Here is the VBA code:
It’s just displaying a message box about a problem, and when the user clicks the OK button, it attempts to close Excel. Nothing nefarious here.
And here are the Excel 4 macros:
Launching a PowerShell command. A downloader: that’s nefarious.
This sample might well be a PoC, but it nicely illustrates that both scripting technologies (ancient Excel 4 macros and old VBA) can coexist in the same document.
When you analyze potentially malicious Excel files, it’s best to check for the presence of both Excel 4 macros and VBA code.
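One way to run that double check, as an added example (not code from this diary or from the sample): it walks the BIFF8 records of an .xls Workbook stream for BOUNDSHEET entries typed as Excel 4.0 macro sheets, and looks for VBA project storage among the OLE stream names. The sample bytes and stream names are constructed and the function names are hypothetical. It assumes an OLE parser has already extracted the Workbook stream and the stream list.

```python
import struct

# BIFF8 BOUNDSHEET record id, with the sheet-type and visibility codes it carries
BOUNDSHEET = 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}

def list_sheets(workbook):
    """Walk the BIFF records of a Workbook stream; return (name, type, state) per sheet."""
    sheets, pos = [], 0
    while pos + 4 <= len(workbook):
        rec_id, rec_len = struct.unpack_from("<HH", workbook, pos)
        data = workbook[pos + 4:pos + 4 + rec_len]
        pos += 4 + rec_len
        if rec_id != BOUNDSHEET or len(data) < 8:
            continue  # not a sheet entry, or too short to hold one
        state, sheet_type, name_len, flags = struct.unpack_from("<BBBB", data, 4)
        raw = data[8:]
        # flags bit 0 set: UTF-16LE name; otherwise one byte per character
        if flags & 1:
            name = raw[:name_len * 2].decode("utf-16-le", errors="replace")
        else:
            name = raw[:name_len].decode("latin-1")
        sheets.append((name, SHEET_TYPES.get(sheet_type, hex(sheet_type)), SHEET_STATES.get(state & 3, "?")))
    return sheets

def triage(workbook, stream_names):
    """Report both macro technologies: Excel 4 macro sheets and VBA project streams."""
    xlm = [s for s in list_sheets(workbook) if s[1] == "Excel 4.0 macro sheet"]
    vba = [n for n in stream_names if "_VBA_PROJECT" in n.upper()]
    return {"excel4_macro_sheets": xlm, "vba_streams": vba}

def _rec(rec_id, payload):
    return struct.pack("<HH", rec_id, len(payload)) + payload

def _boundsheet(name, sheet_type, state):
    body = struct.pack("<IBBBB", 0, state, sheet_type, len(name), 0) + name.encode("latin-1")
    return _rec(BOUNDSHEET, body)

# Constructed sample: BOF, a visible worksheet, a hidden Excel 4.0 macro sheet, EOF
SAMPLE_WORKBOOK = (_rec(0x0809, b"\x00" * 16) + _boundsheet("Sheet1", 0x00, 0)
                   + _boundsheet("Macro1", 0x01, 1) + _rec(0x000A, b""))
SAMPLE_STREAMS = ["Workbook", "_VBA_PROJECT_CUR/VBA/ThisWorkbook", "_VBA_PROJECT_CUR/VBA/dir"]

if __name__ == "__main__":
    print(triage(SAMPLE_WORKBOOK, SAMPLE_STREAMS))
```

A document that returns entries in both lists carries both technologies, and each then needs its own review: the macro sheet's formulas and the VBA module source.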
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.