Last Updated: 2017-11-06 22:42:32 UTC
by Didier Stevens (Version: 1)
I often write posts and make videos on malicious document analysis, which I publish here and on my blog.
.docm files created with this module embed a payload (a Windows executable) as a BASE64-encoded property of the Word document. So extracting the payload is rather easy: a .docm is a ZIP archive of XML parts, so you pull the BASE64 string out of the XML part that holds the property and decode it.
Detecting these documents is not difficult either: this Metasploit module always uses the same VBA code. The OLE file that contains the macros, vbaProject.bin, is not modified when it is embedded in the .docx file to create the .docm file.
So it is always the same file, byte for byte, and that makes it detectable by hash or signature. If you are interested, I have YARA rules and ClamAV signatures here.
Of course, these signatures work against the current version of the Metasploit module; there is no guarantee they will match future versions.
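To make both steps concrete, the following Python script is an added example written for this note; it is not Didier's tool, nor code from the Metasploit module. It builds a small constructed .docm-like ZIP in memory (a stand-in "executable" that only needs a valid MZ header, and a fixed stand-in for vbaProject.bin; neither is a real artefact), then (1) extracts the payload by scanning every XML part for long BASE64 runs that decode to something starting with MZ, and (2) detects the document by hashing word/vbaProject.bin against a blocklist. The property part name docProps/custom.xml and the blocklist contents are assumptions for the example; the extractor does not depend on the part name and the same caveat as above applies: a hash of vbaProject.bin only matches the module version it was taken from.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed sample data (not real Metasploit artefacts): a stand-in "executable"
# that only needs the MZ header, and a stand-in vbaProject.bin that starts with
# the OLE compound-file magic bytes.
FAKE_EXE = b"MZ" + bytes(range(256)) * 4
FAKE_VBAPROJECT = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 504

# Assumption: the base64 payload lives in a document-property XML part. This part
# name is a guess for the example; extract_payloads() scans every XML part anyway.
PROPERTY_PART = "docProps/custom.xml"


def build_sample_docm(malicious: bool = True) -> bytes:
    """Build a minimal .docm-like ZIP in memory. With malicious=True it carries the
    stand-in macro container and a base64 payload property; otherwise it is clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if malicious:
            z.writestr("word/vbaProject.bin", FAKE_VBAPROJECT)
            b64 = base64.b64encode(FAKE_EXE).decode("ascii")
            z.writestr(
                PROPERTY_PART,
                '<Properties><property name="p"><vt:lpwstr>'
                + b64 + "</vt:lpwstr></property></Properties>",
            )
    return buf.getvalue()


# A run of base64 characters long enough to be a file rather than a GUID or hash.
# A real Windows executable is at least a few KB, so 200 characters is conservative.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def extract_payloads(docm: bytes):
    """Return [(part_name, decoded_bytes)] for every base64 run inside an XML part
    that decodes to data starting with the PE 'MZ' header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".xml"):
                continue
            for m in B64_RUN.finditer(z.read(name)):
                try:
                    blob = base64.b64decode(m.group(0), validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                if blob.startswith(b"MZ"):
                    found.append((name, blob))
    return found


def vbaproject_sha256(docm: bytes):
    """SHA-256 of word/vbaProject.bin, or None if the document has no macro container."""
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        for name in z.namelist():
            if name.lower() == "word/vbaproject.bin":
                return hashlib.sha256(z.read(name)).hexdigest()
    return None


# Hypothetical blocklist. In practice it would hold the hash of the module's actual
# vbaProject.bin; here it holds the hash of the constructed stand-in.
KNOWN_BAD_VBAPROJECT = {hashlib.sha256(FAKE_VBAPROJECT).hexdigest()}


def is_known_macro_container(docm: bytes) -> bool:
    """True if the document's vbaProject.bin matches a known generator's container."""
    digest = vbaproject_sha256(docm)
    return digest is not None and digest in KNOWN_BAD_VBAPROJECT


if __name__ == "__main__":
    sample = build_sample_docm()
    for part, blob in extract_payloads(sample):
        print(f"{part}: {len(blob)} bytes with MZ header, "
              f"sha256 {hashlib.sha256(blob).hexdigest()}")
    print("vbaProject.bin sha256:", vbaproject_sha256(sample))
    print("known macro container:", is_known_macro_container(sample))
```

To run the same checks against a real file, read its bytes with `open(path, "rb").read()` and pass them to `extract_payloads()` and `is_known_macro_container()`; both only need the bytes of the ZIP. The MZ check is what keeps the extractor quiet on legitimate long BASE64 strings, and the hash check is deliberately exact: the moment a new module version changes a single byte of vbaProject.bin, the blocklist entry stops matching and has to be refreshed, which is exactly the caveat above.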