Documenting the undocumented – Excel’s SaveAs method…

A few days ago @kernelv0id asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. He saw a malicious .xlsb file dropping a file that was being saved with a file format equal to 3. For those who don’t know, the Excel API method ‘SaveAs’ takes a number of arguments, including the file name and the file format we want the file to be saved as. According to this page, number ‘3’ is undocumented.

This triggered my interest so I quickly tested what that saved file may look like. To my surprise, it was just a TAB-separated text file!

A-ha.

This gave me an excuse to write a simple test macro that tries the ‘SaveAs’ method with every file format from 0 to 62:

Sub x()
    ' Some values are rejected by Excel; skip them instead of aborting the loop
    On Error Resume Next
    For i = 0 To 62
        ' Zero-pad single digits so the output directory sorts by file format constant
        ' (the relative "out" folder must already exist under the current directory)
        If i < 10 Then f = "out\0" & i Else f = "out\" & i
        ActiveWorkbook.SaveAs Filename:=f, FileFormat:=i
    Next i
End Sub

and cross-referencing the results with the documented file formats, leading me to this final table, sorted by a file format constant.

TSV, PDF and XPS are great to see… Why isn’t Microsoft documenting these yet?

I believe the Office suite hides a lot of secrets from us. It’s time to start digging!
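From the analyst’s side, the same observation is useful in reverse: when triaging extracted VBA, a SaveAs call whose FileFormat is a number the documentation does not list (such as the 3 that started this) deserves a closer look. The script below is an added example written for this post, not code from the original article or from Microsoft. It scans VBA source for SaveAs calls, pulls out the FileFormat argument whether it is passed by name or positionally, resolves numeric literals and xl* constant names, and reports each value as documented, undocumented (currently only 3, the TAB-separated text format observed above), dynamic (a variable) or unknown. The XlFileFormat table inside it is an assumed subset of the documented constants, and the VBA sample is constructed for illustration.

```python
"""Triage helper: classify the FileFormat used by SaveAs calls in VBA source.

Added example, not code from the original post. The XlFileFormat table is a
subset of Microsoft's documented enum (assumption: incomplete on purpose); the
entry for 3 comes from the post's own brute-force result.
"""
import re

# Subset of documented XlFileFormat constants (name -> value).
XL_FILE_FORMAT = {
    "xlSYLK": 2, "xlWKS": 4, "xlWK1": 5, "xlCSV": 6, "xlDBF2": 7, "xlDBF3": 8,
    "xlDIF": 9, "xlDBF4": 11, "xlTemplate": 17, "xlAddIn": 18, "xlTextMac": 19,
    "xlTextWindows": 20, "xlTextMSDOS": 21, "xlCSVMac": 22, "xlCSVWindows": 23,
    "xlCSVMSDOS": 24, "xlTextPrinter": 36, "xlUnicodeText": 42, "xlHtml": 44,
    "xlWebArchive": 45, "xlXMLSpreadsheet": 46, "xlExcel12": 50,
    "xlOpenXMLWorkbook": 51, "xlOpenXMLWorkbookMacroEnabled": 52,
    "xlOpenXMLTemplateMacroEnabled": 53, "xlOpenXMLTemplate": 54,
    "xlOpenXMLAddIn": 55, "xlExcel8": 56, "xlOpenDocumentSpreadsheet": 60,
    "xlOpenXMLStrictWorkbook": 61, "xlCSVUTF8": 62,
}
VALUE_TO_NAME = {v: k for k, v in XL_FILE_FORMAT.items()}

# Formats found by brute force in the post that the official table omits.
OBSERVED_UNDOCUMENTED = {3: "TAB-separated text (per the post)"}

SAVEAS_RE = re.compile(r"\.SaveAs\b(.*)$", re.IGNORECASE)


def _strip_comment(line):
    """Drop a trailing VBA comment (') unless the apostrophe is inside a string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def _split_args(arg_text):
    """Split a VBA argument list on commas, respecting double-quoted strings.
    Empty positions are kept so positional arguments keep their index."""
    args, cur, in_str = [], [], False
    for ch in arg_text:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def extract_file_format(call_args):
    """Return the raw FileFormat expression: named (FileFormat:=x) wins,
    otherwise the second positional argument of SaveAs(Filename, FileFormat, ...)."""
    args = _split_args(call_args)
    for a in args:
        m = re.match(r"FileFormat\s*:=\s*(.+)", a, re.IGNORECASE)
        if m:
            return m.group(1).strip()
    if len(args) >= 2 and ":=" not in args[1]:
        return args[1] or None
    return None


def resolve_format(expr):
    """Map a FileFormat expression to an int; None when it is not a literal or xl* constant."""
    if expr is None:
        return None
    expr = expr.strip()
    if re.fullmatch(r"-?\d+", expr):
        return int(expr)
    if re.fullmatch(r"&H[0-9A-Fa-f]+", expr):       # VBA hex literal, e.g. &H3
        return int(expr[2:], 16)
    for name, val in XL_FILE_FORMAT.items():
        if name.lower() == expr.lower():
            return val
    return None


def classify(value):
    """Verdict string for a resolved FileFormat value."""
    if value is None:
        return "dynamic"
    if value in VALUE_TO_NAME:
        return "documented:" + VALUE_TO_NAME[value]
    if value in OBSERVED_UNDOCUMENTED:
        return "undocumented:" + OBSERVED_UNDOCUMENTED[value]
    return "unknown"


def scan_vba(source):
    """Return one finding per SaveAs call: line number, raw expression, value, verdict."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SAVEAS_RE.search(_strip_comment(line))
        if not m:
            continue
        arg_text = m.group(1).strip()
        if arg_text.startswith("(") and arg_text.endswith(")"):   # Call wb.SaveAs(...) form
            arg_text = arg_text[1:-1]
        expr = extract_file_format(arg_text)
        value = resolve_format(expr)
        findings.append({"line": lineno, "expr": expr, "value": value, "verdict": classify(value)})
    return findings


# Constructed VBA sample mimicking the behaviour described in the post.
SAMPLE_VBA = '''\
Sub AutoOpen()
    ' constructed sample, not a real payload
    ActiveWorkbook.SaveAs Filename:="C:\\Users\\Public\\out.txt", FileFormat:=3
    ThisWorkbook.SaveAs "C:\\Users\\Public\\copy.xlsb", xlExcel12
    Call ActiveWorkbook.SaveAs("C:\\Users\\Public\\data.csv", 6) ' xlCSV
    ActiveWorkbook.SaveAs Filename:="C:\\Users\\Public\\x", FileFormat:=fmt
End Sub
'''

if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"line {f['line']}: FileFormat={f['expr']!r} -> {f['verdict']}")
```

Run it on the VBA text produced by a macro extractor (olevba output, for instance): every call that lands in the "undocumented" or "unknown" bucket is a candidate for the kind of manual check the post describes, and "dynamic" calls tell you the value is computed at run time and needs the surrounding code read.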

Week of Data Dumps, Part 7 – registry

This one is not a surprise, I hope. Most forensic artifacts are either file- or Registry-based. Of course, there is a macOS/OS X world out there, and there is Linux, but in reality a lot of DFIR still lives inside the Microsoft world.

My 3R page lists a lot of interesting Windows Registry artifacts that I automagically pulled from Harlan Carvey’s regripper.

The file linked to this post shows a few more, either properly attributed… or not. After all, who has the TIME for all the analysis?!!! Still, hopefully it’s useful to some…