Maldoc: Excel 4.0 Macros

Published: 2019-03-16
Last Updated: 2019-03-16 22:50:07 UTC
by Didier Stevens (Version: 1)
4 comment(s)

I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, i.e. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:

  • There's a hidden Excel 4.0 macro sheet
  • There's a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
  • There's a formula with a call to the EXEC function
  • In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute a msi file
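
The first two indicators in the list above can be read directly from the workbook's BIFF8 records. The following is an added example, not code from this diary entry or from plugin_biff: it assumes the Workbook stream has already been extracted from the OLE file, narrows the check to BOUNDSHEET and Lbl records (it does not parse formulas, so EXEC calls are not covered), and runs on a constructed sample stream.

```python
import struct

BOUNDSHEET, LBL = 0x0085, 0x0018  # BIFF8 record types
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}

def records(stream):
    """Yield (type, data) per BIFF8 record: 2-byte type, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        if pos + 4 + size > len(stream):
            break  # truncated record: stop rather than read past the buffer
        yield rtype, stream[pos + 4:pos + 4 + size]
        pos += 4 + size

def short_string(data, pos, cch):
    """Decode cch characters preceded by a flags byte (bit 0 set: UTF-16LE)."""
    if data[pos] & 1:
        return data[pos + 1:pos + 1 + 2 * cch].decode("utf-16-le", "replace")
    return data[pos + 1:pos + 1 + cch].decode("latin-1")

def xlm_indicators(stream):
    """Report Excel 4.0 macro sheets and Auto_Open/Auto_Close defined names."""
    findings = []
    for rtype, data in records(stream):
        if rtype == BOUNDSHEET and len(data) >= 8:
            state, kind, cch = data[4] & 3, data[5], data[6]
            if kind == 1:  # dt == 1: Excel 4.0 macro sheet
                findings.append(("macro sheet", short_string(data, 7, cch), VISIBILITY.get(state)))
        elif rtype == LBL and len(data) >= 16:
            flags, cch = struct.unpack_from("<H", data)[0], data[3]
            if flags & 0x20 and cch == 1:  # fBuiltin: name is a one-byte index
                name = BUILTIN_NAMES.get(data[15])
                if name:
                    findings.append(("built-in name", name, None))
    return findings

def rec(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data

# Constructed sample: a visible worksheet, a hidden macro sheet, an Auto_Open name
SAMPLE = (
    rec(BOUNDSHEET, struct.pack("<IBBB", 0, 0, 0, 6) + b"\x00Sheet1")
    + rec(BOUNDSHEET, struct.pack("<IBBB", 0, 1, 1, 6) + b"\x00Macro1")
    + rec(LBL, struct.pack("<HBBHHH4x", 0x20, 0, 1, 0, 0, 2) + b"\x00\x01")
)
if __name__ == "__main__":
    print(xlm_indicators(SAMPLE))
```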


Didier Stevens
Senior handler
Microsoft MVP



Thank you Didier
Site security training is down?
You're welcome Netmanzim.

To what site are you referring?
Not able to log in, but the site is up and not down, sorry,
login scripts not working, maybe from my endpoint cookies
