{"id":8739,"date":"2023-09-21T22:37:46","date_gmt":"2023-09-21T22:37:46","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8739"},"modified":"2023-10-03T12:53:29","modified_gmt":"2023-10-03T12:53:29","slug":"documenting-the-undocumented-excels-saveas-method","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/09\/21\/documenting-the-undocumented-excels-saveas-method\/","title":{"rendered":"Documenting the undocumented &#8211; Excel&#8217;s SaveAs method&#8230;"},"content":{"rendered":"\n<p>A few days ago <a href=\"https:\/\/twitter.com\/albertzsigovits\">@kernelv0id<\/a> asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. He saw a malicious .xlsb file dropping a file that was being saved with a file format equal to 3. For those who don&#8217;t know, the Excel API &#8216;<a href=\"https:\/\/learn.microsoft.com\/en-us\/office\/vba\/api\/excel.workbook.saveas\">SaveAs<\/a>&#8216; takes a bunch of  arguments, including a file name and a file format that we want the file to be saved as. According to this <a href=\"https:\/\/learn.microsoft.com\/en-us\/office\/vba\/api\/excel.xlfileformat\">page<\/a>, number &#8216;3&#8217; is undocumented.<\/p>\n\n\n\n<p>This triggered my interest so I quickly tested what that saved file may look like. 
To my surprise, it was just a TAB-separated text file!<\/p>\n\n\n\n<p>A-ha.<\/p>\n\n\n\n<p>This gave me an excuse to write a simple test macro to go and try running the &#8216;SaveAs&#8217; method with all the file formats from 0 to 62:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Sub x()\n    ' Skip FileFormat values that Excel refuses instead of stopping the loop\n    On Error Resume Next\n    For i = 0 To 62\n        ' Zero-pad the output name so the saved files sort by format number\n        If i &lt; 10 Then f = \"out\\0\" &amp; i Else f = \"out\\\" &amp; i\n        ActiveWorkbook.SaveAs Filename:=f, FileFormat:=i\n    Next i\nEnd Sub\n<\/pre>\n\n\n\n<p>and cross-referencing the results with the documented file formats, leading me to this <a href=\"https:\/\/hexacorn.com\/d\/list.csv\">final table<\/a>, sorted by file format constant.<\/p>\n\n\n\n<p>The TSV, PDF and XPS formats are great to see&#8230; Why is Microsoft not documenting these yet?<\/p>\n\n\n\n<p>I believe the Office suite hides a lot of secrets from us. It&#8217;s time to start digging!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few days ago @kernelv0id asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. 
He saw a malicious .xlsb file dropping a file that was being saved with a file &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/09\/21\/documenting-the-undocumented-excels-saveas-method\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,21],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8739"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8739"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8739\/revisions"}],"predecessor-version":[{"id":8769,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8739\/revisions\/8769"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}