Experience Level required: beginner
In this blog we will Learn how to analyze MS Office Macro enabled Documents.
Let’s see the sample in Virus Total
37 of 63 security vendors detected this file as malicious.
Let’s open the file.
It uses a social engineering technique to persuade the user to enable the macros that lead to the infection of the user.
Let’s see the macro code of the sample, I’ll use olevba
It has many suspicious functions, It also has base64 strings
Let’s dump the macro code to a file to see it better
Let’s view the dumped file with notepad ++ (you can view it with any text editor software)
This function concatenates two strings, then reverses the result string and assigns it to Prefix3.
I’ll use this python script to reverse the string
Prefix3 =
Let’s go to the next function
The function concatenates 8 base64 encoded strings and assigns it to Prefix2.
I’ll use cyberchef to decode the strings
Prefix2 =
Let’s go to the next function
It concatenates strings
Prefix1 =
Let’s go to the last function
It concatenates Prefix1, Prefix3 and Prefix2 and print the result in a .bat file named “Bixkcozkkemqyslgmpvwuri.bat” then it runs the file
The resulted .bat file will be:
This script runs powershell script to download file from “hxxps[://]www[.]qqqformula[.]co[.]za/works/RICH[.]pif” to the current user’s AppData directory with name “Ktaqftbffhqhoxzyblssi.exe” and executes it.
32 of 60 security vendors detected this file as malicious.
Let’s open the sample
It also employs a social engineering technique to convince the user to enable macros, which then leads to the user being infected.
Let’s see its macro code
It uses wscript language and base64 encoding
Let’s dump it to file
Let’s try to decode this strings
This powershell script is downloading a file from “hxxp[://]suyashcollegeofnursing[.]com” to temp directory with name “jfcbvept.exe” then it starts it
CreateObject(“Wscript.Shell”) return is assigned to zKShMevSa
So zKShMevSa acts like Wscript.Shell and zKShMevSa.Run = Wscript.Shell.Run.
It’s clear now Wscript.Shell.Run executes the powershell script that downloads the malware from “hxxp[://]suyashcollegeofnursing[.]com” to temp directory with name “jfcbvept.exe” then it executes it.
This blog is authored by Mostafa Farghaly(M4lcode).
Source: https://blog.cyber5w.com/Analyzing-Macro-Enabled-Office-Documents.html