A multitude of adversaries beginning around February of 2020 have been abusing an old feature of Microsoft Excel as a novel malware delivery method. The Excel 4.0 macros (XLM) feature was introduced in Excel version 4.0 way back in 1992. This style of macro predates the also commonly abused Visual Basic for Applications (VBA) macros. Some of the early adopters of this variation of the technique were found to deliver Zloader and Dridex. As time went on, many different adversaries adopted this technique. Quite a bit of research has been done to extract and analyze the contents of the macros to find payloads and callback URLs. By building off the previous research, what is presented here is a deep dive into how to detect the presence of these macros in an Excel compound file in the first place. There are three basic categories of indicators which can be identified: i) the beginning of file (BOF) record, ii) the boundsheet record, and iii) a property record found in the document summary information stream. While conducting this research, it was apparent how hard it can be to differentiate various flavors of Microsoft compound files from one another. Therefore, as a bonus, a method for identifying Excel files from among the other multitude of compound files is also detailed.

The examination of the BOF record requires some attention to history. The specification that this record is a part of is called the Binary Interchange File Format or BIFF. When looking back at the earlier file formats for Excel documents, one realizes that the first bytes of the BOF record used to be the "magic number" for these earlier Excel file versions. This can be seen in the progression of the first eight bytes of the reference Excel documents from Open Office's test document set.

Figure 4: BIFF Version 5 and Above Compound File Magic Number

This progression is shown in Figures 1 through 4, with Figure 4 showing the current magic number for Microsoft compound files: D0CF11E0 A1B11AE1, all shown in the Hex Fiend hex editor. These early Excel magic numbers vary somewhat based on certain features of the file or version of Excel. The newer compound file basically became a wrapper for the older spreadsheet encoding format. In addition to the specification document provided by Microsoft, another great reference is the Library of Congress's file format description of BIFF.

To get a closer look at exactly what the components of a BOF record are and what they mean, without having to carefully read the specification, one needs to use a tool that has the capability to parse and display the data. Each of the various tools that fill this role has pluses and minuses. OffVis is a combination hex editor and compound file parser. It is an older Microsoft product which is still available for download. A newer version of OffVis is also available on Github, but because it is distributed in binary form and not directly from Microsoft, appropriate caution should be exercised. The global BOF record as parsed by OffVis is highlighted in Figure 5.

As seen above, the BOF record starts with the bytes 0908. The next tool which one can use to parse and view a BOF record is BiffView++. An example of a global BOF record from a BIFF version 8 file is shown in Figure 6.

Figure 6: Global BOF Record in BiffView++

Lastly, oledump can be used along with the plugin for BIFF parsing to output the bytes for each BOF record in an Excel document. The output from this command line tool is shown in Figure 7.

For the purposes of detecting Excel 4.0 macros, the global BOF record as seen above is not the one that is interesting. The BOF for the particular substream containing the macros, however, is the one to find and parse. The following description of the BOF record is condensed from the specification on pages 43 and 44 of the BIFF specification documentation.

All versions of BIFF: 5, 7, and 8 begin with the same bytes 0908, which are best seen in the screenshot from OffVis above. The next two bytes of the BOF record are the length in bytes of the record.
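As an added example (not code from the original post or from any of the tools it names), the following walks a BIFF record stream the way the text describes, reading each record's two-byte type and two-byte length and reporting every BOF it finds. It assumes the Workbook stream bytes have already been extracted from the compound file (as oledump would provide them); the BOF fields after the length (vers, dt) and the dt codes are taken from the MS-XLS specification rather than from the page, and the sample stream is constructed, not a real malware sample.

```python
import struct

# Compound file header signature: the magic number from Figure 4.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

BOF_TYPE = 0x0809  # stored little-endian in the stream, hence the bytes 09 08
# BOF.dt substream types per the MS-XLS specification (not listed on the page itself).
DT_NAMES = {0x0005: "workbook globals", 0x0006: "VB module", 0x0010: "worksheet/dialog",
            0x0020: "chart", 0x0040: "macro sheet", 0x0100: "workspace"}
DT_MACRO_SHEET = 0x0040


def is_compound_file(data: bytes) -> bool:
    """True if the first eight bytes are the CFB signature D0CF11E0 A1B11AE1."""
    return data[:8] == CFB_MAGIC


def iter_records(stream: bytes):
    """Yield (type, payload) for each BIFF record: 2-byte type, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:  # truncated record: stop rather than misparse
            return
        yield rtype, payload
        pos += 4 + rlen


def parse_bofs(stream: bytes):
    """Describe every BOF record (BIFF5/7 length 8 or BIFF8 length 16) in the stream."""
    bofs = []
    for rtype, payload in iter_records(stream):
        if rtype != BOF_TYPE or len(payload) < 4:
            continue
        vers, dt = struct.unpack_from("<HH", payload, 0)
        bofs.append({"vers": vers, "dt": dt, "kind": DT_NAMES.get(dt, "unknown"),
                     "length": len(payload)})
    return bofs


def has_macro_sheet(stream: bytes) -> bool:
    """The BOF indicator: some substream's BOF declares an Excel 4.0 macro sheet."""
    return any(b["dt"] == DT_MACRO_SHEET for b in parse_bofs(stream))


def _bof(dt: int) -> bytes:
    """Build a constructed BIFF8 BOF: type, len=16, vers=0x0600, dt, rupBuild, rupYear, bfh, sfo."""
    return struct.pack("<HHHHHH", BOF_TYPE, 16, 0x0600, dt, 0x1CFD, 0x07CD) + bytes(8)


# Constructed Workbook stream: globals BOF, an EOF record (type 0x000A), then a macro-sheet BOF.
SAMPLE_STREAM = _bof(0x0005) + struct.pack("<HH", 0x000A, 0) + _bof(DT_MACRO_SHEET)

if __name__ == "__main__":
    for b in parse_bofs(SAMPLE_STREAM):
        print(f"BOF vers=0x{b['vers']:04X} dt=0x{b['dt']:04X} ({b['kind']})")
    print("macro sheet present:", has_macro_sheet(SAMPLE_STREAM))
```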