Symbexcel: Bringing the Power of Symbolic Execution to the Fight Against Malicious Excel 4 Macros

Conference:  BlackHat USA 2021

2021-08-04

Summary

The presentation discusses the use of symbolic execution to analyze and detect macro-based malware threats in Excel.
  • Macros are an ongoing and evolving threat that is difficult to analyze and detect accurately because of the evasion techniques used in modern malware.
  • Symbolic execution provides a way to analyze samples that would otherwise be impossible or very hard to deal with using a concrete deobfuscator.
  • The presentation provides examples of how the solver backend works in practice and how it was used to analyze a complex malware sample composed of multiple stages and two deobfuscation routines.
  • The presentation also compares the effectiveness of using a concrete deobfuscator versus using Symbexcel, a symbolic execution tool, to deobfuscate samples.
  • The anecdote provided illustrates how the malware at the infection stage downloads a malicious Windows DLL and registers it using the rundll32.exe executable, and how symbolic execution is used to concretize every formula before executing it.
The malware at the infection stage downloads a malicious Windows DLL and registers it using the rundll32.exe executable. The payload is completely symbolic, and every formula needs to be concretized before it is executed. If the first download fails, the sample is configured to access a second endpoint in order to download the malicious DLL.

Abstract

Excel 4.0 (XL4) macros are a popular attack vector for threat actors, as security vendors struggle to play catch-up and detect malicious macros properly. These macros provide attackers with a simple and reliable method to gain a foothold in a target network. They represent an abuse of a legitimate feature of Excel and do not rely on any vulnerability or exploit. For many organizations, blacklisting Excel 4 macros isn't a viable solution, and any signature to flag these samples must be precise enough not to trigger on files that leverage this feature legitimately.

As XL4 macros represent somewhat 'uncharted territory', malware authors make discoveries daily, pushing the boundaries of this technique and identifying ways to evade detection and obfuscate their code. While Microsoft recently introduced novel mechanisms to monitor the execution of these macros, obfuscation based on environmental checks and time triggers is still challenging.

To solve these issues, we developed a novel technique that applies Symbolic Execution to the analysis of Excel 4 macros. Symbolic Execution is a program analysis technique in which the values of inputs to a program are kept abstract (i.e., symbolic). During execution, it is possible to characterize the various paths taken by a program as a set of constraints on the inputs' values. By leveraging solvers, given a particular path, it is possible to automatically derive the inputs necessary to reach a specific point in a program. This "magic" allows, for example, the automated derivation of values that would deobfuscate a specific sample, saving hours of manual work.

In this presentation, we introduce a new tool, called Symbexcel, that implements a Symbolic Executor for Excel 4 macros and various plugins that support the analysis of highly obfuscated and evasive malicious samples.
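The path-constraint idea from the abstract, as an added example that is not Symbexcel's code: an analyst-side toy executor forks at an environment check, records each path's constraints, and solves for the inputs that reach the decoder. The encoded cells, the 770 width threshold, the input domains, the printable-ASCII and leading-"=" constraints, and the finite-domain search standing in for an SMT solver are all assumptions of this sketch.

```python
from itertools import product

# Constructed sample: character codes of a benign formula, each shifted by
# the day of the month on which the macro is assumed to expect to run.
ENCODED = [ord(c) + 17 for c in '=ALERT("stage 2")']

# Symbolic inputs and their (assumed) domains.
DOMAINS = {"width": range(0, 2001, 10),   # GET.WORKSPACE(13): workspace width
           "day": range(1, 32)}           # DAY(NOW())

def explore():
    """Fork at the environment check; return the constraints of each path."""
    halt = [lambda e: e["width"] < 770]       # IF(width<770, HALT())
    decode = [lambda e: e["width"] >= 770]    # fall through to the decoder
    for cell in ENCODED:                      # CHAR(cell - day) per cell
        # Assumption: decoded characters are printable ASCII.
        decode.append(lambda e, c=cell: 32 <= c - e["day"] <= 126)
    # Assumption: the decoded text is written as a formula, so it starts with "=".
    decode.append(lambda e: ENCODED[0] - e["day"] == ord("="))
    return {"halt": halt, "decode": decode}

def solve(constraints):
    """Finite-domain search standing in for an SMT solver."""
    names = list(DOMAINS)
    for values in product(*DOMAINS.values()):
        env = dict(zip(names, values))
        if all(check(env) for check in constraints):
            return env
    return None

def deobfuscate():
    """Solve the decoder path, then concretize the formula with the model."""
    env = solve(explore()["decode"])
    text = "".join(chr(c - env["day"]) for c in ENCODED)
    return env, text

if __name__ == "__main__":
    print(deobfuscate())
```
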