’s device, haul begins inscribing information utilizing straightforward LINK encoding as well as sends out information utilizing BLOG POST technique to its C2 web server.

Fig. 7: Information send out utilizing BLOG POST technique

Below is the screenshot of the translated information:

Fig. 8: Decoded information

C2 Web server reacts with a command after obtaining the information.

According to feedback, haul executes activity on sufferer’s device as it performs a net.exe with command “ internet customer/ domain name” as well as accumulates the details as well as returns to C2 web server.

Several of complying with features are made use of while sending out information to C2 web server.

Fig. 9: C2 interaction API calls

This haul likewise produces an international mutex to implement haul just for one incident.

Fig. 10: Produce international mutex

The major objective of this malware is to develop a backdoor which can be made use of to swipe system information as well as if system remains in domain name, it might carry out a side motion to develop a backdoor network.

Final Thought:

Use social design methods to jeopardize sufferer is a common technique as well as cyberpunks constantly maintain altering their strategies to escape AV discoveries by utilizing originalities like Excel 4.0 macro as well as authentic home windows procedure like msiexec.exe. Quick Recover as well as Seqrite venture protection remedies secure its individuals from such destructive e-mail add-ons as well as can likewise assist in recognizing remote Command as well as Control web server interaction. So, bear in mind to maintain the endpoint protection remedies constantly upgraded.


78 EA9835 C2D7F6760315 EA043807 B8C8

34 B769 FA431 A/C1945 BE9CC33 D4CC2426

DDAE8B7AA9A93 CE17610 EB063 F5838 CE

6675 C63 A2534 FD65 B3B2DA751 F2B393 F

Topic Professional:

Anjali Raut, Aniruddha Dolas

Have something to contribute to this tale? Share it in the

Airo AV Computer System Security

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top