Application Vnd Ms Excel Sheet Binary Macroenabled 12
Welcome! Today I want to write about a malware analysis I did recently. On Brad Duncan’s website (https://www.malware-traffic-analysis.net/2022/01/04/index.html) I saw a post about Remcos RAT (Remote Access Trojan) infections delivered through a macro-enabled Excel document. Remcos was originally intended to serve as a legitimate remote control/management tool for IT personnel, but it has been widely misused by threat actors because it comes prepackaged and ready to deploy.
To get started, we have an .eml file (an email) that we need to examine. This file gives us a lot of data to analyze, including the attached content, the email headers, and more. We can see that there is an attached file named “Payment Transfer Advice 000000202213.xlsb”. The Content-Type field (application/vnd.ms-excel.sheet.binary.macroEnabled.12) indicates that the attachment is a macro-enabled Microsoft Excel binary workbook, and the Content-Transfer-Encoding field indicates that the data is Base64 encoded.
We can then copy this Base64-encoded data into CyberChef and decode it. At the start of the decoded output we see the file header “PK”, the magic bytes of a ZIP archive. Modern Microsoft Office files such as Word documents, PowerPoint presentations, and Excel spreadsheets are in fact multiple files packed into a ZIP archive. This, together with the [Content_Types].xml entry, confirms that this is indeed an Excel spreadsheet, as the email headers claimed.
We can also download a copy of the Excel spreadsheet from CyberChef by clicking the diskette icon at the top right of the output pane. Next, compute the hash of the spreadsheet and submit it to VirusTotal.
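The steps above (pull the attachment out of the .eml, undo the Base64 transfer encoding, check the “PK” magic and the [Content_Types].xml part, hash the result) can be scripted so they are repeatable. The following is an added example written for this post, not code from the original analysis; the message and the “attachment” are constructed placeholders (a minimal ZIP standing in for the real .xlsb, which is not reproduced here), and only the Python standard library is used.

```python
import base64
import email
import hashlib
import io
import zipfile
from email import policy

# Constructed stand-in for the attachment: a minimal ZIP archive carrying the
# [Content_Types].xml part that every Office Open XML package has.
# It is NOT the sample from the post, just enough structure to exercise the checks.
def build_fake_xlsb() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00")
    return buf.getvalue()

FAKE_XLSB = build_fake_xlsb()

# Constructed sample message; addresses and subject are placeholders.
SAMPLE_EML = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Payment Transfer Advice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="B"\r\n'
    "\r\n"
    "--B\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See attached.\r\n"
    "--B\r\n"
    "Content-Type: application/vnd.ms-excel.sheet.binary.macroEnabled.12; "
    'name="Payment Transfer Advice 000000202213.xlsb"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="Payment Transfer Advice 000000202213.xlsb"\r\n'
    "\r\n"
    + base64.encodebytes(FAKE_XLSB).decode("ascii")
    + "--B--\r\n"
)

# MIME types Office uses for macro-enabled Excel workbooks, lower-cased because
# the email package normalises content types to lower case.
MACRO_EXCEL_TYPES = {
    "application/vnd.ms-excel.sheet.binary.macroenabled.12",  # .xlsb
    "application/vnd.ms-excel.sheet.macroenabled.12",         # .xlsm
    "application/vnd.ms-excel.template.macroenabled.12",      # .xltm
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_attachments(raw_eml: str) -> list[dict]:
    """Decode every attachment and record the indicators an analyst checks first."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # reverses the base64 transfer encoding
        ctype = part.get_content_type()
        info = {
            "filename": part.get_filename(),
            "content_type": ctype,
            "macro_enabled_excel": ctype in MACRO_EXCEL_TYPES,
            "zip_magic": data[:2] == b"PK",  # "PK" = ZIP local file header signature
            "office_package": False,
            "sha256": sha256_hex(data),  # value to look up on VirusTotal
        }
        if info["zip_magic"] and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["office_package"] = "[Content_Types].xml" in zf.namelist()
        findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in extract_attachments(SAMPLE_EML):
        print(finding)
```

The hash is computed on the decoded bytes, not on the Base64 text, which is the value VirusTotal and other sources index; the MIME-type check is deliberately separate from the ZIP check, because a mislabelled Content-Type is itself worth noting.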
This is clearly a malicious file: it has been flagged by 30 vendors on VirusTotal. At this point we need to see what we can learn about the macros embedded in the spreadsheet, because the macros are the component that carries the malicious functionality. Using oletools, we can easily get an idea of how this macro performs its malicious function.
The olevba tool gives us some good information, showing that the macro uses an AutoExec trigger to run automatically when the Excel spreadsheet is opened. It also tells us that the threat actor tried to obfuscate the macro code.
We can send this Excel spreadsheet to a test environment like Hatching Triage (https://tria.ge/) to learn more about its behavior.
The Triage results show that the Excel process spawns a powershell.exe process as well as a ping.exe process, neither of which should be created by Excel. The threat actor uses a PowerShell script to ping google.com to check whether the victim’s computer is connected to the Internet. If the victim has a connection, the script downloads and executes the first stage, a file called “misc.vbs”. Note that the command to download the misc.vbs file is lightly obfuscated: the text is stored reversed and flipped back when the script runs. This is an attempt to evade static detection by automated tools, but it fails as soon as a good analyst looks at it.
As we can see in the image above, the victim then downloads the misc.vbs file from the onedrive.live.com URL we saw in the PowerShell script. If we look at the misc.vbs file, we can see that it is heavily obfuscated, but there is still some information we can extract from it. At the bottom of the file is an Execute call with a hex-encoded argument, and this call decodes the argument into the address of the second-stage payload.
This first stage loads the second stage and establishes persistence by writing it to the Windows registry before running it.
At this point the victim machine reaches out and downloads the second-stage payload. Note that the downloaded content is identified as JScript code. This JScript then executes PowerShell with the supplied hex-encoded arguments.
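The chain above hides its strings in two cheap ways: the download command stores its URL reversed and flips it at run time, and the misc.vbs stage and the JScript stage pass hex-encoded arguments to Execute and to PowerShell. Both layers peel off mechanically, and a small helper lets a detection pipeline or an analyst surface the decoded content from a process command line or a script body. The following is an added example written for this post (not the analysis tooling or the sample’s code); the command lines, URL and host are constructed placeholders modelled on the behaviour described above, and the indicator list is an illustrative choice.

```python
import re
import string

# Tokens whose appearance in a decoded layer makes it worth an analyst's attention.
INDICATORS = (
    "http://", "https://", ".vbs", ".ps1", "wscript", "cscript",
    "powershell", "downloadfile", "downloadstring", "invoke-expression",
)
# Single- or double-quoted literals, and runs of at least 8 hex byte pairs.
STRING_LITERAL = re.compile(r"""(['"])(.*?)\1""")
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){8,}(?![0-9A-Fa-f])")


def has_indicator(text: str) -> bool:
    low = text.lower()
    return any(tok in low for tok in INDICATORS)


def printable_ratio(text: str) -> float:
    if not text:
        return 0.0
    return sum(ch in string.printable for ch in text) / len(text)


def unwrap_layers(text: str, max_depth: int = 4) -> list[tuple[str, str]]:
    """Peel reversed-string and hex-encoded layers; returns (kind, decoded) pairs.

    Decoded layers are fed back in, so a hex blob that contains a reversed
    literal (or the other way round) is unwrapped as well, up to max_depth.
    """
    found = []
    seen = set()
    queue = [(text, 0)]
    while queue:
        current, depth = queue.pop()
        if depth >= max_depth or current in seen:
            continue
        seen.add(current)
        for m in STRING_LITERAL.finditer(current):
            literal = m.group(2)
            reversed_literal = literal[::-1]
            # Only the reversed form carries indicators: the script flips it at run time.
            if has_indicator(reversed_literal) and not has_indicator(literal):
                found.append(("reversed", reversed_literal))
                queue.append((reversed_literal, depth + 1))
        for m in HEX_RUN.finditer(current):
            try:
                decoded = bytes.fromhex(m.group(0)).decode("utf-8")
            except ValueError:  # odd input or not valid UTF-8: not a text payload
                continue
            if printable_ratio(decoded) >= 0.9:
                found.append(("hex", decoded))
                queue.append((decoded, depth + 1))
    return found


# Constructed samples modelled on the chain described in the post; the URL, host
# and commands are placeholders, not the real ones from the sample.
REVERSED_URL = "http://onedrive.live.invalid/u/s/misc.vbs"[::-1]
SAMPLE_POWERSHELL = (
    "powershell.exe -w hidden -c ping google.com; "
    f"$s='{REVERSED_URL}'; $u=-join $s[-1..-($s.Length)]"
)
HEX_COMMAND = "powershell.exe -w hidden -c ping google.com".encode().hex()
SAMPLE_JSCRIPT = f'var cmd = "{HEX_COMMAND}"; // decoded and launched at run time'

if __name__ == "__main__":
    for sample in (SAMPLE_POWERSHELL, SAMPLE_JSCRIPT):
        print(unwrap_layers(sample))
```

Requiring that the indicator appear only after reversal keeps ordinary literals that happen to contain a URL from being reported as “reversed”, and the printable-ratio gate on hex output drops binary blobs that merely look like hex; both thresholds are tuning knobs rather than fixed rules.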
After the final Remcos RAT payload is installed, a clear pattern of C2 traffic is seen between the victim’s computer and the IP address 22.214.171.124 (domain “shiestynrd.dvrlists.com”).
Thanks for taking the time to read my blog post! I hope you enjoyed it and got something out of it. If so, please follow me and share this post. Also, special thanks to researcher Dmitriy Melikov for his excellent article with a very similar analysis. Come back soon!
In the second installment of our Uncompromising series, a member of the Red Canary incident response team analyzes a malicious Excel macro involving a red team client.
A penetration-testing client recently contacted us about a suspicious email received by one of their employees. The attachment was a Microsoft Excel workbook (.xlsm) containing a Visual Basic for Applications (VBA) macro. I know… and we were embarrassed.
As with any phishing campaign involving Microsoft Office files, the user had to be tricked into opening the file. How did the sender engage the user, you ask? They used classic phishing bait in the subject line: “Annual Employee Evaluation Report.” I mean, how could you not open it and see how you did last year?! We were curious too, so we opened the workbook to see how the evaluation went.
The content of the spreadsheet was immediately disappointing. There was no information about results, a new salary, or bonuses (I wanted to buy a boat!), nothing at all.
To enable macros, or not to enable macros? That was the question… I really wanted that boat. What’s the worst that could happen? Surely this macro in this workbook isn’t going to collect local system data or Active Directory data and send it back to the red team… right?
Interestingly, one cell now displayed an error message: “Error 8415E1337: Data access timed out” (yes, “happened” is misspelled). The only way to find out what was going on was to look at the macro itself.
There are several ways to extract a macro, but my favorite method uses oletools. olevba parses OLE and OpenXML files and outputs the VBA macro code as clear text, which was especially useful in this case. Fun fact: modern Microsoft Office documents are just bundles of XML files.
The macro is set to execute after the file is opened (or after macros are enabled). If an error occurs, execution passes to the called function.
Six variables are set to values returned by the Environ function, a VBA function that returns the string associated with a particular operating system environment variable. These values are then written to a sheet called “HostInfo”, specifically into cells starting at row 2, column 2.
Unsurprisingly, none of this macro code has anything to do with annual employee reviews. Up to this point, when we first opened the workbook, we only saw a sheet called “Evaluation”, so where is this HostInfo sheet? There was no sign of it in the sheet tabs, and this is where the fun starts. Maybe we shouldn’t have run that macro!
Were we sure there were no other sheets? We weren’t, and when we looked, there were actually 10 extra sheets hidden from view. Unsurprisingly, none of them had anything to do with employee evaluations:
Based on the sheet names, local system and Active Directory information should be stored here. Of course, we then had to understand what exactly was
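Two things worth checking mechanically here are the HostInfo sheet the macro writes into (row 2, column 2 onward) and the sheets that do not show up in the tab bar. Because an .xlsm is a ZIP of XML parts, both can be read without Excel and without running any macro: xl/workbook.xml lists every sheet with its visibility state (visible, hidden, or veryHidden, the last of which cannot be unhidden from the Excel UI), xl/_rels/workbook.xml.rels maps each sheet to its worksheet part, and the part holds the cell values. The following is an added example written for this post, not Red Canary’s tooling or the workbook from the engagement; the sample workbook is constructed in memory with one visible sheet and one veryHidden HostInfo sheet carrying placeholder values, and only the Python standard library is used.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_xlsm() -> bytes:
    """Constructed workbook: one visible sheet, one veryHidden sheet (not the real file)."""
    workbook = f"""<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>
  <sheet name="Evaluation" sheetId="1" r:id="rId1"/>
  <sheet name="HostInfo" sheetId="2" state="veryHidden" r:id="rId2"/>
</sheets></workbook>"""
    rels = f"""<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>
</Relationships>"""
    shared = f'<sst xmlns="{NS_MAIN}"><si><t>Annual Employee Evaluation Report</t></si></sst>'
    sheet1 = f"""<worksheet xmlns="{NS_MAIN}"><sheetData>
  <row r="1"><c r="A1" t="s"><v>0</v></c></row>
</sheetData></worksheet>"""
    # Placeholder host data in the layout the macro uses: names in column B, values in C.
    sheet2 = f"""<worksheet xmlns="{NS_MAIN}"><sheetData>
  <row r="2"><c r="B2" t="inlineStr"><is><t>USERNAME</t></is></c>
             <c r="C2" t="inlineStr"><is><t>jdoe</t></is></c></row>
  <row r="3"><c r="B3" t="inlineStr"><is><t>COMPUTERNAME</t></is></c>
             <c r="C3" t="inlineStr"><is><t>WS-PLACEHOLDER</t></is></c></row>
</sheetData></worksheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


SAMPLE_XLSM = build_sample_xlsm()


def list_sheets(data: bytes) -> list[dict]:
    """Every sheet declared in workbook.xml with its visibility state and part name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
    targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
    sheets = []
    for s in wb.iter(f"{{{NS_MAIN}}}sheet"):
        target = targets.get(s.get(f"{{{NS_REL}}}id"), "")
        part = target.lstrip("/") if target.startswith("/") else "xl/" + target
        sheets.append({"name": s.get("name"),
                       "state": s.get("state", "visible"),  # visible | hidden | veryHidden
                       "part": part})
    return sheets


def read_cells(data: bytes, part: str) -> dict[str, str]:
    """Cell values of one worksheet part (shared strings, inline strings, plain values)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read(part))
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            sst = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS_MAIN}}}t"))
                      for si in sst.iter(f"{{{NS_MAIN}}}si")]
    cells = {}
    for c in root.iter(f"{{{NS_MAIN}}}c"):
        kind = c.get("t")
        if kind == "inlineStr":
            t = c.find(f"{{{NS_MAIN}}}is/{{{NS_MAIN}}}t")
            cells[c.get("r")] = (t.text or "") if t is not None else ""
        else:
            v = c.find(f"{{{NS_MAIN}}}v")
            if v is None:
                continue
            cells[c.get("r")] = shared[int(v.text)] if kind == "s" else v.text
    return cells


def hidden_sheet_report(data: bytes) -> list[dict]:
    """Sheets the user cannot see in the tab bar, each with its cell contents dumped."""
    return [{**sheet, "cells": read_cells(data, sheet["part"])}
            for sheet in list_sheets(data) if sheet["state"] != "visible"]


if __name__ == "__main__":
    for entry in hidden_sheet_report(SAMPLE_XLSM):
        print(entry["name"], entry["state"], entry["cells"])
```

Reading the package directly is the safe way to look for a sheet like HostInfo: nothing executes, and a veryHidden state in workbook.xml is itself a useful indicator, since legitimate workbooks rarely need it.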