SANS ISC shares several links for increased attacks using out-dated Excel techniques from 1990s.  Malware authors are using Excel 4.0 XML macro based scripting from it’s earliest days to evade detection by AV security software. Very old & out-dated technologies are supported by newer versions of Excel on a “compatibility” & legacy basis. Using these old standards as a delivery mechanism might allow viruses to pass thru detection filters as AV vendors cannot program for every possible scenario.

Excel 4.0 (1992) was last version to use XLM macro based scripting. XLM was the default macro language for Excel through Excel 4.0. Beginning with version 5.0 Excel recorded macros in VBA. We’ve been seeing quite some malicious Excel files with Excel 4 macros lately. A variant we are observing now, is password protected Excel 4 maldocs, using the binary file format .xls (and not OOXML, .xlsm). Password protected .xls files are not completely encrypted.