
An hour ago we received a suspicious mail targeting some of our mailing lists. It contains a .zip file, itself containing a .xlsm file.

This .xlsm file appears to be recognized as an ASCII text file by the file utility and olevba:

olevba 0.56.1.dev2 on Python 2.7.16 - http://decalage.info/python/oletools
===============================================================================
FILE: ./Document23312_backup.xlsm
Type: Text
-------------------------------------------------------------------------------
VBA MACRO ./Document23312_backup.xlsm
in file: ./Document23312_backup.xlsm - OLE stream: ''
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

### BEGINNING FILE CONTENT ###

HupKasOthobiarHofrigNioggEgDabHeegantyeeg3quadWozUdAirgiankejrickUphPikUsedbedTaryoofog/
CatsidcerOdiberboipmoawgoojurr8GlerfEurryasOpchynghoojyovshobtoonshAnsIdair&quadbyxEigufOvCiatvocsho
OovChorOseskajnitdyodkeapApcoHacKubFoondamUbwicveljOvJenrocsyapdivomret7OnsOcbucUj,
`ovWedEijopEydFalquehobisib_DakVuktadAdFuNucPhooz2
JaFrarn2ocDoojNowdyasofJighfalhumVeitMuAnriHeptowpEzSaFru4ghipGhowuvViVophOwd:Okijhuf
)OtyijwushouritoagceyfuojbiocIkajbacodoc8

### END FILE CONTENT ###

No suspicious keyword or IOC found.

As we do not have sandboxes, we did not open the document with Microsoft Excel.

We're surprised by these three factors:

  • file is sent using spearphishing
  • file pretends to be a .xlsm document, but is an ASCII text file
  • file content looks encrypted or encoded

We're not IT experts, so we're distraught about this file. Could it be a virus, or part of it? What could be its motivations? If it's a stager, is there any way to identify IPs from which it'd load payloads?

Sumak

1 Answer


.xlsm files are equivalent to .xlsx, except that macros are automatically enabled. Macros are very dangerous and equivalent to arbitrary code execution on your computer, and you should never accept them from the Internet—when you get a .xlsm file, you should rename it to .xlsx before opening, so as to neuter its macros.

I've never used Olevba before, nor the VBA language that MS Office macros are written in, so I'm not sure how to interpret the output in the question. However, it says VBA Macro quite prominently on the sixth line—and the shown macro, while it doesn't look like valid VBA code I've seen, could work somehow else (does MS Office have a way to "encrypt*"/obfuscate macros, or VBA have sufficient permissiveness in its evaluation or preprocessing for an analogy of JSFuck or IOCCC's tricks?). I'd throw this file out, to be safe—there's most assuredly nothing useful to be gained in it. If the macro is indeed actual code and not just a corrupted, mangled mess, then the .xlsm is just a clever way to trick you into opening the file, and in other respects the answers to all your questions are identical to how it would be for a .exe:

  • Could it be a virus, or part of it? Absolutely. (Mind, as this bears a reminder, a virus is a program specifically that infects other programs to include itself—a program that merely does annoying things to thwart your natural use of your computer or to break the guarantees you rely on is a Trojan. This program could be either.)
  • What could be its motivations? Any kind of payload might be attached, to do any arbitrary things the malware author saw fit—from stealing data from your internal network, to operating a botnet, to hosting phishing sites on your Internet connection, to ransoming your files, to merely pranking you.
  • If it's a stagger, is there any way to identify IPs from which it'd load payloads? Someone who could figure out how to read that mess could try to reverse engineer it, the same way that you can read any code. VBA operates closer to high-level human concepts than, for example, raw machine code does, so if you can deobfuscate it, it should be pretty easy to tell what it's supposed to do (including contacting a remote server and downloading code from it). Alternately, one could take the lazy route, and just run it on a sandboxed VM / separate computer (beware of doing this on your internal network if you have any non-up-to-date machines, as you might release a worm travelling via public vulnerabilities you did not yet patch), and use a traffic monitor to see what it contacts.

* genuine encryption has an unrevealed secret key on which the security rests, and the actual implementation can be open and the encryption still secure if the key remains secret

iridia
  • Thanks for your explanations, it helps us understand how this gibberish could be harmful. Though it doesn't look like obfuscated VBA code, as there's no keyword at all, but a string apparently made of random characters. I wonder if it could target the MS Excel parser on a specific version... (as subtitle files can target video players: https://blog.checkpoint.com/2017/05/23/hacked-in-translation/) – Sumak Mar 18 '21 at 08:41
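A static triage check for exactly the mismatch the question's olevba output shows (a file named .xlsm that is really ASCII text, with no ZIP container and no VBA project), written as an added example; it is not code from the original post or from oletools. It assumes only the Python standard library; the text sample and the minimal ZIP below are constructed stand-ins, not the attachment from the question.

```python
import io
import string
import zipfile

OOXML_MAGIC = b"PK\x03\x04"   # a genuine .xlsm/.xlsx is a ZIP (OOXML) container
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file

def classify_office_bytes(data: bytes) -> dict:
    """Container type, presence of xl/vbaProject.bin, and printable-character ratio."""
    result = {"container": "unknown", "has_vba_project": False, "printable_ratio": 0.0}
    if data.startswith(OOXML_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
            result["container"] = "ooxml-zip"
            result["has_vba_project"] = any(n.endswith("vbaproject.bin") for n in names)
        except zipfile.BadZipFile:
            result["container"] = "zip-corrupt"
    elif data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
    else:
        # Neither ZIP nor OLE2: measure how text-like the bytes are, as `file` did here.
        printable = sum(1 for b in data if chr(b) in string.printable)
        result["printable_ratio"] = printable / max(len(data), 1)
        result["container"] = "text" if result["printable_ratio"] > 0.95 else "binary-unknown"
    return result

def triage_verdict(data: bytes, claimed_ext: str) -> str:
    """Pair the detected container with the claimed extension and summarise the risk."""
    info = classify_office_bytes(data)
    if claimed_ext.lower() in (".xlsm", ".xlsx", ".docm", ".docx") and info["container"] != "ooxml-zip":
        return f"mismatch: {claimed_ext} should be an OOXML ZIP, got {info['container']}"
    if info["has_vba_project"]:
        return "ooxml with vbaProject.bin: extract and review macros (e.g. olevba) before opening"
    return f"{info['container']} without VBA project"

def build_ooxml_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped ZIP (not a real workbook) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()

# Constructed stand-in for the random-looking text shown in the question's olevba output.
TEXT_SAMPLE = b"HupKasOthobiarHofrig3quadWozUd/\nCatsidcerOdiber8GlerfEurry&quad\n"
```

Running `triage_verdict(TEXT_SAMPLE, ".xlsm")` reports the extension/container mismatch, which is the strongest static signal here: Excel parses a workbook from the ZIP container, so a plain-text body carries no macro project for olevba to extract.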