I often write posts and make videos on malicious document analysis, that I post here and on my blog.
.docm files created with this module embed a payload (a Windows executable) as a BASE64 encoded property of the Word document. So it is rather easy to extract the payload: just extract the BASE64 code from the XML file and decode it.
Detecting these documents is not that difficult: this Metasploit module always uses the same VBA code. The ole file that contains the macros, vbaProject.bin, is not modified when it is embedded in a .docx file to create a .docm file.
So it's always the same file, and that makes it detectable. If you are interested, I have YARA rules and ClamAV signatures here.
Of course, these signatures will work with the current version of the Metasploit module, there is no guarantee for future versions.
Nov 6th 2017
2 months ago