Also, the malware authors use various approaches to avoid the insertion of useful information inside the macro source code. A recent article describe some of these techniques.
So I decided to spend some hours and create a program that allows you to:
- Automatically dump all executed macros
- Automatically dump all the strings instantiated during the macro execution
- Automatically dump all the executable dropped by the macro (by string content inspection)
Dump all execute macros
In order to accomplish this task, I had to find the point where the macro source code is read in order to be parsed and executed. After spending some time reversing the VBE7 library I found what seems to be a good point to read the source code:E8 30070000 CALL 7024428B 8BF0 MOV ESI,EAX 81FE C4880A80 CMP ESI,800A88C4 0F84 CD000000 JE 70243C36 81FE 0D9D0A80 CMP ESI,800A9D0D
After the execution of the CALL instruction we have EDX register points to the line of macro source code just read. We have then a good point to intercept the source of the executed macro.
Dump all instantiated strings
To fulfill this point it was necessary to dig a little bit in the OLE Automation concept. After reading a bit more about the OLE Automation I understood that if I was able to dump all the created BSTR objects I have a good amount of information about the inner working of the executed macro. The BSTR string are managed through various functions, one of the most interested one is the SysFreeString method. By intercepting this method I was able to get all the freed strings created during the macro execution.Finally, by inspecting the content of the dumped strings I can recognized what could be a valid PE file.
Test on real word malicious documents
In order to intercept the interested code I used the WinAppDbg python module. MacroInspector is very easy to use, just run the python program and open the malicious WORD document. The MacroInspector will loop forever until a new WINWORD process is found.For all my test I used MS Office 2013, it could happen that for different office version the code to read the macro source may change and then the program it is not able to set the breakpoint.
I decided to try the program with some of the malicious files presented in the Virus Bulletin article. For each sample I executed the macro_inspector program, opened the malicious document, enabled the macro and then closed the document (this last step ensure that events associated with closing action are executed).
Evading macro code extraction I
Hash: 7888b523f6b8a42c8bfad0a2fd02ba6e7837299fbc3d6a2da6bea20f302691f7
By extracting the macros from this document we can notice that no useful information are retrieved. But if we take a look at the dumped strings we can easily identify the following useful information:
String: http:/ String: http:// String: http://w String: http://ww String: http://www String: http://www. String: http://www.s String: http://www.st String: http://www.stu String: http://www.stud String: http://www.studi String: http://www.studio String: http://www.studiop String: http://www.studiopa String: http://www.studiopan String: http://www.studiopane String: http://www.studiopanel String: http://www.studiopanell String: http://www.studiopanella String: http://www.studiopanella. String: http://www.studiopanella.i String: http://www.studiopanella.it String: http://www.studiopanella.it/ String: http://www.studiopanella.it/9 String: http://www.studiopanella.it/9u String: http://www.studiopanella.it/9uh String: http://www.studiopanella.it/9uh8 String: http://www.studiopanella.it/9uh87 String: http://www.studiopanella.it/9uh87g String: http://www.studiopanella.it/9uh87g7 String: http://www.studiopanella.it/9uh87g75 String: http://www.studiopanella.it/9uh87g756from this log it is pretty clear that the macro is trying to decrypt an url.
Evading macro code extraction - II
Hash: e812350f2f84d1b7f211a1778073e14ae52bc3bded8aeac536170361a608f8fa
Even in this case as in the previous one no useful information are contained in the dumped macro source code. But again, if we take a look at the list of extracted strings we can identify very useful information like the following powershell command:
powershell.exe -NoP -sta -NonI -W Hidden -Enc JABXAEMAPQBOAGUAdwAtAE8AQgBKAGUAQwB0ACAAUwBZAFMAVABlAG0ALgBO...
Evading payload magic signature check & Certutil abuse
Hash: 562994fcbece64bd617e200485eeaa6d43e5300780205e72d931ff3e8ccb17aa
Same story as the previous one :) This time the macro tries to execute a shell command after decrypting its value as showed in the following log excerpt:
String: cmd /c certut String: cmd /c certutil -decode %TM String: cmd /c certutil -decode %TMP%\\panda.pf String: cmd /c certutil -decode %TMP%\\panda.pfx %TM String: cmd /c certutil -decode %TMP%\\panda.pfx %TMP%\\panda.ex String: cmd /c certutil -decode %TMP%\\panda.pfx %TMP%\\panda.exe & star String: cmd /c certutil -decode %TMP%\\panda.pfx %TMP%\\panda.exe & start %TM String: cmd /c certutil -decode %TMP%\\panda.pfx %TMP%\\panda.exe & start %TMP%\panda.ex String: cmd /c certutil -decode %TMP%\\panda.pfx %TMP%\\panda.exe & start %TMP%\panda.exein the log we can also see a base64 string, that after being decoded present the well know MZ magic value as the first two bytes:
String: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAFBFAABMARAAVwEBAA...
Conclusion
The Macro Inspector is a simple but very useful tool that can really speed up the analysis of Word Document, it is still in its first version, and there is a lot of space for improvement, but I hope that you can find it helpful :)References
- The Journey of Evasion Enters Behavioural Phase - https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/
- WinAppDbg - http://winappdbg.sourceforge.net/
- OLE Automation - https://msdn.microsoft.com/en-us/library/dt80be78.aspx