I received a malicious spreadsheet that can be analysed with oledump. As you can see here, there are no macros: there are no containers with VBA and there is no M indicator. The only things that you can see are the summary information, the two streams that you will always find, and then the workbook stream, which is also normal for the old binary file format for spreadsheets.

What you actually have to do is look inside this stream, and you can do that with my BIFF plugin. A plugin is executed with option -p, and we are using the BIFF plugin. BIFF is the file format of Excel, but the very old file format, from even before there was an XLS file format using the OLE binary data. So this is a very old file format, but it is still used inside the streams now, inside the workbook stream.

If I run this, then you get this output. Each line here is a BIFF record found in that stream. And if we scroll back, here you can see cell formulas and a string value, and here you can see an msiexec.exe with a URL. So this looks to be the URL used by the command executed by the downloader.

Now, the plugin takes options, and you use the oledump option pluginoptions to pass options to the plugin. What we are going to run is -h to get help, but since this option -h is not to be interpreted by oledump but by the plugin, we have to escape it, for example in double quotes, so that it doesn't get interpreted by oledump. Then you get the help for the plugin and not the help for oledump.

I have option -x. With option -x, you will see all the relevant records for Excel 4.0 macros, and all the other records will be hidden; they will not be displayed. So let's do this. With this information you can immediately see that this is malicious. First of all, you have macros, because you have a sheet, an Excel 4.0 macro sheet, and it is hidden. You have labels, and one of the labels is Auto_Open. So this one will run the macros when the spreadsheet is opened.

And what commands are executed? Well, you have to look into the formulas, but here there is an EXEC, executing something. What is being executed? Here is a CONCATENATE function that takes five arguments, and right after that cell there is a string value of the formula. So the result of this concatenation is also stored in the spreadsheet and you can see it here: msiexec, return 185, the URL and the temp. So this will download an MSI file and execute it through msiexec.

Now, this string here is built up by the CONCATENATE function by referring to different cells, and we can also find them if we run oledump with the BIFF plugin and plugin option -o to look for opcodes. We want opcodes that contain "string" in their description, and here you get different opcodes that contain the word "string" in their description, like a cell value, string constant, and here you have a shared string table, an SST. So let's search for that SST like this, and here you have all the SSTs. Now you can also use option -s, and this will dump all the strings that it finds in the data. And here you can see the different parts that are concatenated together to create the command that is executed by the Excel 4.0 macro.
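The two indicators called out above, a hidden Excel 4.0 macro sheet and an Auto_Open label, can be checked directly on the bytes of the workbook stream. The following is an added example, not code from oledump or the BIFF plugin; the function names are hypothetical, the sample stream is constructed, and it assumes the workbook stream has already been extracted as raw bytes.

```python
import struct

SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}

def biff_records(stream):
    """Yield (opcode, data); a BIFF record is a 2-byte opcode, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        opcode, length = struct.unpack_from("<HH", stream, pos)
        yield opcode, stream[pos + 4:pos + 4 + length]
        pos += 4 + length

def read_chars(data, cch):
    """Decode cch characters that follow a flags byte (bit 0 set: UTF-16LE)."""
    if data[0] & 1:
        return data[1:1 + 2 * cch].decode("utf-16-le", "replace")
    return data[1:1 + cch].decode("latin-1")

def triage(stream):
    """Return findings for Excel 4.0 macro sheets and Auto_Open labels."""
    findings = []
    for opcode, data in biff_records(stream):
        if opcode == 0x0085 and len(data) >= 8:       # BOUNDSHEET
            state, sheet_type, cch = data[4] & 3, data[5], data[6]
            if sheet_type == 0x01:                    # Excel 4.0 macro sheet
                findings.append(("macrosheet", read_chars(data[7:], cch),
                                 SHEET_STATES.get(state, "unknown")))
        elif opcode == 0x0018 and len(data) >= 16:    # defined name (label)
            flags, cch = struct.unpack_from("<H", data)[0], data[3]
            if flags & 0x0020:                        # built-in name: one code byte
                name = BUILTIN_NAMES.get(data[15], "builtin-%d" % data[15])
            else:
                name = read_chars(data[14:], cch)
            if name.lower().startswith("auto_open"):  # prefix match: this example's choice
                findings.append(("label", name, "runs on open"))
    return findings

def rec(opcode, data):
    return struct.pack("<HH", opcode, len(data)) + data

# Constructed sample stream, not taken from the analysed spreadsheet.
SAMPLE = (
    rec(0x0809, bytes(16))                                             # BOF
    + rec(0x0085, struct.pack("<IBBB", 0, 0, 0, 6) + b"\x00Sheet1")    # visible worksheet
    + rec(0x0085, struct.pack("<IBBB", 0, 1, 1, 6) + b"\x00Macro1")    # hidden macro sheet
    + rec(0x0018, struct.pack("<HBBHHH4x", 0x20, 0, 1, 0, 0, 2) + b"\x00\x01")  # Auto_Open
    + rec(0x000A, b"")                                                 # EOF
)
```

Calling `triage(SAMPLE)` reports the hidden macro sheet and the Auto_Open label while ignoring the ordinary worksheet. Records that spill into CONTINUE records are not reassembled here.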