Over the last few years we have received a number of emails with attached Word files that spread malware. Now it seems that it is becoming more and more popular to spread malware using malicious Excel files. Lately, Fortinet has collected a number of email samples with Excel files attached (.xls, .xlsm) that spread malware by executing malicious VBA (Visual Basic for Applications) code.
VBA is a programming language used by Microsoft Office suite. Normally, VBA is used to develop programs for Excel to perform some tasks.
I’ll use two examples to explain how Excel files can be used to spread malware.
When the infected file is opened in Excel, a message pops up asking the user to enable the macro security option by clicking the “Enable Content” button. Once the macro function is enabled, the malicious VBA code inside the sample is executed. See Figure 1.
Figure 1. An Excel message to enable macros
The file in this example is an OLE format Excel file that was collected on Feb 27, 2017. Its original file name is “payment.xls”, which was detected as virus “WM/Agent.D9E2!tr.dldr” by Fortinet because it contains malicious VBA code.
Figure 2. The OLE structure of this sample
From the parsing result of the OLE file analysis tool, the malicious VBA code exists in the Module1 stream. So I extracted the VBA code from it.
As you can see from the above VBA code, there is a function named “Auto_Open”, which is called automatically when the file is opened in Excel. Based on our analysis of other malicious VBA-based samples, the functions “ShellExecute”, “Shell”, “WScript.Shell”, and “Run” are usually called to execute DOS commands. In this sample, the “Shell” function is called at the bottom to execute the malicious command.
This VBA code is easy to understand. First, it creates some arrays with short names by calling the Array function. Second, it generates some strings by concatenating elements of the arrays by their indexes. Finally, it puts the strings together in a special order to generate the final command string.
Actually, this is a kind of code obfuscation technique used to avoid being detected and analyzed. The final string is the malicious command being executed by the “Shell” function. In this sample, the first parameter “ugsubpox” holds the command string.
Figure 3. Analyzing the VBA code
As analyzed in Figure 3, here is the string in the variable “ugsubpox”:
It looks weird because of the code obfuscation. We can see a DOS command will be executed by calling cmd.exe. There are many ‘^’ symbols in this command, but we can directly ignore them because ‘^’ in DOS shell is the escape character. So, after removing all the ‘^’ symbols and changing all the characters to lowercase because Windows commands are not case-sensitive, the string looks clearer and is easier to understand:
“cmd.exe /c” initiates running a new cmd shell, executing the command specified by the string, and terminating it. As a result, executing this command will download an .exe file into “%appdata%.exe” and execute it.
In fact, the downloaded .exe file is a downloader of Dyzap malware. Later, it will download another .exe file called “paray.txt”, the new variant of Dyzap, and run it to keep stealing credentials from infected systems. Finally, the stolen credential data is encrypted and sent to its C&C server.
For more information about Dyzap, you can read the blog from Bahare Sabouri and He Xu.
In our collection system we gathered lots of Excel samples containing similar VBA code. They are used to spread different kinds of malware, including Trojans, Ransomware, Spyware, Bots, etc.
Another Excel malware sample was first collected in our system on Feb 27, 2017. It’s also an OLE format file.
This sample contains modules and controls. Here is its structure.
Figure 4. The OLE structure of this sample
From the parsing result of the OLE file analysis tool, we can see the VBA code is stored in streams “_VBA_PROJECT_CUR/VBA/ThisWorkbook”, “_VBA_PROJECT_CUR/VBA/Module1”, and “_VBA_PROJECT_CUR/UserForm1/o”. Inside the VBA project there is a “TextBox” control. Its “Text” property contains malicious code, which is invisible by default. It can be accessed easily by VBA code. See Figure 5, below.
Figure 5. Malicious code hidden in TextBox control
Once this sample is opened in Excel, the function “Workbook_Open” inside the stream “ThisWorkbook” will be called if the Macro security option is enabled. The VBA code is designed to extract the malicious code from stream “_VBA_PROJECT_CUR/UserForm1/o” into a file called “gtls.vbs” and then execute it.
When going through all the code you can easily understand its purpose. When it is executed it downloads a file from “hxxp://****anox.comxa.com/dix/disk” into “%appdata%\disk.exe”. The file “disk.exe” is executed by calling “oShell.Run”. See Figure 6, below.
Figure 6. The properties of the downloaded file
After a quick analysis we can see that this is a new variant of Strictor, which is ransomware. Fortinet has been identified it as virus “W32/Delf.EFUQ!tr”.
Based on our observation, we are seeing an increase in the number and kinds of malware being spread by Microsoft Office files, like what we have shown in the above Excel samples. To protect against them, users should be very careful when opening files with Microsoft Office attachments from untrusted sources.