A few days ago @kernelv0id asked about an undocumented Excel file format that one of the payloads he was analysing used: a malicious .xlsb file dropped a file that was saved with a FileFormat value of 3. For those who don’t know, Excel’s ‘SaveAs’ method takes a number of arguments, including the file name and the FileFormat (an XlFileFormat constant) the workbook should be saved as. According to this page, value ‘3’ is undocumented.
This triggered my interest, so I quickly tested what such a saved file looks like. To my surprise, it was just a TAB-separated text file!
This gave me an excuse to write a simple test macro that calls ‘SaveAs’ with every file format value from 0 to 62:
```vba
Sub TestSaveAsFormats()
    On Error Resume Next   ' unsupported format values raise an error; skip them
    For i = 0 To 62
        If i < 10 Then f = "out\0" & i Else f = "out\" & i
        ActiveWorkbook.SaveAs Filename:=f, FileFormat:=i
    Next i
End Sub
```
and then cross-reference the results with the documented file formats. That led me to this final table, sorted by file format constant.
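The finding above is that the file written with FileFormat 3 was a tab-separated text file. The helper below is an added example, not code from the original post: it triages such a dropped file by decoding it (Excel writes UTF-16LE with a BOM for xlUnicodeText, 8-bit text otherwise) and reporting whether the rows are consistently tab-separated, comma-separated, plain text, or not text at all. The sample inputs are constructed and the function names are my own.

```python
import csv
import io
from typing import Optional


def decode_excel_text(data: bytes) -> Optional[str]:
    """Decode a SaveAs text export. Excel writes UTF-16LE with a BOM for
    xlUnicodeText (42); the other text formats are 8-bit. Returns None when
    the bytes do not look like text at all (NUL bytes without a UTF-16 BOM)."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16", errors="replace")
    if b"\x00" in data:
        return None
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig", errors="replace")
    return data.decode("utf-8", errors="replace")


def classify_excel_text(data: bytes) -> dict:
    """Classify a dropped export as 'tsv', 'csv', 'text', 'binary' or 'empty',
    with the row count and the column count the winning delimiter yields."""
    text = decode_excel_text(data)
    if text is None:
        return {"format": "binary", "rows": 0, "columns": 0}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return {"format": "empty", "rows": 0, "columns": 0}
    # Tab is tried first: a comma inside a tab-separated cell must not pass as CSV.
    for delimiter, name in (("\t", "tsv"), (",", "csv")):
        rows = [r for r in csv.reader(io.StringIO(text), delimiter=delimiter) if r]
        widths = {len(r) for r in rows}
        if len(widths) == 1:          # every row has the same number of cells
            width = widths.pop()
            if width > 1:             # and the delimiter actually split something
                return {"format": name, "rows": len(rows), "columns": width}
    return {"format": "text", "rows": len(lines), "columns": 1}


if __name__ == "__main__":
    # Constructed sample standing in for a file dropped with FileFormat 3.
    SAMPLE = b"Name\tHost\r\nalice\tWS01\r\nbob\tWS02\r\n"
    print(classify_excel_text(SAMPLE))
```

Run it over the dropped file's bytes; a "binary" result means the payload was not a text export at all (for example a real .xlsb), which is worth knowing before reading the FileFormat value as a hint about content.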
TSV, PDF and XPS are great to see. Why hasn’t Microsoft documented these yet?
I believe the Office suite hides a lot of secrets from us. It’s time to start digging!
I recently came across a malware sample that included the following mysterious string:
There are a few versions of this string out there (extracted from a few malware samples downloaded in 2023):
The way this string is formed made me curious: it looked as though someone was using this hash on purpose to track the use of their code. So I googled around and not only found a few more occurrences of the string, but also a YARA rule (PDF warning) that referenced it.
I had to know where it came from.
Given its length, I suspected a SHA-1 hash, but couldn’t figure out what text had been hashed to produce it. Eventually, I just asked 🙂
The answer turned out to be pretty simple:
```sh
# note: echo appends a newline, so the bytes hashed are "JSON for Modern C++\n"
echo "JSON for Modern C++" | sha1sum
```
Thanks to Niels for revealing the secret 🙂
Two lessons from this little exercise:
- If you don’t know, just ask
- When you write YARA rules, make sure you are not matching on ‘clean’ strings, i.e. strings that benign software built with the same library also carries