
Internationalized Programming Languages



Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian-language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine it with olevba. Yep, we can see that the function enel_Layout is triggered by an ActiveX event and that there is a hidden Excel 4.0 macro sheet. But XLMMacroDeobfuscator doesn’t produce anything and the function enel_Layout doesn’t contain any downloader or dropper functionality. I guess it’s time to manually decode this sample and see what shenanigans we can find.



Figure 2 – olevba

We can see from the olevba dump that all cells containing constants (xlCellTypeConstants) are aggregated together and decoded. Reviewing the dumped VBA code indicates that the decoder simply grabs every third character and adds or subtracts one, depending on whether the character offset is an even or odd number. We can also see that the decoded code is split on { and each code chunk is executed by calling Revisio to set a specific cell’s Formula to the code chunk and calling gross to run that cell. Also, when the decoded data is fed to Revisio, any com
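For analysts who want to reproduce the manual decode described above, here is an added example (not code from the original post or from the sample). The starting offset and which parity adds versus subtracts are not stated on the page, so the script tries every combination and keeps the one whose chunks look like Excel formulas; the function names, the scoring heuristic and the sample string are assumptions constructed for illustration.

```python
"""Added example: brute-force the variants of an 'every 3rd character, +/-1' decoder."""
from itertools import product

STEP = 3  # the page states that every third character is kept

# Constructed sample (not taken from the analysed workbook): two benign
# formulas hidden behind two filler characters per payload character.
SAMPLE = "<xqOxqNxqXxq'xq*xqzxq>xqGxqBxqKxqUxq'xq*"


def decode(blob, start, even_delta):
    """Keep every STEP-th character from `start`; shift it by even_delta at
    even offsets and by -even_delta at odd offsets."""
    out = []
    for i in range(start, len(blob), STEP):
        delta = even_delta if i % 2 == 0 else -even_delta
        out.append(chr(ord(blob[i]) + delta))
    return "".join(out)


def score(text):
    """Heuristic (assumption): each chunk is assigned to a cell's Formula,
    so a correct decode yields chunks that begin with '='."""
    chunks = [c for c in text.split("{") if c]
    if not chunks:
        return 0.0
    return sum(c.startswith("=") for c in chunks) / len(chunks)


def recover(blob):
    """Try all start offsets and both parity conventions (VBA's Mid is
    1-based, so the sign may be flipped); return the best-scoring result
    as (score, start, even_delta, chunks)."""
    best = None
    for start, even_delta in product(range(STEP), (1, -1)):
        text = decode(blob, start, even_delta)
        s = score(text)
        if best is None or s > best[0]:
            best = (s, start, even_delta, text.split("{"))
    return best


if __name__ == "__main__":
    s, start, even_delta, chunks = recover(SAMPLE)
    print(f"start={start} even_delta={even_delta:+d} score={s:.2f}")
    for n, chunk in enumerate(chunks, 1):
        print(f"chunk {n}: {chunk}")
```

To use it on a real sample, replace SAMPLE with the concatenated constant cell values from the olevba dump and review the recovered chunks statically rather than executing them.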
