Maldoc XLS Invoice with Excel 4 Macros
Last Updated: 2020-04-05 20:20:24 UTC
by Guy Bruneau (Version: 1)
This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro which has similarity to .
Using Didier's oledump.py tool, I checked the spreadsheet using plugin plugin_biff with option -x which show Excel 4 macros:
Next step will be to check for any embeded URL in this XLS document. I'm using plugin_biff's find option -f to see if any URL are embedded in this file:
Unfortunately the embedded URL http[:]]//fikima[.]com/axel[.]exe was taken down soon after receiving this email . I checked Virustotal hash database  and there are no record this file was submitted before the domain was taken down. As a final step, I scanned the file with ClamAV with negative results.
 d5bd8d4a3841d0e6d455ba244be1f4d5 760606.xls
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu
Apr 6th 2020
2 years ago