Ninja Level Security

Excel Macros Unleashed: The Hidden Malware Threat

Excel Macros Unleashed: The Hidden Malware Threat

Static Analysis, Dynamic Analysis & Reverse Engineering of Excel Macros Malware

Bishwajeet Biswas's photo
Bishwajeet Biswas
·

3 min read

Table of contents

In the realm of cybersecurity, the unassuming Excel spreadsheet has become a battleground for cybercriminals. Excel macro malware, the silent saboteurs, lurk within seemingly harmless files, waiting to strike. Let's embark on a quest to decode their secrets.

File Hash & VT Analysis: Unveiling the Bad Boys

Before we embark on our journey through the Wannacry labyrinth, we must understand the first traces of its presence - 16e6489b81a41f0bfc2bc9bb0165b624c51ed4fecf6438c73a5ee6501caf34dc the infamous file hashes. Wannacry left its mark on various files, and VirusTotal analysis reveals just how widespread and infectious this malicious code was.

Basic Static Analysis: Strings, Secrets, and Path-etic Discoveries

Excel macros are notorious for hiding their true intentions. Strings and floss output offer a peek behind the curtain, revealing cryptic messages and commands. Our investigation kicks into high gear as we unzip files in search of hidden treasures.

Strings & floss output: Decrypting the Enigma

Deep within xl/vbaProject.bin, we stumble upon a mother lode of intrigue.

Deep within xl/vbaProject.bin

The raw bytes of the payload beckon, and with a little digital magic, we decipher the concealed PowerShell commands.

raw bytes of the payload beckon, and with a little digital magic, we decipher the concealed PowerShell commands

It's like decoding a message from a secret agent.

It's like decoding a message from a secret agent.

The Heart of the Enigma: Basic Dynamic Analysis

The Excel spreadsheet, once opened, serves as ground zero for the malware's launch. The unsuspecting victim may not notice, but a digital storm is brewing. But that's just the beginning of our adventure.

The Excel spreadsheet, once opened, serves as ground zero for the malware's launch.

Network Signatures: Unraveling the Web of Deceit

Our journey takes us to a digital crossroads - the domain http://srv3.wonderballfinancial.local/abc123.crt. It's here that the malware's web of deceit starts to unravel. We discover a callback on port 8443, a rendezvous shrouded in secrecy.

Host Indicators: The Game of Shadows

In this digital maze, Excel macros spawn PowerShell child processes, and the host http://srv3.wonderballfinancial.local becomes a key player in our intricate cyber drama.

The Grand Revelation: Basic and Advanced Dynamic Analysis

As our adventure unfolds, the true nature of this Excel macro malware is revealed. It turns out to be a remote access trojan (RAT), a digital spy hidden within a spreadsheet. Its mission: to infiltrate, exfiltrate, and wreak havoc.

As our adventure unfolds, the true nature of this Excel macro malware is revealed.

It turns out to be a remote access trojan (RAT), a digital spy hidden within a spreadsheet.

Summary:

  • It trying to call a host http://srv3.wonderballfinancial.local/abc123.crt and trying to download the exploit code on the disk in base64 format.

  • It uses certutil to decode the exploit code and save it as a PowerShell script.

  • It uses the 32-bit PowerShell to bypass the AMSI while running the PowerShell.

  • Looks like it is some kind of remote access trojan.

Conclusion: The Excel Macro Saga

Our quest into the labyrinth of Excel macro malware has been nothing short of thrilling. What initially appeared as a harmless spreadsheet hid a malevolent secret. As we close this chapter, remember that vigilance is our greatest weapon in the ever-evolving landscape of cybersecurity. Stay curious, stay cautious, and be prepared for the next enigmatic adventure in the digital realm.

#cybersecurityMalwaremalware analysisransomwareransomwareattack