Microsoft Excel lets users hide worksheets. A worksheet's state is “visible” by default and can be changed to “hidden” or “very hidden”. Malicious MS-Excel files have been found leveraging this feature to hide a worksheet carrying a malicious Excel 4.0 macro. These old macros have been supported since way back in Excel ver. 5 (1993) and up to Excel 2016; Microsoft has been encouraging its users to use the latest version of Microsoft Visual Basic for Applications (VBA).
What sets this malware apart from other formula macro malware is that the spreadsheet is set to "Very Hidden". Such spreadsheets cannot be unhidden from Excel’s user interface; a user who wants to unhide one needs a third-party tool. Because the macro resides inside the spreadsheet, it cannot be viewed from the VB Macro window.
These files are usually propagated through spam that uses social engineering techniques, such as citing current events like the COVID-19 outbreak, to grab the recipient’s attention. The download URL structure, technique used, and macro code are similar to those of a campaign that delivered Zloader and URSNIF as payloads. These malicious Excel files are detected by Trend Micro as FORMULOAD and HIDDBOOK.
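A triage check for the "very hidden" macro sheet technique described above, as an added example (not Trend Micro's code): it lists each sheet's visibility state in an OOXML workbook (.xlsx/.xlsm) and flags Excel 4.0 macro sheets whose state is `veryHidden`. It assumes the OOXML container only; legacy binary .xls files keep the same state in a different structure and are not handled here. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, prefer defusedxml

S = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P = "http://schemas.openxmlformats.org/package/2006/relationships"
M = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

def audit_sheets(data: bytes):
    """Return (name, state, is_macro_sheet) for every sheet in the workbook."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        book = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    # Map relationship id -> (type, target) so each sheet resolves to its part.
    parts = {r.get("Id"): (r.get("Type", ""), r.get("Target", ""))
             for r in rels.iter(f"{{{P}}}Relationship")}
    rows = []
    for s in book.iter(f"{{{S}}}sheet"):
        rtype, target = parts.get(s.get(f"{{{R}}}id"), ("", ""))
        is_macro = rtype == M or "macrosheets/" in target
        # A missing state attribute means the default, "visible".
        rows.append((s.get("name"), s.get("state", "visible"), is_macro))
    return rows

def suspicious(data: bytes):
    """Names of sheets that are both Excel 4.0 macro sheets and veryHidden."""
    return [name for name, state, macro in audit_sheets(data)
            if macro and state == "veryHidden"]

def build_sample() -> bytes:
    """Constructed, harmless skeleton: one visible sheet, one veryHidden macro sheet."""
    wb = (f'<workbook xmlns="{S}" xmlns:r="{R}"><sheets>'
          '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
          '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
          '</sheets></workbook>')
    rel = (f'<Relationships xmlns="{P}">'
           f'<Relationship Id="rId1" Type="{R}/worksheet" Target="worksheets/sheet1.xml"/>'
           f'<Relationship Id="rId2" Type="{M}" Target="macrosheets/sheet1.xml"/>'
           '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", wb)
        z.writestr("xl/_rels/workbook.xml.rels", rel)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_sheets(build_sample()), suspicious(build_sample()))
```

A hit is a reason to inspect the sheet's formulas, not a verdict on its own, since legitimate workbooks can also contain hidden sheets.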
Infection Chain
Behaviors
- Use of normal Office function to deploy malicious code
- Automatic start of malicious code without user consent
Capabilities
- Download Routine
- Registry Editing
Impact
- Compromised system security - downloads and installs additional malware:
- Exfiltration Over Command and Control Channel
- Remote Command Execution
Indicators of Compromise
Please refer to this document on Excel Files with Hidden Sheets Target Users in Italy.
Solutions Available
SOLUTION MODULES | SOLUTION AVAILABLE | PATTERN BRANCH | RELEASE DATE | DETECTION/POLICY/RULES |
---|---|---|---|---|
WEB REPUTATION | Yes | In the Cloud | | |
EMAIL PROTECTION | Yes | AS Pattern 5446 | May 27, 2020 | |
FILE DETECTION (VSAPI/SMART SCAN) | Yes | ENT OPR 15.863.00 | May 11, 2020 | Trojan.XF.FORMULOAD.A, Trojan.X97M.FORMULOAD.LJ, Trojan.X97M.FORMULOAD.AO, Trojan.XF.HIDDBOOK.A |
ADVANCED THREAT SCAN ENGINE (ATSE) | Yes | 15.863.00 | May 11, 2020 | |
Defense against Spam
Spam email is one of the vehicles cybercriminals use to spread malicious files. Users can defend against these types of threats with the following best practices:
- Be wary of downloading attachments or clicking links in emails coming from unfamiliar sources. Hover the pointer over a link to check the link’s URL.
- Check the email address of the sender. If it is unfamiliar or is not linked to a reputed organization, it is best not to perform any action related to the email.
- Watch out for grammatical errors and misspellings in the email body. Emails from legitimate companies are usually well-constructed.
- Keep email addresses and other personal information private. This lessens the chances of receiving spam emails.
Security solutions can also help safeguard against spam and other email-based threats:
- Trend Micro Email Security
- Trend Micro Deep Discovery Email Inspector
Threat Reference Information
- Security News: Analysis: Suspicious “Very Hidden” Formula on Excel 4.0 Macro Sheet
- Security News: Excel Files with Hidden Sheets Target Users in Italy
- Threat Encyclopedia: Trojan.X97M.FORMULOAD.AO
- Threat Encyclopedia: Trojan.XF.FORMULOAD.A
- Threat Encyclopedia: Trojan.XF.HIDDBOOK.A
- Threat Encyclopedia: TrojanSpy.Win32.URSNIF.TIABOEFB
- Threat Encyclopedia: TrojanSpy.Win32.URSNIF.TIABOEEX
- Threat Encyclopedia: Trojan.XF.URSNIF.SM