Made by Na3em
Contents
Scenario
Malicious VBA Macro in Word Document
Start Analyzing the Word File
   File Type Identification
   Tool: oleid
   Tool: olemeta
   Tool: olemap
   Tool: olevba
   Oledump.py
Scenario
While working as a SOC analyst, you may encounter alerts from the enterprise Endpoint
Detection and Response (EDR) system regarding unusual activity on an end-user machine.
In one instance, a user reported receiving an email containing a DOC file from an unknown
sender. The user subsequently submitted the document for analysis to ensure it does not
pose a security risk.
Malicious VBA Macro in Word Document
This VBA macro, embedded in a Word document, is designed to extract, decode, and
execute a malicious JavaScript payload. The key steps in its operation are:
   1. Auto-Execution:
          o   The macro triggers automatically via AutoOpen() (on document open) and
              AutoClose() (on document close).
   2. Payload Extraction & Decryption:
          o   It reads the Word document's binary content and searches for an
              embedded hidden payload using a regex pattern.
          o   If found, it extracts a 16KB payload and XOR-decrypts it with a simple key.
   3. Malware Dropper Behavior:
          o   The decrypted payload is saved as "maintools.js" in
              %APPDATA%\Microsoft\Windows.
          o   The script then executes the JavaScript file using WScript, likely to
              download or run further malware.
   4. Cleanup & Persistence:
          o   The macro attempts to delete traces of execution (Kill OBKHLrC3vEDjVL).
          o   It ensures the document remains saved to avoid suspicion.
Indicators of Malicious Intent:
   •   Auto-execution with AutoOpen() and AutoClose()
   •   Obfuscation through random variable names
   •   XOR-based decryption for hidden payloads
   •   Writes and executes an external JavaScript file
Conclusion: This is a malicious VBA macro that acts as a dropper for executing
additional payloads, likely part of a macro-based malware campaign (e.g., Emotet,
TrickBot, or other loaders). Disabling macros is recommended to prevent infection.
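To make the indicator list above concrete, here is an added example (not code from this report or from oletools) that does two things an analyst would do after olevba has extracted the macro source: flag the dropper traits listed above in a VBA source string, and recover a single-byte XOR-encoded payload carved out of the document without running the macro. The VBA fragment, the XOR key 0x5A and the payload text are constructed for the example; the keyword patterns and crib words are assumptions about typical dropper macros, not the real sample.

```python
import re

# Static triage heuristics mirroring the indicators listed above (added example,
# not oletools code). The patterns are assumptions about typical dropper VBA.
INDICATORS = {
    "auto-exec (AutoOpen/AutoClose)": r"\bSub\s+(AutoOpen|AutoClose|Document_Open)\b",
    "XOR decode loop": r"\bXor\b",
    "binary read of own document": r"\bOpen\b[^\n]*\bFor\s+Binary\b",
    "drops a .js file": r"\.js\b",
    "executes via WScript/Shell": r"WScript\.Shell|\bShell\s*\(",
    "deletes artefacts (Kill)": r"\bKill\b",
}
# Identifier of 10+ chars mixing upper case, lower case and digits: crude "random name" check.
RANDOM_NAME = re.compile(
    r"\b(?=[A-Za-z0-9_]*\d)(?=[A-Za-z0-9_]*[a-z])(?=[A-Za-z0-9_]*[A-Z])[A-Za-z_][A-Za-z0-9_]{9,}\b")

def triage_vba(src):
    """Return the names of the indicators found in a VBA source string."""
    hits = [name for name, rx in INDICATORS.items() if re.search(rx, src, re.I)]
    if RANDOM_NAME.search(src):
        hits.append("obfuscated identifiers")
    return hits

# Tokens a dropped .js file is expected to contain (crib words, an assumption).
CRIBS = (b"WScript", b"function", b"var ", b"ActiveXObject", b"eval(")

def xor_recover(blob):
    """Brute-force a single-byte XOR key. Candidates are ranked by printable ratio
    plus crib hits, so near-miss keys (e.g. key ^ 0x03, which keeps letters as
    letters) lose to the real key. Returns (key, text) or None."""
    best = None
    for key in range(256):
        out = bytes(b ^ key for b in blob)
        printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in out) / len(out)
        score = printable + sum(crib in out for crib in CRIBS)
        if best is None or score > best[0]:
            best = (score, key, out)
    return (best[1], best[2].decode("ascii", "replace")) if best[0] >= 0.9 else None

# Constructed VBA fragment shaped like the dropper described above (not the real macro).
SAMPLE_VBA = '''Sub AutoOpen()
    Dim OBKHLrC3vEDjVL As String
    OBKHLrC3vEDjVL = Environ("APPDATA") & "\\Microsoft\\Windows\\maintools.js"
    Open ActiveDocument.FullName For Binary As #1
    For i = 1 To 16384: d = d & Chr(Asc(Mid(buf, i, 1)) Xor 7): Next
    CreateObject("WScript.Shell").Run OBKHLrC3vEDjVL
    Kill OBKHLrC3vEDjVL
End Sub'''

KEY = 0x5A  # constructed key; the real sample's key is not known from this report
PAYLOAD = b'// constructed placeholder\nWScript.Echo("maintools.js placeholder 2024");\n'
BLOB = bytes(c ^ KEY for c in PAYLOAD)  # stands in for the bytes carved from the .doc
```

Running `triage_vba(SAMPLE_VBA)` lists all seven indicators, and `xor_recover(BLOB)` returns key 0x5A with the placeholder script, which is the point at which the dropped file can be examined statically.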
Start Analyzing the Word File
File Type Identification
We will use the file identification tool trid to confirm the file type. Its output confirms that
the file is indeed a Word document.
Tool: oleid
Oleid is used to extract basic information about the document to get a better
understanding of its structure, as shown below:
   •   It is not encrypted
   •   It does contain VBA macros
   •   It is a Word document
Tool: olemeta
Olemeta is used to extract the document's property (metadata) streams.
Key information from its output includes:
   •   When the document was created and last saved.
   •   The author's name.
Tool: olemap
Olemap displays the layout of the file's sectors, as shown below:
Tool: olevba
This is an important and widely used analysis tool. Olevba extracts all the VBA objects
it finds within the file and also summarises the suspicious elements it finds, as
shown below:
Oledump.py
Oledump can be used to check whether any macros are embedded in the document
streams. The letter M or m is shown next to an object stream to indicate that the
stream contains a macro, which then needs to be examined.