Last Updated: 2018-04-16 21:29:42 UTC
by Didier Stevens (Version: 1)
Malware authors will often hide strings (like URLs) or even a full payload as property values of VBA forms. The stream that contains this information can be easily recognized with oledump.py: its name ends with /o:
I was given a sample (MD5 1b0fbd5e0af361058a8115b941232e34) where such a stream is particularly large. Looking into the stream (index 15), we see a hexadecimal string starting with 4d5a. That's MZ in ASCII, and most likely a Windows executable.
Sometimes analyzing malicious documents can be rather easy: without looking at the VBA macro code of this sample, you can quickly find the embedded payload. This embedded payload can be easily extracted with base64dump.py:
This gives us the MD5 hash of the payload, 5ec10cfc4b29356d1bac2391e596f15f, which can also be found on VirusTotal.
This malware was written in Visual Basic 6:
There are also several plugins for oledump that help you automate parts of your analysis. plugin_stream_o is a plugin I created to extract property values from forms: