PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Malware detected as FORMULOAD and HIDDBOOK is formula macro malware in which the worksheet carrying the macro is set to VeryHidden. Such worksheets cannot be unhidden from Microsoft Excel's user interface and require a third-party tool should the user want to unhide them. Because the macro lives in the worksheet cells rather than in a VBA project, it cannot be viewed from the VB Macro window either.

Microsoft Excel provides a feature that lets users hide worksheets. A worksheet's state is "visible" by default and can be changed to "hidden" or "very hidden". FORMULOAD and HIDDBOOK use this feature to hide the worksheet that carries the malicious Excel 4.0 macro. These old macros have been supported since Excel version 5 (1993) up to Excel 2016.

These files are usually delivered via spam using social engineering techniques, such as citing current events like the Covid-19 pandemic, to grab the receiver's attention. The download URL structure, technique used, and macro code are similar to those of a campaign that delivers Zloader and URSNIF as a payload.

Its routines include:

  • Use of normal Office function to deploy malicious code

  • Automatic start of malicious code without user consent
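As an added defender-side example (not code from this page or its vendor), the following Python scanner checks an OOXML workbook (.xlsx/.xlsm, which is a zip package) for the traits described above: a worksheet whose state is veryHidden, an Excel 4.0 macro sheet part, and an Auto_Open defined name, which is the mechanism by which such a macro starts automatically when the workbook is opened. The namespaces and the macro-sheet content type are the real ones Excel writes; the two in-memory workbooks are constructed skeletons for the demonstration, not real samples, and the scoring rule in is_suspicious is an assumed triage heuristic.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces (from the ECMA-376 / Open Packaging specs)
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
# Content type Excel assigns to an Excel 4.0 (XLM) macro sheet part
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def scan_workbook(xlsm_bytes):
    """Inspect an OOXML workbook (a zip) for hidden/veryHidden sheets,
    Excel 4.0 macro sheet parts and Auto_Open defined names."""
    findings = {"hidden": [], "very_hidden": [], "macrosheets": [], "auto_open": []}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        names = set(zf.namelist())

        # 1. Does the package contain an XLM macro sheet at all?
        if "[Content_Types].xml" in names:
            types = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in types.iter(f"{{{NS_CT}}}Override"):
                if ov.get("ContentType") == MACROSHEET_CT:
                    findings["macrosheets"].append(ov.get("PartName"))

        # 2. Sheet visibility and auto-start names live in xl/workbook.xml
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")  # absent attribute == visible
                if state == "veryHidden":
                    findings["very_hidden"].append(sheet.get("name"))
                elif state == "hidden":
                    findings["hidden"].append(sheet.get("name"))
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                name = dn.get("name", "")
                # Built-in names carry the _xlnm. prefix; Auto_Open runs on open
                if name.lower().endswith("auto_open"):
                    findings["auto_open"].append((name, (dn.text or "").strip()))
    return findings


def is_suspicious(findings):
    """Assumed triage rule: macro sheet present AND (veryHidden sheet OR Auto_Open)."""
    return bool(findings["macrosheets"]) and bool(
        findings["very_hidden"] or findings["auto_open"]
    )


def build_sample(malicious=True):
    """Constructed in-memory workbook skeleton for the demo (not a real sample)."""
    if malicious:
        sheets = ('<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                  '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        defined = ('<definedNames><definedName name="_xlnm.Auto_Open">'
                   'Macro1!$A$1</definedName></definedNames>')
        override = ('<Override PartName="/xl/macrosheets/sheet1.xml" '
                    f'ContentType="{MACROSHEET_CT}"/>')
    else:
        sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        defined = ""
        override = ""
    workbook = (f'<workbook xmlns="{NS_MAIN}" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                f'<sheets>{sheets}</sheets>{defined}</workbook>')
    content_types = (f'<Types xmlns="{NS_CT}">'
                     '<Override PartName="/xl/workbook.xml" '
                     'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
                     f'{override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("constructed sample", build_sample()),
                        ("benign workbook", build_sample(malicious=False))):
        result = scan_workbook(blob)
        print(label, "->", "suspicious" if is_suspicious(result) else "clean", result)
```

The scanner reads the package directly rather than through Excel, so the VeryHidden state that the UI refuses to show is just an attribute value here. It covers the OOXML container only; the legacy binary .xls (BIFF) format records the same visibility flag in its BOUNDSHEET records and needs a separate parser.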

It is capable of the following:

  • Download Routine

  • Registry Editing

It typically follows the infection chain below: