Extracting malicious VBA

For some reason, macros and VBA still work in Microsoft documents. I understand that somewhere, someone is using these functions, but I view it much like Flash. For every one, legitimate, and good use out there, there's 99 people using it as an exploit. There's better ways to accomplish the same goal.

But that's neither here nor there. I often get samples of these documents asking if it's legitimate or not. There's three tools I use to determin this.

First up, catdoc and unoconv, because I don't like opening things like this even in open office on a linux box. Unoconv will convert any document format supported by OpenOffice to any other document format. We only need it for newer formats, such as docx, which aren't supported by catdoc.

root@kali:~# apt-get install unoconv
root@kali:~# unoconv subpoena.docx
root@kali:~# unoconv -f doc subpoena.docx

The first command, with no flags, will convert the document to a pdf, easy way to see what it actually looks like. The second will convert it to a .doc format which we can use with catdoc.

root@kali:~# apt-get install catdoc
root@kali:~# catdoc subpoena.doc


<module> </module>


Now, if you look at the screenshot of what the PDF looks like, and see the object and module strings in the document, we can realistically stop here. This is a malicious document, end of story.

Lets take it a step further though and see -what- is malicious about this.

Grab oledump from here. Its down at the bottom, just above the comments, newest version as of 22 July 2015 is 0.0.17.

So lets see what is actually contained behind the scenes.

root@kali:~/Desktop/oledump# python oledump.py subpoena.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9000 '1Table'
  5:     10754 'Data'
  6:       521 'Macros/PROJECT'
  7:        89 'Macros/PROJECTwm'
  8: M    2789 'Macros/VBA/Module4'
  9: M    3568 'Macros/VBA/Module6'
 10: M   14887 'Macros/VBA/ThisDocument'
 11:      5690 'Macros/VBA/_VBA_PROJECT'
 12:       588 'Macros/VBA/dir'
 13:      4148 'WordDocument'

The lines marked with M contain macros, so in this case, 8, 9, and 10. We can look at the contents of these macros with the -v (VBA decompression) and -s (stream) flag. "ThisDocument" is usually the one of interest.

Redirecting this to output makes it much easier to read, but I typically see obfuscated code so there isn't much of a point. In this case we have nearly 300 lines, here's the first 30ish

root@kali:~/Desktop/oledump# python oledump.py -v -s 10 subpoena.doc 
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Ajshkhdjakshajs_Open()
End Sub
Sub Nniwjdkqwhdjkqwh_Open()
End Sub
Sub Auto_Open()
End Sub
Sub qwydgqjwgdhjas()
    HQUWDHQWD = "qhwkj hjk2h1 jk21h 3jk12h jk312hk12 h3"
End Sub
Sub Hgyqwdbsnadvas()
    BHQBWD = "nqjwdh 2j1gjhg1 h1h "
End Sub

Once again, we can stop here, and in this case I'm actually going to. We can see that there is something being hidden here and I don't have the time to go trying to de-obfuscate every malicious document that comes by. It may be a good exercise for a day off though.