Eddie Morra
Thread author
Hiya
I noticed that there isn't a discussion thread for malware analysis on Office VBA macros yet... maybe it is time we started one. It could be really helpful to other members of the community if people contribute to this discussion because malicious Microsoft Office documents are incredibly prevalent in the wild (one of the most loved deployment methods by malware spreaders in the current era we live in) and most of the time, it's going to be a malicious macro script instead of an RCE vulnerability being used to gain code execution on the machine.
I'll start us off with one dynamic tip...
1. Start the Microsoft Office software the malicious document is for (e.g. msword.exe).
2. Breakpoint on / use API monitoring on NtCreateProcess (NTDLL), NtCreateProcessEx (NTDLL) and NtCreateUserProcess (NTDLL).
3. If the malicious macro script attempts to spawn a process, your breakpoint/API monitoring hook will be triggered.
You can then check the arguments for the API call to determine the image file name of the target to be executed (as well as command-line information).
This trick can be helpful to dynamically analyse whether the script has dropped any PEs to disk and is trying to initiate usage of them (e.g. rundll32.exe to work a dropped DLL, spawn a new process for a dropped executable, etc.) or is trying to move to another script interpreter like PowerShell.exe.
This thread doesn't need to be a full-on analysis discussion, but it could be used to exchange quick tips which will help others when analysing Microsoft Office documents. I'm sure other members like @Andy Ful will have some tips to share when it comes to deobfuscation of scripts!
Ciao
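As an added example (not part of the original post, and not a tool the author mentions), here is one way to automate steps 2 and 3 above with the Frida instrumentation framework from Python: attach to the running Office process, hook ntdll!NtCreateUserProcess, read ImagePathName and CommandLine out of the RTL_USER_PROCESS_PARAMETERS argument before the child is created, and triage each spawn as a script interpreter, a LOLBin such as rundll32.exe, or a PE started from a user-writable directory. Assumptions: Frida's Python bindings are installed and the Frida version exposes `Process.getModuleByName(...).getExportByName(...)`; the Word process is named WINWORD.EXE; the interpreter/LOLBin lists, the user-writable path markers and the flag names are my own constructed triage heuristics, not a standard. Only NtCreateUserProcess is hooked because on current Windows the CreateProcess* family goes through it; NtCreateProcess/NtCreateProcessEx take a section handle rather than process parameters, so there is no image path string to read at that call.

```python
"""Hook NtCreateUserProcess in a running Office process and triage every spawn.
Added example; requires the Frida Python bindings (pip install frida) on Windows."""
import sys

try:
    import frida  # optional at import time so the classifier can be used offline
except ImportError:  # pragma: no cover
    frida = None

# Constructed triage lists (assumption): what a macro usually pivots to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Frida JS injected into the Office process. Offsets are the documented x64/x86
# layouts of RTL_USER_PROCESS_PARAMETERS (ImagePathName 0x60/0x38, CommandLine 0x70/0x40)
# and of UNICODE_STRING (Length at 0, Buffer at 8/4).
HOOK_SCRIPT = r"""
'use strict';
var is64 = Process.pointerSize === 8;
var OFF_IMAGE = is64 ? 0x60 : 0x38, OFF_CMDLINE = is64 ? 0x70 : 0x40, OFF_BUFFER = is64 ? 8 : 4;

function readUnicodeString(p) {
  if (p.isNull()) return '';
  var length = p.readU16();                      // UNICODE_STRING.Length is in bytes
  var buffer = p.add(OFF_BUFFER).readPointer();  // UNICODE_STRING.Buffer (PWSTR)
  if (buffer.isNull() || length === 0) return '';
  return buffer.readUtf16String(length / 2);     // readUtf16String takes UTF-16 code units
}

var ntdll = Process.getModuleByName('ntdll.dll');
Interceptor.attach(ntdll.getExportByName('NtCreateUserProcess'), {
  onEnter: function (args) {
    var params = args[8];  // 9th parameter: PRTL_USER_PROCESS_PARAMETERS ProcessParameters
    this.info = { image: readUnicodeString(params.add(OFF_IMAGE)),
                  cmdline: readUnicodeString(params.add(OFF_CMDLINE)),
                  tid: this.threadId };
  },
  onLeave: function (retval) {
    this.info.status = retval.toInt32();  // NTSTATUS, 0 == STATUS_SUCCESS
    send(this.info);
  }
});
"""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_spawn(image_path, command_line):
    """Return a triage verdict for one NtCreateUserProcess call (heuristic, constructed)."""
    name = _basename(image_path)
    low_cmd = command_line.lower()
    if name in SCRIPT_HOSTS:
        category = "script-interpreter"
    elif name in LOLBINS:
        category = "lolbin"
    elif any(marker in image_path.lower() for marker in USER_WRITABLE):
        category = "dropped-pe"  # a PE started from a location a macro can write to
    else:
        category = "other"
    flags = []
    if any(marker in low_cmd for marker in USER_WRITABLE):
        flags.append("user-writable-path-in-cmdline")  # e.g. rundll32 loading a dropped DLL
    if name in ("powershell.exe", "pwsh.exe") and any(t in low_cmd for t in (" -e ", " -enc", " -encodedcommand")):
        flags.append("encoded-command")
    if " -w hidden" in low_cmd or "windowstyle hidden" in low_cmd:
        flags.append("hidden-window")
    return {"image": name, "category": category, "flags": flags}


def on_message(message, data):
    """Frida callback: print and classify each spawn reported by the hook."""
    if message.get("type") != "send":
        print("[!] script error:", message)
        return
    p = message["payload"]
    verdict = classify_spawn(p["image"], p["cmdline"])
    status = p["status"] & 0xFFFFFFFF
    print(f"[+] tid={p['tid']} status=0x{status:08x} {verdict['category']}: {p['image']}")
    print(f"    cmdline: {p['cmdline']}")
    if verdict["flags"]:
        print(f"    flags:   {', '.join(verdict['flags'])}")


def main(target="WINWORD.EXE"):
    if frida is None:
        sys.exit("frida is not installed: pip install frida")
    session = frida.attach(target)  # attach to the already running Office process
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", on_message)
    script.load()
    print(f"[*] hooked NtCreateUserProcess in {target}; enable the macro now, Ctrl-C to stop")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    session.detach()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "WINWORD.EXE")
```

Run it as `python hook_office.py WINWORD.EXE` after the document is open but before clicking "Enable Content"; the verdict is computed from the arguments of the call itself, so you see the target image and command line even if the child is later killed or never starts. The classifier is deliberately separate from the hook so the same logic can be applied to a command-line dump from x64dbg or API Monitor.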