Beginning in January 2020, a campaign was detected that employed advanced obfuscation to evade detection. By placing its malicious macros on hidden Microsoft Excel sheets, the document avoids inspection by many detection engines. The documents are believed to be delivered via social-engineering emails. Once the victim is persuaded to enable editing and content, the macros on the hidden sheets execute and call a WinAPI function to download the next-stage malware.
The macro worksheet is heavily obfuscated. It starts with a chain of “RUN” commands that eventually ends in several more interesting commands, such as “CALL” and “EXEC”.
The macro uses a Win32 API function to download the next stage.
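As an added triage example (not the campaign's files and not code from the original post), the script below shows how a defender can surface the two indicators described above: a sheet marked hidden or veryHidden in the workbook, and a macro sheet whose formulas chain “RUN” into “CALL” and “EXEC”. The sample workbook is constructed inline and follows the OOXML (.xlsm) package layout, where Excel 4.0 macro sheets live under xl/macrosheets/; that layout, and the placeholder DLL/function/executable names in the sample formulas, are assumptions of this example, not details from the page.

```python
"""Find hidden sheets and Excel 4.0 macro sheets in an OOXML workbook (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + NS_URI + "}"
MACROSHEET_PREFIX = "xl/macrosheets/"  # assumed OOXML location of XLM macro sheets
# Excel 4.0 macro functions named on the page; a macro sheet using them is flagged.
SUSPICIOUS_FUNCS = ("RUN", "CALL", "EXEC")
FUNC_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(", re.IGNORECASE)


def build_sample_workbook() -> bytes:
    """Constructed sample: one visible worksheet plus a veryHidden macro sheet
    whose formulas chain RUN() into CALL() and EXEC(). The DLL, function and
    executable names are placeholders, not values from the page."""
    workbook_xml = (
        f'<workbook xmlns="{NS_URI}"><sheets>'
        '<sheet name="Sheet1" sheetId="1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
        "</sheets></workbook>"
    )
    macrosheet_xml = (
        f'<macrosheet xmlns="{NS_URI}"><sheetData>'
        '<row r="1"><c r="A1"><f>RUN(A2)</f></c></row>'
        '<row r="2"><c r="A2"><f>RUN(A3)</f></c></row>'
        '<row r="3"><c r="A3"><f>CALL("placeholder.dll","PlaceholderFunc","J",0)</f></c></row>'
        '<row r="4"><c r="A4"><f>EXEC("placeholder.exe")</f></c></row>'
        "</sheetData></macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_URI}"/>')
        zf.writestr(MACROSHEET_PREFIX + "sheet1.xml", macrosheet_xml)
    return buf.getvalue()


def hidden_sheets(zf: zipfile.ZipFile) -> list:
    """Return (name, state) for every sheet marked hidden or veryHidden.
    A veryHidden sheet cannot be unhidden from the Excel UI at all."""
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.iter(NS + "sheet"):
        state = sheet.get("state", "visible")
        if state in ("hidden", "veryHidden"):
            found.append((sheet.get("name"), state))
    return found


def macro_sheet_formulas(zf: zipfile.ZipFile) -> dict:
    """Map each Excel 4.0 macro sheet part to the list of its cell formulas."""
    formulas = {}
    for name in zf.namelist():
        if name.startswith(MACROSHEET_PREFIX) and name.endswith(".xml"):
            root = ET.fromstring(zf.read(name))
            formulas[name] = [f.text or "" for f in root.iter(NS + "f")]
    return formulas


def analyze(data: bytes) -> dict:
    """Triage a workbook: hidden sheets, macro sheets and the XLM functions they use."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hidden = hidden_sheets(zf)
        macros = macro_sheet_formulas(zf)
    flagged = sorted(
        {m.group(1).upper() for fs in macros.values() for f in fs for m in FUNC_RE.finditer(f)}
    )
    return {
        "hidden_sheets": hidden,
        "macro_sheets": sorted(macros),
        "flagged_functions": flagged,
        # Hidden sheet + macro sheet + RUN/CALL/EXEC is the pattern the page describes.
        "suspicious": bool(hidden) and bool(macros) and bool(flagged),
    }


if __name__ == "__main__":
    print(analyze(build_sample_workbook()))
```

The check is deliberately shallow: it reports structure (hidden state, presence of a macro sheet, the function names used) rather than trying to de-obfuscate the RUN chain, which is enough to route a document to a sandbox or analyst even when the formulas themselves are obscured. Legacy binary .xls files store the same information in BIFF records rather than XML parts, so they need a different parser.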