Cofense Email Security

Internationalized Programming Languages

Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine it with olevba. Yep, we can see that the function enel_Layout is triggered by an ActiveX event and that there is a hidden Excel 4.0 macro sheet. But XLMMacroDeobfuscator doesn’t produce anything, and the function enel_Layout doesn’t contain any downloader or dropper functionality. I guess it’s time to manually decode this sample and see what shenanigans we can find.

Figure 2 – olevba

We can see from the olevba dump that all cells containing constants (xlCellTypeConstants) are aggregated together and decoded. Reviewing the dumped VBA code shows that the decoder simply grabs every third character and adds or subtracts one, depending on whether the character offset is even or odd. We can also see that the decoded code is split on { and that each code chunk is executed by calling Revisio to set a specific cell’s Formula to the chunk and then calling gross to run that cell. Also, when the decoded data is fed to Revisio, any com
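The decoding scheme described above is simple enough to reimplement statically, which lets an analyst recover the XLM formulas without ever running the workbook. The following Python is an added example written for this write-up, not code from the sample or from Cofense; it assumes (the post does not say) that the every-third-character selection starts at offset 0, that even offsets subtract one and odd offsets add one, and that constant cells are concatenated in row-major order. Because those details are assumptions, `candidate_decodings` also tries the other start offsets and the opposite sign convention and keeps any result that looks like a formula. The cell contents are constructed for the demo and decode to harmless `=ECHO(FALSE)` / `=HALT()` formulas.

```python
"""Static decoder for the 'every third character, +/-1 by parity' XLM obfuscation.

Added example; the start offset, sign convention and cell ordering are assumptions.
"""
from typing import Dict, List, Tuple

Cell = Tuple[int, int]  # (row, column), 1-based like Excel


def aggregate_constants(cells: Dict[Cell, object]) -> str:
    """Mimic the VBA: concatenate every constant cell, walking row by row."""
    return "".join(str(cells[key]) for key in sorted(cells))


def decode(blob: str, start: int = 0, even_delta: int = -1) -> str:
    """Take every third character from `start`, then shift it by +/-1.

    Even positions in the selected stream move by `even_delta`,
    odd positions move the opposite way (assumed convention).
    """
    out = []
    for j, ch in enumerate(blob[start::3]):
        delta = even_delta if j % 2 == 0 else -even_delta
        out.append(chr(ord(ch) + delta))
    return "".join(out)


def split_chunks(decoded: str) -> List[str]:
    """The VBA splits the decoded text on '{' and runs each piece as a formula."""
    return [chunk for chunk in decoded.split("{") if chunk]


def decode_cells(cells: Dict[Cell, object], start: int = 0, even_delta: int = -1) -> List[str]:
    """Full pipeline: aggregate -> decode -> split into executable formula chunks."""
    return split_chunks(decode(aggregate_constants(cells), start, even_delta))


def candidate_decodings(blob: str) -> List[Tuple[int, int, str]]:
    """Try all start offsets and both sign conventions; keep formula-like results.

    Useful when a new variant changes the exact parameters of the scheme.
    """
    found = []
    for start in (0, 1, 2):
        for even_delta in (-1, 1):
            text = decode(blob, start, even_delta)
            if text.startswith("="):
                found.append((start, even_delta, text))
    return found


# Constructed sample (not from the real workbook): the shifted characters of
# "=ECHO(FALSE){=HALT()" with two junk characters after each one.
ENCODED_STREAM = ">DDGP'G@MRF(|<I@MS)("
BLOB = "".join(ch + "zq" for ch in ENCODED_STREAM)
SAMPLE_CELLS: Dict[Cell, object] = {
    (1, 1): BLOB[:20],
    (2, 1): BLOB[20:40],
    (3, 1): BLOB[40:],
}

if __name__ == "__main__":
    for chunk in decode_cells(SAMPLE_CELLS):
        print("formula chunk:", chunk)
    print("candidates:", candidate_decodings(BLOB))
```

Running the script prints the two recovered formula chunks; in a real triage you would feed the attachment's constant cells (for example as dumped by olevba or oletools) into `SAMPLE_CELLS`'s place and review the chunks for download or drop behaviour before anything is executed.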
