Metasploit's Maldoc

I often write posts and make videos on malicious document analysis, that I post here and on my blog.

Here is another video on malicious Office document analysis (a .docm file), but with a twist: this maldoc was created with Metasploit module office_word_macro.

.docm files created with this module embed a payload (a Windows executable) as a BASE64-encoded property of the Word document. So it is rather easy to extract the payload: just extract the BASE64 string from the XML file and decode it.

Detecting these documents is not that difficult: this Metasploit module always uses the same VBA code. The OLE file that contains the macros, vbaProject.bin, is not modified when it is embedded in a .docx file to create a .docm file.

So it's always the same file, and that makes it detectable. If you are interested, I have YARA rules and ClamAV signatures here.

Of course, these signatures work with the current version of the Metasploit module; there is no guarantee they will match future versions.
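To illustrate both points above (pulling the BASE64-encoded payload out of the document XML, and recognising the document by the unmodified vbaProject.bin), here is an added Python example; it is not code from the diary or from Metasploit. It builds a constructed .docm-like container in memory, so it runs offline: the "payload" is a fake MZ stub, the vbaProject.bin is a stand-in blob, and the payload is placed in docProps/custom.xml, which is an assumption, since the post does not say which XML part the module writes the property to. For that reason the extractor scans every XML part for long BASE64 runs and keeps whatever decodes to something starting with the MZ signature, and the "known bad" hash set is seeded with the hash of the constructed stand-in, not the real module's file.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

# Constructed stand-ins (not real malware): a fake PE stub and a fake OLE container.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a PE file, not real code."
FAKE_VBAPROJECT = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
                   + b"constructed vbaProject.bin stand-in")

# Long runs of BASE64 alphabet characters, optionally padded; 64 chars is an
# arbitrary floor that skips short XML attribute values.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_sample_docm() -> bytes:
    """Build a minimal OOXML zip in memory with the payload in a custom property.

    The part name (docProps/custom.xml) and property name are assumptions made
    for this sample; the diary only states the payload is a BASE64 property.
    """
    b64 = base64.b64encode(FAKE_PAYLOAD).decode()
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Comments">'
        f'<vt:lpwstr>{b64}</vt:lpwstr></property></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", FAKE_VBAPROJECT)
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def extract_base64_payloads(docm_bytes: bytes):
    """Return [(part_name, decoded_bytes)] for every BASE64 run in an XML part
    that decodes to data beginning with the 'MZ' executable signature."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = zf.read(name)
            for m in B64_RUN.finditer(data):
                try:
                    blob = base64.b64decode(m.group(0), validate=True)
                except (binascii.Error, ValueError):
                    continue  # not valid BASE64 (bad length/padding); skip
                if blob[:2] == b"MZ":
                    found.append((name, blob))
    return found


def vbaproject_sha256(docm_bytes: bytes):
    """SHA-256 of the embedded vbaProject.bin, or None if the document has no macros."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return hashlib.sha256(zf.read(name)).hexdigest()
    return None


# Because the module reuses the same vbaProject.bin, a hash of that file is a
# usable indicator. This set holds the constructed sample's hash as a
# placeholder; a real deployment would hold the hash of the module's file.
KNOWN_BAD_VBAPROJECT = {hashlib.sha256(FAKE_VBAPROJECT).hexdigest()}


def matches_known_vbaproject(docm_bytes: bytes) -> bool:
    """True when the document's vbaProject.bin hash is in the known-bad set."""
    return vbaproject_sha256(docm_bytes) in KNOWN_BAD_VBAPROJECT


if __name__ == "__main__":
    sample = build_sample_docm()
    for part, blob in extract_base64_payloads(sample):
        print(f"{part}: {len(blob)} bytes, sha256={hashlib.sha256(blob).hexdigest()}")
    print("known vbaProject.bin:", matches_known_vbaproject(sample))
```

The hash check is deliberately exact-match, which is why the diary's caveat applies: a future version of the module that changes the VBA project would produce a different vbaProject.bin and miss this indicator, while the BASE64 extraction would still work as long as the payload is stored the same way.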


Didier Stevens
Microsoft MVP Consumer Security


ISC Handler
Nov 6th 2017
