Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.

It was flagged as containing VBA macros and a hidden XLM sheet, so let's examine it with olevba. Yep, we can see that the function `enel_Layout` is triggered by an ActiveX event and that there is a hidden Excel 4.0 macro sheet. But XLMMacroDeobfuscator doesn't produce anything and the function `enel_Layout` doesn't contain any downloader or dropper functionality. I guess it's time to manually decode this sample and see what shenanigans we can find.
We can see from the olevba dump that all cells containing constants (xlCellTypeConstants) are aggregated together and decoded. Reviewing the dumped VBA code indicates that the decoder simply grabs every 3rd character and adds or subtracts one, depending on whether the character offset is an even or odd number. We can also see that the decoded code is split on `{`, and each code chunk is executed by calling `Revisio` to set a specific cell's Formula to the code chunk and calling `gross` to run that cell. Also, when the decoded data is fed to `Revisio`, any `[` is replaced with a `J`. So let's dump all cells and start building a decoder. Fortunately, we already have a handy script that uses xlrd to enumerate over all active cells and dump them as a CSV. Ignoring all empty rows leaves us with a single long string of obfuscated data.

If we load this data into Python, we can easily iterate over every 3rd character and add or subtract one from each character by converting it to an integer with `ord` and back to an ASCII character with `chr`. Then we split on `{`, replace all `[` with `J`, and print each command to stdout.
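The decoder described above, written out as an added example (this is not the blog's own script, and it contains no data from the real sample). The post does not say which parity adds one and which subtracts, so the default here (even offset adds one, odd subtracts one) is an assumption exposed as a parameter; note that because the step is 3 and extraction starts at offset 0, the parity of the source offset equals the parity of the extracted index, so the two readings of "character offset" give the same result. The sample commands and the blob built from them are constructed test data, produced by a small inverse encoder so the round trip can be checked.

```python
"""Decoder for the every-3rd-character XLM obfuscation scheme described in the post.

Added example, not the original analysis script. Assumptions are marked below.
"""
from typing import List

STEP = 3  # the dropper keeps every 3rd character of the aggregated cell data


def decode_blob(blob: str, even_adds_one: bool = True) -> str:
    """Keep every STEP-th character and shift it by +1 or -1 by offset parity.

    even_adds_one is an assumption: the post says the VBA adds or subtracts one
    depending on even/odd offset but not which way round. Since STEP is odd and
    we start at 0, offset parity and extracted-index parity are identical.
    """
    out = []
    for idx, pos in enumerate(range(0, len(blob), STEP)):
        even = (pos % 2 == 0)  # same as idx % 2 == 0 when STEP is odd
        delta = 1 if (even == even_adds_one) else -1
        out.append(chr(ord(blob[pos]) + delta))
    return "".join(out)


def split_commands(decoded: str) -> List[str]:
    """Split the decoded text on '{' and apply the '[' -> 'J' fix-up that the
    sample performs before handing each chunk to Revisio; drop empty chunks."""
    commands = []
    for chunk in decoded.split("{"):
        chunk = chunk.replace("[", "J")
        if chunk.strip():
            commands.append(chunk)
    return commands


def decode_commands(blob: str, even_adds_one: bool = True) -> List[str]:
    """Full pipeline: shift, split, fix-up. Returns one formula string per cell."""
    return split_commands(decode_blob(blob, even_adds_one))


def encode_commands(commands: List[str], filler: str = "xx",
                    even_adds_one: bool = True) -> str:
    """Inverse of decode_commands, used only to construct test data.

    Joins commands with '{', maps 'J' back to '[' (mirroring the decoder's
    fix-up), applies the opposite shift, and pads each character with filler
    so that the real character sits at every 3rd position.
    """
    assert len(filler) == STEP - 1
    joined = "{".join(commands).replace("J", "[")
    parts = []
    for idx, ch in enumerate(joined):
        even = (idx % 2 == 0)
        delta = 1 if (even == even_adds_one) else -1
        parts.append(chr(ord(ch) - delta) + filler)
    return "".join(parts)


# Constructed sample: two placeholder formulas, not the real sample's Italian code.
SAMPLE_COMMANDS = ['=ALPHA(1)', '=BETA("J2")']
SAMPLE_BLOB = encode_commands(SAMPLE_COMMANDS)


if __name__ == "__main__":
    # In practice the blob would be the concatenated constant cells from the xlrd CSV dump.
    for cmd in decode_commands(SAMPLE_BLOB):
        print(cmd)
```

When run against a real dump, the only thing to change is where the blob comes from; if the output is garbage, flip `even_adds_one`, which is the one detail the dumped VBA has to settle.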

Well, that wasn't expected. A quick check with a language translation service reveals that the commands are Italian, but closely resemble what we would expect from an XLM macro. After a few minutes in a search engine, we stumble on a site that maps the Excel function names for 14 different languages to their English equivalents. A half hour later on this site, reviewing this reference for XLM macros, and random lookups on a popular language translation service produces the following translation.

Well, this was eye opening; who knew that Excel 2007 and earlier had language support for 14 languages for XLM macros / Excel functions. This introduces an interesting potential sandbox evasion tactic: tooling that only recognises the English function names, as XLMMacroDeobfuscator did here, will fail to parse localised macro code.
| IoC Type | IoC Value |
|---|---|
| SHA256 | 2f2d254fe3758b4119f09c4be7b8eba4a041cb469d4331d255ce62e074e1e324 |
| URL | hxxps://certjficazione[.]com |