Thursday, 9 April 2020

XLM Hidden Macrosheets used for Evasion

Recently we have observed an increase in attackers' use of XLM-based macro files that rely on Excel 4.0 macros and hidden macrosheets. I think threat actors will start leveraging this format even more in the near future. The advantage of this format for attacks is that it does not use standard VBA macros, and most of the open source OLE/VBA tools lack the capability to extract the macros from it.

On April 9th 2020, I started observing a lot of XLS samples in the wild which used XLM Excel 4.0 hidden macrosheets for performing malicious activities.

This blog is a quick writeup to capture more information about this ongoing campaign.

All the files followed the naming convention: <Person's Name Resume>.xls


Filename: James Johnson Resume.xls
MD5 hash: 18ddf82706bcc79d12d0033df6991271

Filename: William Smith Resume.xls
MD5 hash: 971dcb961e8a894ed395a007965c7408

Filename: Maria Hernandez Resume.xls
MD5 hash: f5cf86e2acd65772a078c73fbbb70429

Interestingly all these samples have a detection of 0 on VT at the time of writing this blog as shown below.

Now, let us look at the macro code.

For the purpose of analysis, we will check the XLS file with MD5 hash: f5cf86e2acd65772a078c73fbbb70429

The contents of the file look like shown below.

It uses social engineering to ask the user to enable macros so that the content of the file can be viewed. Unlike regular macro-based XLS files used in spam campaigns, this one does not have a VBA macro that can be extracted easily.

It uses hidden macrosheets which have to be unhidden manually as shown below.

The macro code itself can be accessed by opening these hidden macrosheets. This is an Excel 4.0 macro, and the code can be seen spread across different cells of the worksheet as shown below.
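Because the macro lives in a sheet rather than in a VBA project, a quick triage check is to read the BoundSheet8 records of the BIFF8 Workbook stream and flag any sheet whose type is "macrosheet" and whose state is hidden or very hidden. The script below is an added example, not code from this blog; it assumes the Workbook stream has already been pulled out of the OLE2 container (for instance with olefile, not shown here) and parses a constructed sample stream inline.

```python
import struct

# BIFF8 record ids and BoundSheet8 field values (MS-XLS)
BOF, BOUNDSHEET, EOF = 0x0809, 0x0085, 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "macrosheet", 0x02: "chart", 0x06: "vba module"}
SHEET_STATES = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}

def iter_records(stream):
    """Yield (record_id, payload) for each record in a BIFF Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, rlen = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rid, stream[pos:pos + rlen]
        pos += rlen

def parse_boundsheet(payload):
    """Decode a BoundSheet8 record: sheet BOF offset, hidden state, type, name."""
    offset, state, kind, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    if flags & 0x01:                       # fHighByte set: UTF-16LE characters
        name = raw[:cch * 2].decode("utf-16-le")
    else:                                  # compressed: one byte per character
        name = raw[:cch].decode("latin-1")
    return {"name": name, "offset": offset,
            "type": SHEET_TYPES.get(kind, hex(kind)),
            "state": SHEET_STATES.get(state & 0x03, hex(state))}

def list_sheets(stream):
    return [parse_boundsheet(p) for rid, p in iter_records(stream) if rid == BOUNDSHEET]

def find_hidden_macrosheets(stream):
    """Excel 4.0 macrosheets that are hidden or very hidden: the evasion this post describes."""
    return [s for s in list_sheets(stream)
            if s["type"] == "macrosheet" and s["state"] != "visible"]

def make_boundsheet(name, state, kind, offset=0):
    """Build a BoundSheet8 record (compressed name) for the constructed sample."""
    body = struct.pack("<IBBBB", offset, state, kind, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed sample Workbook stream: one visible worksheet plus a "very hidden" macrosheet.
SAMPLE_STREAM = (struct.pack("<HH", BOF, 16) + bytes(16)
                 + make_boundsheet("Sheet1", 0x00, 0x00)
                 + make_boundsheet("Macro1", 0x02, 0x01)
                 + struct.pack("<HH", EOF, 0))

if __name__ == "__main__":
    for s in list_sheets(SAMPLE_STREAM):
        print(f"{s['name']:<10} {s['type']:<11} {s['state']}")
    print("hidden macrosheets:", [s["name"] for s in find_hidden_macrosheets(SAMPLE_STREAM)])
```

A hit from find_hidden_macrosheets is a strong reason to unhide the sheet and read its cells, since the VBA-centric tools mentioned above will report nothing for such a file.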

Upon execution, the macro connects to the C2 server to download a DLL, which is then loaded dynamically using rundll32 to continue the malicious activity.

The network connection and response are shown below:

From a whois lookup, it can be seen that the callback domain: was registered on March 26th 2020.

I'll add more details of the campaign as they are discovered in this blog.

Indicators of Compromise

URLs hosting the Zloader DLL:


MD5 hashes of the XLM files:


