Video: Strings Analysis: VBA & Excel4 Maldoc
I did record a video for my diary entry "Strings Analysis: VBA & Excel4 Maldoc", showing how to use CyberChef to analyze a maldoc.
If you are intested in CyberChef, I have more CyberChefs videos here.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
Strings Analysis: VBA & Excel4 Maldoc
Malware analysis is difficult.
But there is one method that everybody can follow, even without command-line skills: strings analysis.
This method consists of running a tool on a binary file, like a maldoc, to extract all plaintext strings. There are command-line tools to do this, and even GUI tools.
Of course, there are many ways to make strings analysis impossible, by making the plaintext strings unreadable. Simple file compression is an example.
Xavier's diary entry "Excel Recipe: Some VBA Code with a Touch of Excel4 Macro" malicious document uses a sophisticated method: it combines VBA and Excel 4 macros to download Qakbot. Despite this complexity, strings analysis can be performed on this maldoc to find the URLs.
I found a similar maldoc on VirusTotal (it's also on Malware Bazaar).
For this diary entry, I will analyze this maldoc with CyberChef:
First step: I add the maldoc as input:
Second step: I search for the strings operation:
Third step: I add the strings operation to the recipe:
If I browse through the output, I will find the URLs. But I want to automate that too.
Fourth step: I search for the regex operation:
Last step: I add the regex operation to the recipe, and configure it to use the buildtin URL regex and output matches only:
Now, these URLs are actually incomplete. The maldoc's script will add a path to these URLs that is a timestamp terminated with ".dat".
But despite that, the IPv4 addresses we found here, are good IOCs to get started.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
If you have more information or corrections regarding our diary, please share.
Recent Diaries
Keep an Eye on Your Users Mobile Devices (Simple Inventory)
Sep 24th 2021
1 day ago by Xme (0 comments)
Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
Sep 23rd 2021
2 days ago by Xme (0 comments)
An XML-Obfuscated Office Document (CVE-2021-40444)
Sep 22nd 2021
3 days ago by DidierStevens (0 comments)
A First Look at Apple's iOS 15 "Private Relay" feature.
Sep 21st 2021
4 days ago by Johannes (0 comments)
#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.
Sep 20th 2021
5 days ago by Johannes (0 comments)
Video: Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 19th 2021
6 days ago by DidierStevens (0 comments)
Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 18th 2021
6 days ago by DidierStevens (0 comments)
Latest Discussions
Dshield Sensor
created Jun 8th 2021
3 months ago by Rick (0 replies)
API port data
created Apr 25th 2021
5 months ago by JJ (1 reply)
RSS feed containing non-XML compatible characters
created Apr 14th 2021
5 months ago by Anonymous (1 reply)
Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
6 months ago by bas.auer@auerplace.nl (0 replies)
port_scan issue in Snort3
created Feb 23rd 2021
7 months ago by astraea (0 replies)
Latest News
Top Diaries
"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
2 months ago by Johannes (0 comments)
Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 months ago by Johannes (0 comments)
DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
2 months ago by DidierStevens (0 comments)
Maldocs: Protection Passwords
Feb 28th 2021
6 months ago by DidierStevens (0 comments)
An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)
https://www.sans.edu
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Make the web a better place by sharing the SANS Internet Storm Center with others
