Excel 4.0 macro, also known as XLM 4.0 macro, is a benign record-and-playback feature of Microsoft Excel that was introduced back in 1992. This piece of programming code is a solution to automating repetitive tasks in Excel, but unfortunately, also a covert backdoor to malware delivery.

Like its predecessor, the Visual Basic for Application (VBA) macro, Excel 4.0 macro is increasingly being exploited to store hidden malware. Threat actors can easily weaponize this 30-year-old feature to create new attack techniques as they can obfuscate XML code to conceal the suspicious macros.

What makes this such a pervasive attack vector is that Excel 4.0 macros are an essential formula component of Excel’s core capability. They are used regularly across various business processes and are unlikely to be disabled or deprecated. Because of this, malware authors often sneak a malicious payload via the macro code into an Excel document and deliver it as an email attachment, like they did in the very first macro 4.0 incident.

The First Excel 4.0 Macro Attack

Since the first wave of macro 4.0 attacks in mid-February 2020[1], a large number of cyber criminals have co-opted this technique. It involves an infected sheet with a malicious command hidden in a formula, sent as part of an Excel file attachment.

The attackers use social engineering tactics to lure the target into opening the file. Upon opening, the victim is asked to click the “Enable Editing” button, which enables the malicious macro.


Following the first attack, threat actors continued to leverage this evasion technique to create more attacks, with spikes from May to July 2020[2].

“Very Hidden” Macros

Macros can be stealthily inserted and hidden in an Excel file using obfuscation strategies.

For example, a sheet is set to “Very Hidden”, which means this sheet is not readily accessible via the Excel UI and cannot be revealed without the help of an external tool. Macros hidden in the Excel sheet can be triggered via web query, or they can download malware upon a formula execution. Threat actors leverage this loophole to deliver malicious payloads via file uploads or email attachments and exploit system vulnerabilities to create new attack vectors.

Malware in a hidden Excel sheet

This tactic, paired with fear-based social engineering ploys were leveraged by attackers to gain remote access and run commands on compromised devices. Back in May 2020, the technique was so abused that Microsoft had to warn the public of a COVID-19 phishing campaign[3]. The attackers sent out emails with the subject “WHO COVID-19 SITUATION REPORT”, impersonating John Hopkins Center.

The attached Excel files contain a hidden malicious macro that downloads and runs NetSupport Manager RAT—an administration tool that allows for gaining remote access.

Protect Against Malicious File Uploads

Migrate to VBA

Being aware of these exploits, Microsoft has been encouraging users to shift to Visual Basic for Applications (VBA)[4]. The Antimalware Scan Interface (AMSI) paired with VBA can provide deep scrutinization of the macros’ behaviors in VBA, enabling the system to scan for suspicious macros and other malicious activities at runtime.

Integrate AMSI with Microsoft Office

Microsoft also enables integration of AMSI with Office 365 to include the runtime scanning of Excel 4.0 macros to help detect and block XLM-based malware.

Remove Macro Payloads and All Malware with Deep CDR

Our threat prevention technology assumes all files are malicious, then sanitizes and rebuilds each file, ensuring full usability with safe content by the time it reaches the users. Learn more about how OPSWAT Deep CDR prevents evasive techniques in Excel files and VBA stomping maldoc techniques.

Additionally, OPSWAT allows users to integrate multiple proprietary technologies to provide extra layers of protection from malware. One such example is Multiscanning, which allows users to simultaneously scan with 30+ anti-malware engines (utilizing AI/ML, signatures, heuristics, etc.) to achieve detection rates approaching 100%. Compare this to a single AV engine, which on average can detect only 40%–80% of viruses.

Learn more about OPSWAT Deep CDR, Multiscanning, and other technologies; or talk to an OPSWAT expert to discover the best security solution to protect against Zero-day attacks and other threats from advanced evasive malware.