Unlocking Excel 4.0 Macro Malware
- Published 5 Feb 2025
- Here I show you some super quick and easy techniques to analyse malicious Excel files laden with Excel 4.0 macros. These are sneaky customers, often difficult to analyse and built with sandbox evasion in mind.
I show you the simple techniques I use when approaching this kind of sample in order to extract the key Indicators of Compromise, and hopefully you'll now feel confident examining these files in your own environment.
LINKS
=====
d13ot9o61jdzpp...
THANKS
=======
If you liked the video, please give it a THUMBS UP. If you loved it, please SUBSCRIBE.
FOLLOW
=======
Also, feel free to follow me on /cybercdh.
SAMPLE
=======
Unfortunately, in this case I'm unable to share the sample I demonstrated; however, head over to the following URL, where you can get yourself many, many others with similar properties:
labs.inquest.n...
This level of knowledge will never not be impressive! Thanks for your uploads
That's a very kind comment, appreciate you taking the time to make it.
Interesting as always Colin, I liked that modulo wrap-around on the key.
Thanks! Yep, the modulo operator is something I always look for in an unknown function; it's super common to see it used in basic encoding/decoding routines like this.
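As an added illustration (not code from the video, whose sample cannot be shared), here is the pattern the exchange above refers to, generalised: a byte-wise decoder whose key index wraps around via modulo, which is what makes a short key cover a long blob, plus the known-plaintext trick that wrap-around enables. The operations (subtract or XOR), the key and the plaintext are constructed assumptions for the demo, not values from the sample.

```python
"""Added example: repeating-key decoding with modulo wrap-around.

In a decoding loop that indexes its key with `i % len(key)`, the key is
shorter than the data and is reused cyclically. Once you spot that in
an unknown routine you can reimplement it in a few lines and run it over
the whole blob instead of single-stepping the macro. The byte operation,
key and plaintext below are constructed for this demo.
"""


def decode_repeating_key(data: bytes, key: bytes, op: str = "sub") -> bytes:
    """Decode `data` with `key` reused cyclically.

    op="sub": plain = (cipher - key) mod 256
    op="xor": plain = cipher XOR key
    """
    if not key:
        raise ValueError("key must be non-empty")
    out = bytearray()
    for i, c in enumerate(data):
        k = key[i % len(key)]          # the wrap-around: key index cycles
        if op == "sub":
            out.append((c - k) % 256)  # second modulo keeps the byte in range
        elif op == "xor":
            out.append(c ^ k)
        else:
            raise ValueError(f"unknown op {op!r}")
    return bytes(out)


def encode_repeating_key(data: bytes, key: bytes, op: str = "sub") -> bytes:
    """Inverse of decode_repeating_key; used here only to build demo input."""
    if op == "sub":
        return bytes((c + key[i % len(key)]) % 256 for i, c in enumerate(data))
    if op == "xor":
        return decode_repeating_key(data, key, "xor")  # XOR is its own inverse
    raise ValueError(f"unknown op {op!r}")


def recover_key(cipher: bytes, known_plain: bytes, key_len: int, op: str = "sub"):
    """Known-plaintext key recovery that exploits the wrap-around.

    Every position i where the plaintext is known (a URL scheme, an MZ
    header, an '=EXEC(' prefix) yields key[i % key_len]. Returns a list of
    key_len entries (None where no position covered that slot), or None
    if two positions disagree, which means key_len or op is wrong.
    """
    key = [None] * key_len
    for i, (c, p) in enumerate(zip(cipher, known_plain)):
        k = (c - p) % 256 if op == "sub" else c ^ p
        slot = i % key_len
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            return None
    return key


# Constructed demo data (not from the sample in the video).
DEMO_KEY = b"k3y"
DEMO_PLAIN = b"https://example.invalid/x.dll"
DEMO_CIPHER = encode_repeating_key(DEMO_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    print(decode_repeating_key(DEMO_CIPHER, DEMO_KEY))
    # Guess only that the payload starts with "htt"; that already pins all 3 key bytes.
    print(recover_key(DEMO_CIPHER, b"htt", 3))
```

The practical value of `recover_key` is that you rarely need to read the key out of the macro at all: if the decoded output should start with `http` or `MZ`, a handful of known bytes fixes every key slot once the key length is known, and a wrong key-length guess shows up as an inconsistency rather than garbage you have to eyeball.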
A superb demo yet again Colin. With ultra-low detection of these files on VirusTotal and the samples still defeating many sandboxes, these techniques are pure gold!
Thank you; appreciate the support and glad you found the content helpful
God-tier skills as always, mate, and the speed that you do it at is crazy (even when slowing down to explain!). Always learning from your videos 👌
Thanks for your continued support Ste. Always means a lot.
Great video Colin. First time to watch your videos and really impressed! Lots to learn from you I believe
Thanks, glad you enjoyed
Cool, Colin, I had to scratch my head a couple of times. Then I slowed your video down so I could digest it a little better. I caught some stuff, but the majority is Greek to me. Glad you're there stopping the bad guy. *Cheers*
Thanks man; thanks as ever for taking the time to watch
Great explanation mate! Keep up the videos! Nice one
Thank you for the continued support. It means a lot.
Interesting sandbox checks. Good job man.
Thanks
Thanks =) I always try to make the reversed code do my job, because it will do it as the author expected =) Some other attacks of this kind were discovered by 360 Threat Intelligence Center. Good luck!
Wow. This is really impressive.
In the zip structure, i.e. in [content.xml], there are keywords "macro"; easy to detect.
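An added example (not code from the video or from the commenter above): how to check an OOXML workbook's zip structure for Excel 4.0 macro parts along the lines that comment suggests, using only Python's standard library. The part names and content type used are those of the OOXML SpreadsheetML package format (macro sheets under `xl/macrosheets/`, declared in `[Content_Types].xml`); the workbook bytes the example builds are constructed for the demo, not taken from a real sample.

```python
"""Added example: first-pass triage of an OOXML workbook for XLM macros.

An .xlsm is a zip. Excel 4.0 (XLM) macro sheets are separate parts under
xl/macrosheets/ and are declared in [Content_Types].xml with the content
type application/vnd.ms-excel.macrosheet+xml; VBA lives in
xl/vbaProject.bin; sheets the author wants you not to see carry
state="hidden" or state="veryHidden" in xl/workbook.xml. Legacy .xls is
OLE2/BIFF, not zip, so this check reports it as not-ooxml rather than
clean. build_demo_workbook() constructs the test input used here.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

XLM_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"
HIDDEN_STATES = {"hidden", "veryHidden"}


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def find_macro_parts(blob: bytes) -> dict:
    """Collect macro indicators from an OOXML zip; raises zipfile.BadZipFile otherwise."""
    report = {"xlm_parts": [], "xlm_content_types": [], "hidden_sheets": [], "vba": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        # 1. Physical macro-sheet parts present in the package.
        report["xlm_parts"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        # 2. Parts declared as XLM macro sheets in [Content_Types].xml.
        if "[Content_Types].xml" in names:
            for el in ET.fromstring(zf.read("[Content_Types].xml")).iter():
                if _local(el.tag) == "Override" and el.get("ContentType") == XLM_CONTENT_TYPE:
                    report["xlm_content_types"].append(el.get("PartName", "").lstrip("/"))
        # 3. Hidden / veryHidden sheets: common in maldocs, but legitimate too,
        #    so they are reported and not used to decide on their own.
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if _local(el.tag) == "sheet" and el.get("state") in HIDDEN_STATES:
                    report["hidden_sheets"].append(el.get("name"))
        # 4. VBA project, for completeness.
        report["vba"] = "xl/vbaProject.bin" in names
    return report


def triage(blob: bytes) -> str:
    """'not-ooxml' (e.g. legacy BIFF .xls), 'suspicious' or 'clean'."""
    try:
        r = find_macro_parts(blob)
    except zipfile.BadZipFile:
        return "not-ooxml"
    if r["xlm_parts"] or r["xlm_content_types"] or r["vba"]:
        return "suspicious"
    return "clean"


def build_demo_workbook(with_xlm: bool) -> bytes:
    """Constructed minimal workbook; with_xlm adds a veryHidden XLM macro sheet."""
    ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
          '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>']
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    parts = {"xl/worksheets/sheet1.xml": "<worksheet/>"}
    if with_xlm:
        ct.append(f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{XLM_CONTENT_TYPE}"/>')
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        parts["xl/macrosheets/sheet1.xml"] = "<macrosheet/>"
    ct.append("</Types>")
    wb = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
          'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
          '<sheets>' + "".join(sheets) + '</sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("xl/workbook.xml", wb)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_macro_parts(build_demo_workbook(True)))
    print(triage(build_demo_workbook(False)))
```

Checking both the declared content types and the physical parts matters: a part that is present but not declared, or declared but absent, is itself worth a second look, and grepping the raw zip for the string "macro" would miss a workbook whose parts are renamed but still declared with the XLM content type.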
your videos are awesome. Everything is so well explained.
Glad you like them!
great video colin!
Thanks!
Could you show how to analyse .NET malware?
This - would like to see an analysis of Agent Tesla.
Or, even better and out of the same stable: Formbook. How to extract the C2 config from any .NET malware, though, would be invaluable.
Amazing Colin!
So basically we should do our important work in a sandbox :)
Also, when I wrote an XLS parser for PHP, I was confused about why there are multiple 'macro' types in the format. The docs were for Excel 95 and 97-2003 and did not explicitly mention that they were Excel 4.0 macros. (For the parser I simply ignored macros, of course.)
Sounds like a cool project
But what does it do? Does it download malicious code that it runs? Does it send data to a server?
In this case yes, it aims to download a DLL and run it. In other samples things may be different; the intention here was to show how to determine what it does, not what it actually does.
Thanks.
Great video, but slow it down a bit, lad.
Ah yes, obviously
I honestly had to watch on 0.75 speed. You're talking way, way too fast.
This might actually be done intentionally
Keep in mind he does reverse engineering for a living. ***Cough cough watch time***
It’s a ploy to have people watch multiple times and increase my ad revenue. Not.