Once opened with Excel, abusing the DDE (Dynamic Data Exchange) protocol allows easy code execution if enabled on the victim's. First, we need to export our list to Excel via List > Export to Excel. Open the .iqy file in Excel. This creates the necessary data connection in Excel, which we will examine next. Because this is an external data source, we need to enable the connection.

By: Rob Fisch | Updated: 2010-04-14


I find it easier to analyze data using Excel. Is there a way to export my SharePoint List or Library metadata?



The example below shows a SharePoint list presented in a web part zone added to a site page. For aesthetics, it is presented with a cleaner look using the 'Summary Toolbar', rather than the 'Full Toolbar'. However, to access the Excel export option, a user must open the full list. This is easy to do by clicking on the web part title, in this case 'Helpdesk Progress'.

The full list shows the full toolbar. Click the 'Actions' menu and then select 'Export to Spreadsheet'.


A prompt displays asking to 'Open' or 'Save' the export. For the purposes of this article I will save it first, but you can do either.

There is a default file name, but I change it to something more meaningful. This can be useful because the export file can be saved and reused by opening it directly in Excel rather than navigating through the SharePoint portal again.

The file is saved with the 'iqy' file extension.

When opening the file in Excel 2007, I get a security prompt, which must be enabled to use the file. (Excel 2003 also works, though there may be a different security prompt.)


Here's what the Excel export looks like:

The .iqy file is not a static file. The SharePoint data is not stored in the .iqy file. It is a 'Web Query File' and refreshes the SharePoint data every time you run it. It's a great feature, but don't forget: if you are not connected to the network (or if you don't have permissions), you won't get the data.

If you need to save a snapshot (a point in time) of the SharePoint data, you should 'Save As' an Excel Workbook (or some other static format). You would also need to 'Save As' a workbook if you were sharing information with an external user (i.e. outside the organization).

  • Save the .iqy file if you want to rerun the export with fresh data without going through the 'Export to Spreadsheet' procedure (described above).
  • 'Save As' an Excel Workbook if you need a static copy of the data. The workbook will NOT refresh with new data. Only the web query (.iqy) file can.

Document libraries can also be exported to Excel; however, the export will not contain the document. In its place a link to the document is available.


About the author

Rob Fisch has worked with SQL Server since version 6.5 as a DBA, developer, report writer and data warehouse designer.
Security researchers are warning of a new ransomware campaign using malicious IQY files to spread via phishing emails.

IQY, or Internet Query files, are simple text files read by Excel that work to download data from the web.

Researchers at Lastline observed them being weaponized in attacks designed to spread a new variant of Paradise ransomware.

“This campaign attempts to entice users into opening an IQY attachment, which reaches out and retrieves a malicious Excel formula from the attacker’s C2 server. This formula, in turn, contains a command to run a PowerShell command that will download and invoke an executable,” the vendor explained.


“Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a third-party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs.”
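Because an IQY carries nothing but the URL it will fetch, triage has to be done on that URL. The following is an added example, not code from the original articles or from Lastline: it parses the text of an .iqy file and flags any query whose host is not on an exact-match allowlist. `TRUSTED_HOSTS` and both sample files are assumptions constructed for illustration.

```python
"""Triage .iqy (Excel web query) files by the URL they would fetch."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only hosts your own SharePoint exports point at.
TRUSTED_HOSTS = {"sharepoint.corp.example"}

# Constructed samples, not taken from any real export or campaign.
SAMPLE_EXPORT = ("WEB\n1\n"
                 "https://sharepoint.corp.example/sites/helpdesk/_vti_bin/"
                 "owssvr.dll?XMLDATA=1&List={LIST-ID}&View={VIEW-ID}\n")
SAMPLE_LOOKALIKE = "WEB\n1\nhttp://sharepoint.corp.example@203.0.113.10/q.dat\n"


def parse_iqy(text):
    """Return (url, remaining_lines). The 'WEB' and version lines are optional."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if lines and lines[0].upper() == "WEB":
        lines = lines[1:]
    if lines and lines[0].isdigit():
        lines = lines[1:]
    if not lines:
        raise ValueError("no URL line in web query file")
    return lines[0], lines[1:]


def triage(text, trusted=TRUSTED_HOSTS):
    """Classify an .iqy file as 'allow' or 'review' with the reasons found."""
    url, _ = parse_iqy(text)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme")
    if parts.username is not None:
        reasons.append("userinfo in URL")  # text before '@' is not the host
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal host")
    except ValueError:
        pass  # a DNS name, which is what a normal export uses
    if host not in trusted:
        reasons.append("host not on allowlist")
    return {"url": url, "host": host,
            "verdict": "review" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_EXPORT, SAMPLE_LOOKALIKE):
        print(triage(sample))
```

The second sample shows why the host must be parsed rather than substring-matched: the trusted name appears in the URL, but only as userinfo in front of a different host.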

Paradise itself is not new; the variant has been around since 2017. However, this version contains some enhancements designed to improve its ability to evade detection by security filters.

These include use of the Salsa20 encryption algorithm, which can be implemented directly in the malware source code so that there’s no need to call out to a crypto library.

This makes it more difficult for security tools to detect, as many AV tools rely on spotting API calls to detect ransomware. It also makes it harder for analysts to understand exactly what type of encryption is being used, said Lastline.

The researchers tried to get a response from the ransomware support team but received none, indicating the campaign is not fully operational. However, they did ascertain that the ransomware will not activate if the user’s language is Russian, Kazakh, Belarusian, Ukrainian or Tatar, which may hint at its origins.


