Stealth via very hidden Macro Spreadsheets (FORMULOAD and HIDDBOOK)

    • Updated: 15 Oct 2020
    • Product/Version:
        • Apex One 2019
        • Deep Discovery Email Inspector All
        • Deep Security All
        • OfficeScan All
        • Trend Micro Email Security 1
    • Platform:
Summary

Microsoft Excel lets users hide worksheets. A worksheet's state is “visible” by default and can be changed to “hidden” or “very hidden”. Malicious Excel files have been found abusing this feature to hide a worksheet that carries a malicious Excel 4.0 macro. These old macros have been supported from Excel version 5 (1993) through Excel 2016, while Microsoft has been encouraging its users to use the latest version of Microsoft Visual Basic for Applications (VBA).

What sets this malware apart from other formula macro malware is that the spreadsheet is set to "Very Hidden". Such spreadsheets cannot be unhidden from Excel’s user interface; a user who wants to unhide one needs a third-party tool. Because the macro is inside the spreadsheet, it cannot be viewed from the VB Macro window.

These files are usually propagated through spam that uses social engineering techniques, such as citing current events like the COVID-19 outbreak, to grab the receiver’s attention. The download URL structure, technique used, and macro code are similar to those of a campaign that delivered Zloader and URSNIF as a payload. These malicious Excel files are detected by Trend Micro as FORMULOAD and HIDDBOOK.

Infection Chain

Behaviors

  • Use of normal Office function to deploy malicious code
  • Automatic start of malicious code without user consent

Capabilities

  • Download Routine
  • Registry Editing

Impact

  • Compromised system security - downloads and installs additional malware:
    • Exfiltration Over Command and Control Channel
    • Remote Command Execution

Indicators of Compromise

Please refer to this document on Excel Files with Hidden Sheets Target Users in Italy.


Solutions Available

| SOLUTION MODULES | SOLUTION AVAILABLE | PATTERN BRANCH | RELEASE DATE | DETECTION/POLICY/RULES |
|---|---|---|---|---|
| WEB REPUTATION | Yes | In the Cloud | | |
| EMAIL PROTECTION | Yes | AS Pattern 5446 | May 27, 2020 | |
| FILE DETECTION (VSAPI/SMART SCAN) | Yes | ENT OPR 15.863.00 | May 11, 2020 | Trojan.XF.FORMULOAD.A, Trojan.X97M.FORMULOAD.LJ, Trojan.X97M.FORMULOAD.AO, Trojan.XF.HIDDBOOK.A |
| ADVANCED THREAT SCAN ENGINE (ATSE) | Yes | 15.863.00 | May 11, 2020 | |

Defense against Spam

Spam email is one of the vehicles cybercriminals use to spread malicious files. Users can defend against these types of threats with the following best practices:

  • Be wary of downloading attachments or clicking links in emails coming from unfamiliar sources. Hover the pointer over a link to check the link’s URL.
  • Check the email address of the sender. If it is unfamiliar or is not linked to a reputed organization, it is best not to perform any action related to the email.
  • Watch out for grammatical errors and misspellings in the email body. Emails from legitimate companies are usually well-constructed.
  • Keep email addresses and other personal information private. This lessens the chances of receiving spam emails.

Security solutions can also help safeguard against spam and other email-based threats:

  • Trend Micro Email Security
  • Trend Micro Deep Discovery Email Inspector

Threat Reference Information

Category: Remove a Malware / Virus
Solution Id: 000277835