Closed
Similar to oledump's plugin_biff.
Need to support different formats, which store XLM macros in different ways:
- XLS (BIFF)
- XLSM (XML) => moved to olevba: detect and extract Excel 4 Macros (XLM/XLF) in XLSM #415
- XLSB => moved to olevba: detect and extract Excel 4 Macros (XLM/XLF) in XLSB #416
- SLK => moved to olevba: detect and extract Excel 4 Macros (XLM/XLF) in SLK #417
References:
- https://blog.didierstevens.com/2019/03/15/maldoc-excel-4-0-macro/
- https://blog.didierstevens.com/2018/12/19/updateoledump-py-version-0-0-40/
- http://blog.inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files/
- XLSM: https://twitter.com/DissectMalware/status/1091306980894040072
- XML entity encoding: https://twitter.com/DissectMalware/status/1092003809906384897
- samples: https://twitter.com/i/moments/1080201930448793600
- more samples: https://twitter.com/InQuest/status/1103193630360199168
- https://isc.sans.edu/forums/diary/Maldoc+Excel+40+Macros/24750/
- see the interesting keywords on page 18 of https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Hegt-MS-Office-in-Wonderland.pdf => should be detected both in XLM and VBA, when ExecuteExcel4Macro is used
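Added example (not part of this issue, and not olevba/oletools code): a minimal detector for the first two storage formats listed above. For XLS it walks the BIFF records of a Workbook stream and flags BOUNDSHEET entries whose sheet type is "macro sheet" (record layouts per [MS-XLS]: BOF 0x0809, BOUNDSHEET 0x0085, EOF 0x000A), also reporting hidden/very-hidden state and counting macro-sheet BOF substreams as a second signal; for XLSM it lists the package parts under xl/macrosheets/. All sample input is constructed inline. It assumes the Workbook stream has already been extracted from the .xls OLE container (e.g. with olefile), which is out of scope here.

```python
"""Minimal Excel 4.0 (XLM) macro-sheet detector for BIFF8 Workbook streams
and XLSM packages. Added example, not oletools/olevba code. Record layouts
follow [MS-XLS]; the sample streams below are constructed, not real samples."""
import io
import struct
import zipfile

BOF = 0x0809
BOUNDSHEET = 0x0085
EOF = 0x000A

# BOF "dt" value for an Excel 4 macro sheet substream ([MS-XLS] BOF record).
BOF_MACRO_SHEET = 0x0040
# BOUNDSHEET grbit: low byte holds hsState (bits 0-1), high byte holds dt.
SHEET_TYPE = {0x00: "worksheet", 0x01: "macrosheet", 0x02: "chart", 0x06: "vba"}
HS_STATE = {0: "visible", 1: "hidden", 2: "veryhidden"}


def iter_biff_records(stream):
    """Yield (record_type, data) for each BIFF record; stop on truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + rlen]
        if len(data) < rlen:
            break  # truncated record: never read past the buffer
        yield rtype, data
        pos += 4 + rlen


def find_xlm_sheets(stream):
    """Return ([(sheet_name, visibility), ...] for macro sheets, macro_bof_count)."""
    sheets = []
    macro_bofs = 0
    for rtype, data in iter_biff_records(stream):
        if rtype == BOF and len(data) >= 4:
            _vers, dt = struct.unpack_from("<HH", data, 0)
            if dt == BOF_MACRO_SHEET:
                macro_bofs += 1
        elif rtype == BOUNDSHEET and len(data) >= 8:
            # lbPlyPos(4) grbit(2) then ShortXLUnicodeString: cch(1) fHighByte(1) rgb
            _pos, grbit, cch, flags = struct.unpack_from("<IHBB", data, 0)
            raw = data[8:]
            name = (raw[:cch * 2].decode("utf-16-le", "replace") if flags & 1
                    else raw[:cch].decode("latin-1"))
            if SHEET_TYPE.get(grbit >> 8) == "macrosheet":
                sheets.append((name, HS_STATE.get(grbit & 3, "unknown")))
    return sheets, macro_bofs


def find_xlsm_macrosheets(xlsm_bytes):
    """Return XML parts under xl/macrosheets/, where OOXML stores XLM sheets."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.lower().startswith("xl/macrosheets/") and n.lower().endswith(".xml")]


# --- constructed sample input -------------------------------------------------
def _rec(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def _boundsheet(name, dt, hs_state):
    grbit = (dt << 8) | hs_state
    body = struct.pack("<IHBB", 0, grbit, len(name), 0) + name.encode("latin-1")
    return _rec(BOUNDSHEET, body)


def build_sample_workbook():
    """Constructed globals substream: one normal sheet, one very-hidden XLM sheet,
    then an (empty) macro-sheet substream. BOF layout: vers, dt, rupBuild,
    rupYear, bfh, sfo."""
    bof_globals = _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
    bof_macro = _rec(BOF, struct.pack("<HHHHII", 0x0600, BOF_MACRO_SHEET, 0, 0, 0, 0))
    eof = _rec(EOF, b"")
    return (bof_globals + _boundsheet("Sheet1", 0x00, 0)
            + _boundsheet("Macro1", 0x01, 2) + eof + bof_macro + eof)


def build_sample_xlsm():
    """Constructed minimal XLSM package containing one macro sheet part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    sheets, bofs = find_xlm_sheets(build_sample_workbook())
    for name, state in sheets:
        print(f"XLM macro sheet: {name!r} ({state})")
    print(f"macro-sheet BOF substreams: {bofs}")
    print("XLSM macro parts:", find_xlsm_macrosheets(build_sample_xlsm()))
```

A very-hidden macro sheet (hsState 2, settable only through VBA or by editing the file) is the usual tell in malicious XLS samples, so the visibility is reported next to the sheet name. Extracting the macro formulas themselves requires decoding FORMULA record ptg tokens, which this example deliberately leaves to a full parser such as oledump's plugin_biff.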