Here's a rough dump of the macros for these two ZLoader payloads using my tool Macrome. One was first seen on August 8th by Abuse.ch, the other was identified by @jcarndt on August 10th. The files are functionally identical, but there are some minor differences that have probably contributed to signature evasion:
- User defined functions are being passed random arguments - this changes the BIFF record signature entirely. Note that the arguments aren't actually used. In the Aug 8 sample you'd see something like `Formula[GK11912]: EokdmdoLRXOG()`, in the Aug 10 sample we see `Formula[DK4376]: SnJUk(81003)`. That value `81003` is used purely to change the look of the invocation on disk - if you were trying to count a bunch of user defined f
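As an added example (not Macrome output and not the author's code), here is a small Python normalizer over constructed dump lines in that format: it masks literal arguments so `SnJUk(81003)` and `SnJUk(17)` count as the same invocation, which is what a detection that counts UDF calls needs if random arguments are not to throw it off. The line format and the short built-in list are assumptions.

```python
import re
from collections import Counter

# Constructed lines in the style of a Macrome formula dump. Only the two
# invocations quoted in the post are real; the rest are made up for the demo.
SAMPLE_DUMP = """\
Formula[GK11912]: EokdmdoLRXOG()
Formula[GK11913]: EokdmdoLRXOG()
Formula[DK4376]: SnJUk(81003)
Formula[DK4377]: SnJUk(17)
Formula[DK4378]: SnJUk("q", 4.5)
Formula[A1]: =SUM(A2:A9)
"""

# Small set of Excel 4.0 built-ins to skip (assumption: names are
# case-insensitive); any other name with call syntax counts as a UDF.
BUILTINS = {"SUM", "CHAR", "FORMULA", "CALL", "REGISTER", "EXEC", "RUN", "GOTO", "RETURN"}

LINE_RE = re.compile(r"^Formula\[(?P<cell>[A-Z]+\d+)\]:\s*=?(?P<name>[A-Za-z_][\w.]*)\((?P<args>.*)\)\s*$")
LITERAL_RE = re.compile(r'"[^"]*"|-?\d+(?:\.\d+)?')

def normalize_call(line):
    """Parse one dump line into (cell, name, as_seen, canonical) or None.
    Numeric and string literal arguments become '?', so SnJUk(81003) and
    SnJUk(17) share the canonical form SnJUk(?). Cell references and nested
    calls are left alone; a comma inside a string literal is not handled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_args = m["args"].strip()
    parts = [a.strip() for a in raw_args.split(",")] if raw_args else []
    masked = ",".join("?" if LITERAL_RE.fullmatch(a) else a for a in parts)
    return m["cell"], m["name"], f"{m['name']}({raw_args})", f"{m['name']}({masked})"

def count_udf_calls(dump):
    """Return three Counters over UDF invocations: by on-disk text (what a
    naive signature sees), by canonical form, and by function name."""
    as_seen, canonical, by_name = Counter(), Counter(), Counter()
    for line in dump.splitlines():
        parsed = normalize_call(line)
        if parsed is None or parsed[1].upper() in BUILTINS:
            continue
        cell, name, seen, canon = parsed
        as_seen[seen] += 1
        canonical[canon] += 1
        by_name[name] += 1
    return as_seen, canonical, by_name

if __name__ == "__main__":
    for label, c in zip(("as seen", "canonical", "by name"), count_udf_calls(SAMPLE_DUMP)):
        print(label, dict(c))
```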