Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Tip: Quick Analysis of Office Maldoc InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tip: Quick Analysis of Office Maldoc

Published: 2016-02-21
Last Updated: 2016-02-21 18:35:27 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Have you analyzed malicious Office documents with VBA macros? Did they contain a userform? Like this (MD5 4e0c55054c4f7c32aece5cfbbea02846):

Then take a look at the content of the stream with a name that ends with /o:

You can see that it contains a URL.

Sometimes you will analyze the VBA code of malicious documents, but not find the URL. That's because the URL is stored as a property of a userform. The name of the property can be found in the stream with the name that ends with /f:

You can find this property back in the VBA code:

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Keywords: maldoc
0 comment(s)
Diary Archives