"Very" Hidden sheets in Excel

Using oletool to analyse and detect hidden sheet

Although Microsoft has disabled VBA Macro by default if it comes from external (from the internet) in August. The usage of VBA Excel 4.0 Macro has significantly decreased by 68%.

How to detect hidden sheets

• https://isc.sans.edu/diary/Excel+Maldocs%3A+Hidden+Sheets/25876

• https://clickallthethings.wordpress.com/2020/04/06/covid-19-excel-4-0-macros-and-sandbox-detection/

• https://blog.reversinglabs.com/blog/excel-4.0-macros

• https://www.openoffice.org/sc/compdocfileformat.pdf

The link above already explains very well about this topic, but I want to dig a little bit deeper.

Check the BOUNDSHEET value

The byte value at position 5 in a BOUNDSHEET record defines the visibility of a sheet:

• Visible (0x00)

• Hidden (0x01)

• Very hidden (0x02)

What is BOUNDSHEET anyway? This record contains the name of a sheet in the Excel file along with the sheet type and the position of the sheet within a stream. It looks like this when you use oledump to analyze the excel file

Using oledump's plugin_biff

This plugin will carve the data out of the biff header which it can identify by looking for the biff header which is the first 8 bytes of the file below are BIFF version 5 and its magic compound number (you can check the format of biff header right here https://www.openoffice.org/sc/compdocfileformat.pdf)

# urgh you must install the plugin which calls plugin_biff.py (maybe it has already been installed)
# And also you need to install oledump.py 
# https://blog.didierstevens.com/programs/oledump-py/
oledump.py -p /opt/oledump-files/plugin_biff.py --pluginoptions "-x" sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin | less

The output of the plugin