{
	"id": "32413345-8175-4d58-884a-b2a4f7775909",
	"created_at": "2026-04-06T01:31:51.203823Z",
	"updated_at": "2026-04-10T03:21:50.28925Z",
	"deleted_at": null,
	"sha1_hash": "1da38c744f19fa5b2e91fede259dada5479a760c",
	"title": "zloader: VBA, R1C1 References, and Other Tomfoolery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820750,
	"plain_text": "zloader: VBA, R1C1 References, and Other Tomfoolery\r\nPublished by Jamie\r\nPublished: 2020-06-20 · Archived: 2026-04-06 01:00:03 UTC\r\nThe other day, @reecDeep tweeted about new behavior from zloader documents. Another document from the same campaign crossed my path and I decided to take a crack at it.\r\norder_93711.xls\r\nSHA256: B29C145D4B78DAED34DEA28A0A11BAB857D5583DC6A00578A877511D0D01D3D2\r\nURLS:\r\nhttps[:]//wireborg.com/wp-keys.php\r\nhttp[:]//zmedia.shwetech.com/wp-keys.php\r\nhttps[:]//datalibacbi.ml/wp-keys.php\r\nhttps[:]//procacardenla.ga/wp-keys.php\r\nRow and Column References\r\nOne of the first things you may notice is that this document doesn’t have the typical letters designating the columns. Instead, this document is using the R1C1 reference style. This was not done by accident. The Excel 4.0 macros used throughout this document depend upon this format.\r\nGetting around “Enable content”\r\nhttps://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/\r\nPage 1 of 7\n\nThe first sticking point was getting the ability to control execution of the macro. This proved to be a bit difficult. If the ‘Enable Content’ button is showing up, this means that some macros must exist, right? However, the VBAProject contents showed both Sheet1 and ThisWorkbook as blank.\r\nSo there were no macros… yet we were still being prompted to enable them. If you did enable them, the macro would execute with no opportunity to interrupt anything before the document would close. I decided to add a simple macro to the project to see if that would help me control execution.\r\nI noticed that when I saved my changes, the size of the document changed.\r\nOpening the copy while holding down the shift key brought up this security notification. Choosing “Enable Macros” allowed me to control execution and continue the analysis.\r\nFinding the Entry Point – R27455C174\r\nAs this is an XLM 4.0 macro document, the macro commands in the cells will execute sequentially until the commands send the execution path elsewhere. Possible commands for which to search would be =FORMULA or =GOTO. I started by searching for =FORMULA. Once I found one, I started to step through the macro code to see what would happen. It took a few tries, but the entry point for this document is R27455C174. From here, you can right-click that cell and select Run.\r\nWe can also see how this document makes use of the R1C1 notation. From what I understand so far, a positive number means you add that number of rows/cells to the current row/cell, and a negative number means you subtract that number of rows/cells from the current row/cell. In this case, it seems that the row being referenced is 51762 rows down and 81 columns to the left. However, I tried going to that cell but found it to be empty. I might be missing something obvious, but in the grand scheme of things, knowing exactly how this particular cell works is more of an academic exercise.\r\nEither way, you could just right-click on the cell, choose Run, Step Into, and then Evaluate a few times to get the code execution rolling. You’ll see that =GOTO(”) ends up moving you to cell R46304C95.\r\nBLOCK 1 – R46304C95\r\nThis cell is where characters from other cells are assembled into a string. We can see that the first one is “=CLOSE(FALSE)”. We can continue evaluating all of these until we get to the =GOTO() at the bottom.\r\nBLOCK 2 – R48037C63\r\nThat =GOTO() takes us to R48037C63. This cell fills in the cells below with the same string. The commands in the following cells take the strings from Block 1 and write them to a new location. For example, let’s look at R48038C63. It says to take the information in a cell that is 1734 rows up and 32 columns to the right and move it 14892 rows up and 20 columns to the left. This continues on until the =GOTO() at the bottom of this block.\r\nBLOCK 3 – R33147C43 – Evasion checks\r\nThe next block starts at R33147C43. It contains everything that was written above. Let’s analyze it in pieces. The first portion contains the familiar sandbox checks. Notice how if any of those checks fail, you GOTO(R33146C43). That cell contains =CLOSE(FALSE), which immediately stops execution.\r\nA .vbs file is then created in the C:\\Users\\Public folder. The lines in cells 33160-65 are written to that file, which is then closed.\r\nThe next section executes the .vbs file. This file reads information from the system registry containing VBAWarnings. The output is returned to the .txt file. The .vbs file is then deleted, and the .txt file is opened, read, and deleted. If the .txt file contains a 1, go back to =CLOSE(FALSE). If not, check the environment. If it has a 32 in the results (which it does), GOTO(R13419C196).\r\nBLOCK 4 – R13419C196\r\nThis brings us to yet another series of cells getting assembled into strings. We can step through them as before to the =GOTO(”).\r\nBLOCK 5 – R28840C118\r\nOnce again, this block takes the strings from above and copies them elsewhere.\r\nBLOCK 6 – R38562C99\r\nAnd finally, we can see the final execution commands in this document. There are four URLs from which to download a file to C:\\Users\\Public\\lxlGZ4A.html and execute it using rundll32.exe. Notice that if it fails the size check, it doesn’t go through the rest of the URLs. Instead, it immediately jumps down to the ALERT message. I’m guessing this helps to hide the rest of the URLs from showing up in Wireshark or something.\r\nCONCLUSION\r\nMany of the sandbox evasion techniques used are the same as before. The added difficulty was the use of (nonexistent) VBA macros, more ways to disguise the commands being run, and ways to hide the other URLs.\r\nAs always, thanks for reading.\r\nSource: https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/"
	],
	"report_names": [
		"zloader-vba-r1c1-references-and-other-tomfoolery"
	],
	"threat_actors": [],
	"ts_created_at": 1775439111,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1da38c744f19fa5b2e91fede259dada5479a760c.pdf",
		"text": "https://archive.orkl.eu/1da38c744f19fa5b2e91fede259dada5479a760c.txt",
		"img": "https://archive.orkl.eu/1da38c744f19fa5b2e91fede259dada5479a760c.jpg"
	}
}