Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: A malicious word document with a VBA form SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A malicious word document with a VBA form

Malware authors will often hide strings (like URLs) or even a full payload as property values of VBA forms. The stream that contains this information can be easily recognized with, the name ends with /o:

I was given a sample (MD5 1b0fbd5e0af361058a8115b941232e34) where such a stream is particularly large. Looking into the stream (index 15), we see an hexadecimal string starting with 4d5a. That's MZ in ASCII, and most likely a Windows executable.

Sometimes analyzing malicious documents can be rather easy: without looking at the VBA macro code of this sample, you can quickly find the embedded payload. This embedded payload can be easily extracted with

This gives us the MD5 hash of the payload, which can also be found on VirusTotal 5ec10cfc4b29356d1bac2391e596f15f.

This malware was written in Visual Basic 6:

It's always worth to take a quick look at malicious documents with or, sometimes you can get lucky and find the payload without looking at the macros.

There are also several plugins for oledump, that help you automate parts of your analysis. plugin plugin_stream_o is a plugin I created for forms to extract property values:

Didier Stevens
Microsoft MVP Consumer Security


492 Posts
ISC Handler
Apr 16th 2018

Sign Up for Free or Log In to start participating in the conversation!