Maldoc drops DLL and executes via ExecuteExcel4Macro

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of Powershell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why – it was using ExecuteExcel4Macro to load and execute a hidden DLL.

Looking at the Macros

Using Oledump, several macro streams where identified in this document (17 – 20, 23 – 24).

Output from Oledump

Additionally, it contains a stream OLE 1.0 embedded data (see stream 4 above). This can also been seen in the office document:

OLE embedded object

If you select this document object, it will write it to a temp location within the operating system, usually %USER%\AppData\Local\Temp\<TEMP FILENAME> – you can see the complete path location by right-clicking on the object and selecting Packager Shell Object Object -> Properties. If you inspect this file, you’ll see that it is a “COM executable for DOS” with a size of 606 KB. You might be thinking this is it – our malware, but there’s a little more to go.

Tracing The Macros

As you can see from the OLEDUMP output from above, in addition to the macro streams there are also several user forms (streams ending with an ‘f’ and ‘o’). These are often used to store additional resources needed during execution and will be significant here. The macros begin execution under the WorkBook_Activate function, which is primarily responsible for calling the Show method of one of the user forms.

Beginign of macro execution

This will, in turn, call the corresponding Activate function for that user form. This simply calls another function – NigebrednehC.

User form activation

This function is responsible for all of the significant functionality and we’ll explore some of the highlights here.

Dropping the DLL

The first thing this function does is create strings that represent several locations in the user’s TEMP folder structure.

ofbl is the location where the DLL will be dropped, in this document that was at %USER%/AppData/Roaming/Microsoft/Windows/Templates/rofce.dll. ctackPup will be used to create a copy of itself as paper.xlsx in %TEMP%. ctackPop will be.. Finally, ctackPip is the excel document written at %TEMP% with a .zip file extension.

Once the document has been copied (via function VistaQ and FileCopy), the two copies will be present in the users temp folder.

Copies of the excel document

The next step is to copy the embedded object out of the original spreadsheet. To do this, the macros make use of the structure of the excel document and copies the object directly from paper.xlsx->xl->embeddings->oleObject1.bin to the %TEMP% folder.

Programmatically copying the embedded object

I mentioned that this isn’t quite the payload. The next function to be called is Composition. This will open the file oleObject1.bin (extracted from above) and begin reading the file, it will do this until it encounters the magic bytes for a PE file – 4D and 5A (MZ). Once these bytes are encountered, it reads until the end of the file, ignoring all of the information above. There is the beginning of a PE file closer to the beginning of the stream that doesn’t inlcude the MZ bytes, I suspect this was used as obfuscation.

First evidence of a PE file at offset 0x1CB0
Real DLL located at an offset of 0x4346

Executing the DLL

Finally, the DLL is ready for execution. This is done with a call to ExecuteExcel4Macro, calling the CALL method and providing the path to the DLL for execution.

Executing the macro

This has proven to be a stealthy way of executing code on the host once macros are enabled, as there is no process activity to trace. This can be seen in the following Any.Run activity – in which there is a DNS request from the excel process to get-downloads.com, but no additional/observable process activity through the execution of a Powershell script (or similar).

Sample Information

Excel document on Any.Run
Dropped DLL on VirusTotal