Your Office Document is at Risk – XLL, A New Attack Vector

The article describes a shift in office-document attack vectors: as VBA macros are increasingly blocked, attackers are moving to malicious Microsoft Office add-ins, specifically Excel XLL files, to deliver payloads. It details a Raccoon Stealer V2 campaign in which an XLL loaded through Excel runs an obfuscated .NET installer, downloads a ZIP payload, and uses anti-debugging tricks to evade analysis. #XLL #RacoonStealerV2 #RacoonStealerCiR #BankStatement1674745402XLL #filesetup_v17.3.4

Keypoints

  • Office macros, once blocked by MOTW, push attackers toward abusing Microsoft Add-ins like XLLs as initial access vectors.
  • Malicious XLL files are often disguised as Excel add-ins and delivered via email attachments, complicating user judgment.
  • Attackers use rundll32.exe to execute the XLL, leveraging Excel’s export functions such as xlAutoOpen to trigger code.
  • The XLL-based loader downloads a ZIP payload from a remote URL and unpacks it using PowerShell, placing files in Temp for execution.
  • The payload includes a heavily obfuscated .NET installer (filesetup_v17.3.4.jpg) with anti-debugging techniques to hinder analysis.
  • Raccoon Stealer V2 is described as collecting files (e.g., .ttf, .xml) and waiting to exfiltrate them once the C&C server is online; several Quick Heal detection names are listed.

MITRE Techniques

  • [T1204.002] User Execution – Malicious XLL/Excel add-ins delivered via email attachments; ‘These files are mainly shared as an email attachment. It is associated with an icon similar to other Excel-supported files, making it hard for end users to distinguish between the original Excel file and an add-in file.’
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – The XLL is executed explicitly using rundll32.exe with parameters including ‘C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Desktop\9009859256\BankStatement-1674745402.xll, xlAutoOpen’.
  • [T1059.001] PowerShell – Used to unzip the downloaded ZIP payload: ‘powershell.exe Expand-Archive -Path "C:\Users\user\AppData\Local\Temp\mypictures.zip" -DestinationPath "C:\Users\user\AppData\Local\Temp"’.
  • [T1027] Obfuscated/Compressed Files and Information – The filesetup_v17.3.4.jpg/.NET installer is highly obfuscated and includes multiple anti-analysis techniques; ‘This .NET file has 213 methods in it … highly obfuscated.’
  • [T1562.001] Impair Defenses – Anti-debugging and anti-analysis checks at startup, including OllyDbg checks, IsDebuggerPresent, and CheckRemoteDebuggerPresent; ‘OllyDbg is a popular debugger tool … One technique for detecting and preventing debugging using OllyDbg involves checking for the presence of a specific string that is associated with the debugger.’
  • [T1057] Process Discovery/Execution Flow – The payload executes via a defined process flow, using Excel export functions such as xlAutoOpen to load and run the malicious code; the article's execution-flow description references these export functions.
  • [T1557] Virtualization/Sandbox Evasion – The .NET loader employs anti-analysis techniques to hinder reverse engineering and sandboxing. (Quoted: ‘highly obfuscated … to make it more difficult for any researcher to understand the code and logic of the application.’)
  • [T1056] Command and Scripting Interpreter: PowerShell – Used explicitly to unzip the archive and stage the payload. (Quoted: ‘powershell.exe Expand-Archive …’)

Indicators of Compromise

  • [IP] context – 160.119.253.242, 160.119.253.36, 45.93.201.114
  • [URL] context – http[:]//160[.]119[.]253[.]36/filesetup_v17.3.4.zip
  • [Malicious DLL File] context – SHA256:
      ab06eca36c9e011a149ea1625b8ad3629907b2a418ce10fe039870a3d9928bb0
      9a652f77b9fba07d04e4021d3f533791bdedf4284fbbc007b4c55fea94a46635
      6f74060f131c9034f55349cdeb2b5ebbd73582e6ac9da11c9310892bfdfeba36
      5dfa56596b133d080b770e11783b1763da445dc2fef57fe060c87e7b73012308
      2d9e90155343ba8f8f8e16c80b1dc62227f607c2ba277491c6f8f384bf5e0499
      16522212c1b951ffab57e8f8fa288295cca5d9600e83b74551601246841cae91
      0ec2bb5aad17efc7e1e1d8371b04684957684fec8e73df62bd41320bbf517b13
      4da00e7d529be457c914b085d66f012c070bf6e3f85675303aa41a7689c08c75
  • [Malicious ZIP File] context – 59d2403b99c95a057e43dd25e3d58b66331d130b52c19d2919e7966023ede5f6
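The two behavioural techniques above (rundll32.exe loading an .xll with the xlAutoOpen export, and PowerShell unpacking an archive into Temp) and the indicators in this list can be turned into simple detection logic. The following is an added example written for this summary, not code from Quick Heal or the article: it refangs the published URL, folds the Unicode dashes that PowerShell accepts in place of "-" (an en dash appears in the quoted command line), and runs both command-line rules and the IoC matches over a handful of constructed telemetry events. The event shape, rule names and sample command lines are assumptions made for the example.

```python
"""Detection helpers for the XLL -> ZIP -> .NET loader chain summarised above (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted from the article, kept in their published (defanged) form.
DEFANGED_URLS = ["http[:]//160[.]119[.]253[.]36/filesetup_v17.3.4.zip"]
IOC_IPS = {"160.119.253.242", "160.119.253.36", "45.93.201.114"}
IOC_SHA256 = {
    "ab06eca36c9e011a149ea1625b8ad3629907b2a418ce10fe039870a3d9928bb0",  # one of the XLLs
    "59d2403b99c95a057e43dd25e3d58b66331d130b52c19d2919e7966023ede5f6",  # the ZIP payload
}


def refang(indicator: str) -> str:
    """Reverse common defanging ("[.]", "[:]", "hxxp") so a published IoC matches live telemetry."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


IOC_URLS = {refang(u) for u in DEFANGED_URLS}


def normalize_dashes(cmdline: str) -> str:
    """PowerShell treats U+2013/U+2014/U+2015 as the parameter dash, so a rule that only
    looks for "-Path" would miss "\u2013Path"; fold them to ASCII before matching."""
    return cmdline.replace("\u2013", "-").replace("\u2014", "-").replace("\u2015", "-")


# Excel itself loads add-ins from EXCEL.EXE; rundll32.exe invoking an .xll export is anomalous.
RULE_RUNDLL32_XLL = re.compile(r"rundll32(?:\.exe)?\b.*\.xll\b.*,\s*xlAuto(?:Open|Close)", re.I)
# Expand-Archive whose destination is a Temp directory (staging step quoted in the article).
RULE_PS_EXPAND_TEMP = re.compile(r'expand-archive\b.*-destinationpath\s+"?[^"]*\\temp\b', re.I)


@dataclass
class Event:
    kind: str   # assumed schema: "process" (command line), "network" (IP or URL), "file" (sha256)
    data: str


def classify(event: Event) -> List[str]:
    """Return the names of every rule the event triggers; an empty list means nothing matched."""
    hits: List[str] = []
    if event.kind == "process":
        cmd = normalize_dashes(event.data)
        if RULE_RUNDLL32_XLL.search(cmd):
            hits.append("rundll32_loads_xll_xlAutoOpen")      # T1218.011 / T1204.002
        if RULE_PS_EXPAND_TEMP.search(cmd):
            hits.append("powershell_expand_archive_to_temp")  # T1059.001
    elif event.kind == "network":
        if event.data in IOC_IPS or event.data in IOC_URLS:
            hits.append("known_c2_indicator")
    elif event.kind == "file":
        if event.data.lower() in IOC_SHA256:
            hits.append("known_malicious_hash")
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map the index of each triggering event to its rule names; benign events are omitted."""
    findings: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: two lines mirror the commands quoted in the article,
# the rest are benign look-alikes that the rules should leave alone.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Desktop\BankStatement-1674745402.xll, xlAutoOpen"),
    Event("process", 'powershell.exe Expand-Archive \u2013Path "C:\\Users\\user\\AppData\\Local\\Temp\\mypictures.zip" '
                     '-DestinationPath "C:\\Users\\user\\AppData\\Local\\Temp"'),
    Event("process", r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /dde'),
    Event("network", "http://160.119.253.36/filesetup_v17.3.4.zip"),
    Event("file", "59D2403B99C95A057E43DD25E3D58B66331D130B52C19D2919E7966023EDE5F6"),
    Event("file", "0" * 64),
    Event("process", r"powershell.exe Expand-Archive -Path C:\build\src.zip -DestinationPath C:\build\out"),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(rules)}")
```

Hash matching is case-insensitive because EDR and sandbox exports disagree on hex case, and the Temp rule deliberately does not fire on the last event: Expand-Archive on its own is routine administration, so the rule keys on the staging directory rather than on the cmdlet.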

Read more: https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/