Hello, I'm Didier Stevens, senior handler with the Internet Storm Center. In this video we are looking at a malicious spreadsheet that uses Excel 4.0 macros. When Excel was released in 1987, it already had macro capabilities: you could write formulas into cells and then have a program executed. It was in 1993, with Excel 5.0, that VBA came out, Visual Basic for Applications. That is not what we are looking at here. It's not VBA, it's something that predates VBA, and we are going to look at how we can analyse this. So we have our sample here that I'm going to analyse with oledump. As you can see, there are just three streams: two summary information streams and a workbook stream. If there had been VBA, you would see VBA streams. Let me show you an example that I made here. That's what you would expect if it contains VBA code: you have VBA streams and also the indicator M. In our sample that's not the case, because our sample uses the older technology, Excel 4.0 macros. This is very old technology from 1987, but it is still supported; even in Excel 2019 you can still create spreadsheets with those macros. And those macros are actually stored in the workbook stream. With oledump you can select stream 3, the workbook stream. Let's pipe this through less and you get output like this, a hexadecimal/ASCII dump. The data inside the workbook is organised as TLV records: type, length and value. You have two bytes that indicate the type, little-endian. So the type of that first record is 0809. Then you have two bytes with the length, also little-endian: that is 0010, so 16 bytes. And then the 16 bytes that make up the data. Then you have the second record, type 00E1, length 0002, then the two bytes of value, and so on. That's very hard to analyse like this, and that is why I have a plugin to do it for us.
That's plugin_biff, because BIFF is the old file format used by Excel with those TLV records. We can run it like this. And indeed you see what I told you: first the record with type 0809, length 16, which is the Beginning Of File record. Then another one, two bytes long, the interface header, and so on. There are a lot of records. If we scroll through this, we find records that represent a sheet: BOUNDSHEET, and we have two of them. Each one holds the information for a sheet inside the workbook. You can see that this record has the type Excel 4.0 macro sheet and it is hidden, while the other sheet is a normal sheet and is visible. This is a strong indication that we are dealing with something malicious, because we have old macros in the document and the sheet that holds them is hidden. If you continue, you see cell values, for example Auto_Open here, and so on. You then have to find the formula records, like here, and the string records that go with them. Here we can see a command that would be executed. So you have to scroll through all of this to find the relevant information. But I have added an option to my plugin, plugin_biff, that selects all the relevant records when it comes to Excel 4.0 macros. You pass the plugin options, and that is option -x. I have to escape this, because it is an option for the plugin, not an option for oledump itself. Then all the relevant records are selected. Here you have the sheets: we see that we have an Excel 4.0 macro sheet and that it is hidden. We have a couple of labels, one of them is Auto_Open. That makes the macros run automatically when the spreadsheet is opened and the warnings are clicked away. And here you have different formulas in the cells. You have an EXEC function called inside this formula, so that will execute something. And what is being executed?
Well, here you have a CONCATENATE function called in this formula that concatenates four different arguments, and you can see the references to the four arguments that are concatenated together. Immediately after that formula record you have a string record, which is the string value of the formula. And here we can see what is actually being executed: msiexec is executed, and it will download an MSI file from this URL and execute it. So this is the result of the concatenation. The different parts that are concatenated together can also be found. I can look for the opcodes that have the word "string" in their description, and that's option -o string. Now I have all the records whose opcode description contains the word "string". There is a rather large one, which is the shared string table. The shared strings are referenced by all those LABELSST records, which are references into the shared string table. If I do this with option -a, I get an ASCII dump of the data for the selected records. And here we have our shared string table, and you can see the different fragments of the string that are concatenated together. Another thing I can do, instead of an ASCII dump, is use option -s to extract all the strings from the data. Then you clearly see in the shared string table the strings micro 1, micro 2, MSI EX, and so on. That's everything that is being concatenated together. So that is how you analyse such old-technology macros. With oledump you take a look: if you see no VBA streams but you see that it is a spreadsheet, then you have to look inside the workbook stream. So you run my plugin, plugin_biff, with plugin option -x. The x is for XLM, the old extension for Excel 4.0 macros, so -x. And then you get all the relevant records if it contains a macro sheet.
If there is no Excel 4.0 macro sheet, there will be no output. For example, if I do this on the document with the VBA macros instead, like this, you see you get no output from the plugin. So it doesn't contain an Excel 4.0 macro sheet.
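To show what the plugin is doing under the hood, here is an added example (my own code, not plugin_biff or oledump) that walks the BIFF TLV records of a workbook stream and flags BOUNDSHEET records describing a hidden Excel 4.0 macro sheet. The record layouts follow the MS-XLS specification; the sample bytes are constructed inline rather than taken from the video's sample.

```python
import struct

# Record types referenced below (MS-XLS, BIFF8).
BOF = 0x0809          # Beginning Of File record, seen first in the stream
BOUNDSHEET = 0x0085   # one per sheet: position, hidden state, sheet type, name
EOF = 0x000A

SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}

def parse_biff_records(data):
    """Walk TLV records: 2-byte little-endian type, 2-byte little-endian length, then value."""
    records, offset = [], 0
    while offset + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, offset)
        value = data[offset + 4:offset + 4 + rlen]
        if len(value) < rlen:
            raise ValueError("truncated record at offset %d" % offset)
        records.append((rtype, value))
        offset += 4 + rlen
    return records

def parse_boundsheet(value):
    """BoundSheet8: lbPlyPos (4 bytes), hsState (low 2 bits) + dt (high byte), then a short name."""
    pos, flags = struct.unpack_from("<IH", value, 0)
    state, dt = flags & 0x03, (flags >> 8) & 0xFF
    cch, high_byte = value[6], value[7] & 0x01        # ShortXLUnicodeString header
    raw = value[8:8 + cch * (2 if high_byte else 1)]
    name = raw.decode("utf-16-le" if high_byte else "latin-1")
    return {"pos": pos, "state": SHEET_STATES.get(state, "unknown"),
            "type": SHEET_TYPES.get(dt, "unknown"), "name": name}

def find_macro_sheets(data):
    """Return the BOUNDSHEET entries that describe Excel 4.0 macro sheets (hidden or not)."""
    sheets = [parse_boundsheet(v) for t, v in parse_biff_records(data) if t == BOUNDSHEET]
    return [s for s in sheets if s["type"] == "Excel 4.0 macro sheet"]

def build_boundsheet(pos, state, dt, name):
    """Constructed sample record builder (not part of any real file)."""
    body = struct.pack("<IH", pos, state | (dt << 8)) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed workbook stream: BOF, a visible worksheet, a hidden macro sheet, EOF.
SAMPLE = (struct.pack("<HH", BOF, 16) + bytes(16)
          + build_boundsheet(0x200, 0, 0x00, "Sheet1")
          + build_boundsheet(0x400, 1, 0x01, "Macro1")
          + struct.pack("<HH", EOF, 0))

if __name__ == "__main__":
    for s in find_macro_sheets(SAMPLE):
        print("%s: %s, %s" % (s["name"], s["type"], s["state"]))
```

A real workbook stream would come from oledump's stream selection (the third stream in the video); running this over it lists every macro sheet, and a "hidden" or "very hidden" state is the indicator the video points at.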