In this how-to we will go through the steps to create a macro-embedded Word document, extract the files, and then analyze them for malicious content. In the wild, this is a common way to distribute malware.
To start we will create an embedded macro that will run when the document is opened and download an image from the Internet.
Create a new Word document
Alt + F11 to open the VBA editor
Copy and paste the below code substituting the URL to your image or file and your local path.
Sub Document_Open()
Dim myURL As String
myURL = “<Full URL to your image or file>”Dim WinHttpReq As Object
Set WinHttpReq = CreateObject(“Microsoft.XMLHTTP”)
WinHttpReq.Open “GET”, myURL
WinHttpReq.sendIf WinHttpReq.Status = 200 Then
Set oStream = CreateObject(“ADODB.Stream”)
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
oStream.SaveToFile “C:\<Complete path>\logo.png”, 2 ‘ 1 = no overwrite, 2 = overwrite
oStream.Close
End IfEnd Sub
Save the file as a macro enabled document (.docm)
To extract the individual files that make up an Office document, like the xml and bin files, simply rename your file extension to .zip and then extract the files with your favorite archive utility.
You should see something similar to this:
The docProps folder has some interesting files that contain valuable info when analyzing potentially harmful files, especially the app.xml file. It contains things such as the total editing time, pages, words, characters, etc. A large file with very little content should be examined carefully.
We are after the vbaProject.bin file, which is located in the word folder. This file contains the vba code that is our macro. To view the content of the bin file and analyze it, we need to use a tool such as olevba which is part of oletools.
I am using REMnux in a locked down VM to analyze the file. Running olevba.py -c vbaProject.bin, you can see that olevba easily extracted and showed us the embedded vba code.
Further analysis of the bin file using olevba.py -a vbaProject.bin shows us that it has correctly identified the suspicious content.
Typically the macro code is heavily obfuscated and must be further analyzed to determine the full extent of the code and what it is doing.
Hopefully this quick intro to extracting and analyzing embedded Word macros with oletools helped. If you have any questions or comments please ask.