SANS ISC: A malicious word document with a VBA form - SANS Internet Storm Center


A malicious word document with a VBA form

Malware authors will often hide strings (like URLs) or even a full payload as property values of VBA forms. The stream that contains this information can be easily recognized with oledump.py, the name ends with /o:

I was given a sample (MD5 1b0fbd5e0af361058a8115b941232e34) where such a stream is particularly large. Looking into the stream (index 15), we see a hexadecimal string starting with 4d5a. That's MZ in ASCII, and most likely a Windows executable.

Sometimes analyzing malicious documents can be rather easy: without looking at the VBA macro code of this sample, you can quickly find the embedded payload. This embedded payload can be easily extracted with base64dump.py:

This gives us the MD5 hash of the payload, which can also be found on VirusTotal 5ec10cfc4b29356d1bac2391e596f15f.
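The hex-to-payload step described above, as an added Python example that is not part of this diary or of the oledump.py/base64dump.py tools: it scans a raw stream for long hexadecimal runs, decodes each one, flags those that start with MZ and reports the MD5 of the decoded data. The stream bytes below are constructed for the example; in practice the input would be the /o form stream dumped with oledump.py.

```python
import hashlib
import re

# Runs of at least 16 hex byte-pairs; shorter runs are usually noise (GUIDs, sizes).
HEX_RUN = re.compile(rb'(?:[0-9a-fA-F]{2}){16,}')


def find_hex_payloads(stream, min_len=32):
    """Return decoded hex runs found in a raw OLE stream (e.g. a VBA form '/o' stream).

    Each hit records where the run sits, its sizes, whether the decoded data
    starts with the PE 'MZ' signature, and the MD5 of the decoded data so it
    can be looked up on VirusTotal without writing the payload to disk.
    """
    hits = []
    for m in HEX_RUN.finditer(stream):
        run = m.group(0)
        if len(run) < min_len:
            continue
        data = bytes.fromhex(run.decode('ascii'))
        hits.append({
            'offset': m.start(),
            'encoded_len': len(run),
            'decoded_len': len(data),
            'is_mz': data[:2] == b'MZ',
            'md5': hashlib.md5(data).hexdigest(),
        })
    return hits


# Constructed sample: a fake form property stream holding a hex-encoded stub
# that begins with the MZ header, surrounded by property-name-like bytes.
FAKE_PE = (b'MZ' + b'\x90\x00\x03\x00\x00\x00\x04\x00'
           + b'This program cannot be run in DOS mode.')
SAMPLE_STREAM = (b'\x00\x04\x00\x00' + b'TextBox1' + b'\x00\x00'
                 + FAKE_PE.hex().encode('ascii') + b'\x00\x00Label1')

if __name__ == '__main__':
    for hit in find_hex_payloads(SAMPLE_STREAM):
        print(hit)
```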

This malware was written in Visual Basic 6:

It's always worth taking a quick look at malicious documents with oledump.py or olevba.py; sometimes you get lucky and find the payload without looking at the macros.

There are also several plugins for oledump that help you automate parts of your analysis. plugin_stream_o is a plugin I created to extract property values from forms:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
