{
	"id": "4d3d034d-21b7-49ab-9639-094bab677471",
	"created_at": "2026-04-06T00:17:22.467732Z",
	"updated_at": "2026-04-10T03:21:36.283458Z",
	"deleted_at": null,
	"sha1_hash": "2594a10cbd416b28955d9f4067e631254225cf4c",
	"title": "Avaddon ransomware shows that Excel 4.0 macros are still effective",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2534150,
	"plain_text": "Avaddon ransomware shows that Excel 4.0 macros are still effective\r\nBy Ionut Ilascu\r\nPublished: 2020-07-03 · Archived: 2026-04-05 15:49:03 UTC\r\nAvaddon ransomware has been spreading this week via an old technique that's making a comeback, Microsoft cautioned on\r\nThursday.\r\nThe attacks appear to be more targeted and rely on malicious Excel 4.0 macros to download the malware directly on the\r\nsystem.\r\nCampaign focused on Italy\r\nThis file-encrypting malware emerged at the beginning of June, delivered \"with a wink and a smile\" in a massive spam\r\ncampaign that did not focus on a particular type of user. Its operators are currently recruiting affiliates for spreading the\r\nransomware payload.\r\nThe encryption routine is solid and files cannot be unlocked for free. A sample analyzed by BleepingComputer asked for a\r\nransom of $900.\r\nMicrosoft Security Intelligence notes that the latest effort from the attacker focused on specific targets mainly in Italy,\r\nsending out emails with documents laced with malicious Excel 4.0 macros.\r\nOne such email found by malware hunter JamesWT_MHT pretends to be a notification from the Labor Inspectorate to a\r\nsmall business regarding work violations during \"a period of crisis.\"\r\nThe subject of the message is alarming, informing the recipient of impending penalties and potential legal action. 
In the\r\nattachment, there is a ZIP archive named \"Official notification.\"\r\nThe archived document contains an Excel 4.0 macro (XLM), which is still compatible with modern software where VBA\r\ncode is used instead.\r\nWhen run, the macro downloads an Avaddon ransomware sample directly, without an intermediary downloader, Microsoft\r\nnotes. This trend has been observed in other file-encrypting malware lately.\r\nUsing old macro bears fruit\r\nChoosing Excel 4.0 macros to spread the malware may seem peculiar, especially since it was introduced in Microsoft\r\nOffice products 28 years ago. However, Avaddon and numerous other threat actors have started using it recently.\r\nIn the case of Avaddon, this seems to yield results as the ransomware identification website ID Ransomware received a large\r\nnumber of submissions from victims. As seen below, the rise started on June 18 and then again on June 28 and 30, which is\r\nconsistent with Microsoft's observations.\r\n\"While an old technique, malicious Excel 4.0 macros started gaining popularity in malware campaigns in recent months. The\r\ntechnique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures\" - Microsoft\r\nSecurity Intelligence\r\nLaunched in 1992, Excel 4.0 uses XLM-based macros that store functions in BIFF (Binary Interchange File Format) records.\r\nThis makes them more difficult to analyze compared to VBA macros that have dedicated streams and that have been in use\r\nsince Excel 5.0.\r\nMicrosoft noticed an increase in malicious email campaigns with Excel 4.0 macros over the past few months. Since April, the\r\nattackers started using the Covid-19 theme.\r\nSource: https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shows-that-excel-40-macros-are-still-effective/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shows-that-excel-40-macros-are-still-effective/"
	],
	"report_names": [
		"avaddon-ransomware-shows-that-excel-40-macros-are-still-effective"
	],
	"threat_actors": [],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2594a10cbd416b28955d9f4067e631254225cf4c.pdf",
		"text": "https://archive.orkl.eu/2594a10cbd416b28955d9f4067e631254225cf4c.txt",
		"img": "https://archive.orkl.eu/2594a10cbd416b28955d9f4067e631254225cf4c.jpg"
	}
}