Malicious SYLK Files with MS Excel 4.0 Macros

For about a week, we have been seeing an increase in SYLK files submitted to VirusTotal.
SYLK (SYmbolic LinK) is a pure text file format, with extension .slk, used to store Excel spreadsheets. Although SYLK files can’t contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 macros. Sample e39a18b4b08059af71b2065fafd8e180 is an example of such a SYLK file.
Since this is a pure text file, you can use a text editor to analyze this malware. Here is partial content of this sample:

You can immediately notice the PowerShell command at the bottom. This command is passed as an argument to the EXEC() function. As its name suggests, the Excel macro function EXEC will execute its argument as a system command.
EXEC is called in cell R101C1. If you look 3 lines above the “PowerShell line” in the SYLK file, you will notice the string “Auto_open” with a reference to cell R101C1. This assigns the name Auto_open to cell R101C1, which in MS Excel 4.0 macros leads to execution upon opening the file (of course, after a warning is accepted):

The PowerShell command downloads and executes a second PowerShell command from the termbin[.]com paste site.

This second stage downloads a Windows executable (java.exe), which is in fact an instance of the well-known AZORult malware family.

The sample shown above is fairly simple, but some samples will be more difficult to analyse as they contain extra content to obfuscate the executed commands. We have also observed SYLK files with MS Excel 4.0 macros designed to execute shellcode.

Conclusion

If your organisation doesn’t need to share SYLK files via email, we recommend blocking them using the following approaches:

  • Block files with extension .slk, or block them by type (SYLK),
  • Block files with the ID;P magic bytes at the start of the file. Blocking only by extension is not sufficient, since SYLK files can also be delivered as .xls files. To detect these, check the start of the file: SYLK files start with ID;P.

But please test this: your appliance might detect SYLK files as simple ASCII and not block them.

If you do need to accept SYLK files, then we recommend rejecting SYLK files that contain the string Auto_Open or Auto_Close (not case sensitive).
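
The checks recommended above, written out as a Python example that is added here and is not part of the original post. The function name, the `sylk_needed` policy switch and the sample bytes are assumptions constructed for illustration; the cell expression in the sample is an inert placeholder.

```python
import os

SYLK_MAGIC = b"ID;P"                         # SYLK files start with these bytes
AUTO_NAMES = (b"auto_open", b"auto_close")   # compared case-insensitively

def verdict(filename, data, sylk_needed=False):
    """Return (action, reason) for one e-mail attachment.

    sylk_needed=False: block every SYLK file, by extension or by magic.
    sylk_needed=True:  accept SYLK, but reject Auto_Open / Auto_Close.
    """
    ext = os.path.splitext(filename)[1].lower()
    # The extension alone is not enough: a SYLK file renamed to .xls still
    # begins with ID;P, so the content check decides as well.
    looks_sylk = ext == ".slk" or data.startswith(SYLK_MAGIC)
    if not looks_sylk:
        return ("allow", "not SYLK")
    if not sylk_needed:
        return ("block", "SYLK not permitted")
    lowered = data.lower()
    hits = [name.decode() for name in AUTO_NAMES if name in lowered]
    if hits:
        return ("block", "auto-run name: " + ", ".join(hits))
    return ("allow", "SYLK without auto-run names")

# Constructed samples (not taken from the analysed malware).
BENIGN_SLK = b'ID;PWXL;N;E\r\nC;Y1;X1;K"hello"\r\nE\r\n'
AUTO_OPEN_SLK = (b"ID;P\r\nO;E\r\n"
                 b"NN;NAuto_open;ER101C1\r\n"   # names cell R101C1 Auto_open
                 b"C;X1;Y101;K0;E1+1\r\n"       # inert placeholder expression
                 b"E\r\n")
UPPER_CLOSE_SLK = b"ID;P\r\nNN;NAUTO_CLOSE;ER1C1\r\nE\r\n"
PLAIN_TEXT = b"name,amount\r\nalice,10\r\n"

if __name__ == "__main__":
    cases = [("sheet.slk", BENIGN_SLK), ("invoice.xls", AUTO_OPEN_SLK),
             ("old.slk", UPPER_CLOSE_SLK), ("report.csv", PLAIN_TEXT)]
    for name, blob in cases:
        print(name, verdict(name, blob), verdict(name, blob, sylk_needed=True))
```
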

About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.

Didier will be teaching a class on malicious documents for red teams at BruCON in October.
