Tips for Office VBA Macro analysis

E

Eddie Morra

Thread author
So this can be prevented simply by blocking outgoing network connection in Office apps.
If Word can't order pizza, pizza will not come, right?
The macro script might not connect out at all - it really depends on the attackers motives and what they are trying to do. On the bright side, you for sure will have a backup of your data, so in that case... nothing can be done that you aren't going to be capable of undoing at ease.

Unrealistic for home users of course, but if the attacker is specifically targeting you and know your configuration, then they could surpass that network connection limitation to Microsoft Office software through RCE into other running software which isn't blocked from connecting out. Once again... unrealistic unless the attacker is resourceful and the victim is a valuable target, but possible.

Sticking to realistic and probable scenarios, the overall answer is Yes as far as I am concerned.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Some macros cannot be successfully executed in non-MS Office applications, for example, those with Word.Application or Excel.Application objects or GetObject function. Furthermore, my macros which were automatically run in MS Office, were not automatically run in LibreOffice. They can be run via: Tools >> Macros >> Execute macro ...
Yet, malicious OLE embedded in MS Office documents can be executed successfully also in LibreOffice.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
So this can be prevented simply by blocking outgoing network connection in Office apps.
If Word can't order pizza, pizza will not come, right?
Simple cradles can be stopped by disabling Internet connection to MS Office applications, interpreters, Bitsadmin.exe, etc.
But, there were malware samples in the wild which used the malware code embedded also in the document. The code can be hidden, for example, in the image to avoid AV detection.
 
Last edited:
5

509322

Thread author
Although you need to ENABLE macros, there are all kinds of ingenious social engineering tricks that will motivate the unwitting novice to click here, follow the arrow, click there...
That's what worries me.

You have to select the Enable Macros button. Don't click it ! What is so difficult about that ? There is no ingenious method to it. Either you click Enable Macros or you do not ! A child can understand.

People that get infected by malicious macros do the following:

1. seek out and click unknown stuff online
2. extract and open unknown email attachments
3. open unknown documents
4. see a bizarre, obviously frazzled, incoherent document that screams bogus, but still does as the document asks "Enable Macros"

Quite frankly, if an employee is told to never do that - but they do it anyway, then increasingly they are being fired. As well as sued in civil court for any damages. It's what employers in the U.S. are now doing. And yes, they can do it. And are doing it. People don't listen. People don't follow the rules. OK, well now there are consequences. And that is as it should be.

In this day and age, anyone working with Office and Adobe has to be aware of at least some very basic risks.
 
Last edited by a moderator:
5

509322

Thread author
Some macros cannot be successfully executed in non-MS Office applications, for example, those with Word.Application or Excel.Application objects or GetObject function. Furthermore, my macros which were automatically run in MS Office, were not automatically run in LibreOffice. They can be run via: Tools >> Macros >> Execute macro ...
Yet, malicious OLE embedded in MS Office documents can be executed successfully also in LibreOffice.

Ask 100 people and 99 will reply that any and all malicious macros will work in any document platform that supports macros.

This lack of basic understanding is a big source of needless paranoia.
 
5

509322

Thread author
So this can be prevented simply by blocking outgoing network connection in Office apps.
If Word can't order pizza, pizza will not come, right?

Blocking network activity of interpreters (or sponsors) is in no way sufficient. Heck, I can make a macro use Notepad or MSPaint to download or use something else that is entirely under the radar.

For robust security in Windows, there is no way other than to disable\block stuff for security.

I think\get the impression that you have issues with disabling processes ? That if it is shipped with Windows then it is meant to be there and used ? That line of thinking will get you infected - and Microsoft's security division will be the first to tell you to disable stuff.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Most of the malicious documents can be dangerous only for the happy clickers. They also do not know what mean the words: macro, OLE, ActiveX, etc.
About half of the average users are happy clickers, anyway.:(
 
Last edited:
5

509322

Thread author
Most of malicious documents can be dangerous only for the happy clickers. They also do not know what mean the words: macro, OLE, ActiveX, etc.

Microsoft can make the VBA module a separate one instead of packaging it with Office by default.

Instead, it comes up with the insanely complex Exploit Guard and other hidden rules as a protection solution.

Microsoft... builder of the nuclear powered mouse trap that will break and irradiate everyone.
 
5

509322

Thread author
Doesn't this have to do mostly with updating data within office files across the internet or just maintaining updated and synced data banks? Grabbing data for presentations or reports and this kind of thing is what I mean. Yes, you can for this just write the app, but MSO does seem to be to be much more powerful to me with this capability in place. Generally, I think this is usually accounting data or sales data that is updated to a main database and from there referenced. So I think MS opened the internet channel to VB.

My question is, why isn't VB more tailored for safe use and use within Office only? By this I mean, why can't there be a secure and usable channel for working with office files via macro across the internet or an intranet that uses a properly refined and limited language? Seems to me there could be correlative software in MSO, also, designed for enforcement of security policy for office documents across an intranet or the internet. This would be "support" and assist with security policy enforcement, but MS obviously doesn't understand the first thing about the corporate work environment and how rigid it really must be. Don't think MS has 5 seconds thought in the securability of MS Office at this point, in spite of the fact that it's a main channel for potential trouble. All of this is strange to me considering the size of MS itself.



By the way, I read of an instance where a company was using office to maintain and monitor the functions of machinery across an entire assembly line. On the surface, I thought it was a kind of a cool idea, but it sure seemed clumsy to me to be using Excel to view data about the machines along the line, knowing the bits I know about Office and macros. They don't run very fast in my experience when operating on an Excel sheet or Word or whatever page. This company I think was updating data every 2 seconds. Working with data that way in Office is dangerous, anyway. You can grab data and it only be partly updated...if you grab it from an updating file. All kinds of weird things can happen.

Before running a questionable macro one thing I guess someone could do would be to take it to Microsoft Answers or StackOverflow and ask what the macro does.

People who manage and run a company are wise to avoid Microsoft Office - if they can. Microsoft Office is one of Microsoft's methods of holding the world hostage. Actually, it can be looked at both ways... anyone who uses Office is only victimizing themselves.
 
5

509322

Thread author
The truth of the matter is that users can put the malc0ders out of business. Instead, it is they who make possible and facilitate the multi-billion dollar per year malc0de industry.

Remove the user as part of the solution, and that solution is destined to be a failure.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
People who manage and run a company are wise to avoid Microsoft Office - if they can. Microsoft Office is one of Microsoft's methods of holding the world hostage. Actually, it can be looked at both ways... anyone who uses Office is only victimizing themselves.
Sadly, it is not as simple as it looks. The companies and Institutions have a lot of old documents and templates, which work well only with MS Office. I worked in the Institution, that tried to use OpenOffice - this experiment was a big mess.
I do not think that macros were introduced for the home users. Microsoft probably wanted to give admins a handy tool for automating document management and leave other Office suites behind. The simplest way was not inventing the safe macro language, but adopting the well known programming language Visual Basic 6.0. That is a way of corporation thinking. They do not think about the customers' security, but about the money.
 
Last edited:
5

509322

Thread author
Sadly, it is not as simple as it looks. The companies and Institutions have a lot of old documents and templates, which work well only with MS Office. I worked in the Institution, that tried to use OpenOffice - this experiment was a big mess.
I do not think that macros were introduced for the home users. Microsoft probably wanted to give admins a handy tool for automating document management and leave other Office suites behind. The simplest way was not inventing the safe macro language, but adopting the well known programming language Visual Basic 6.0. That is a way of corporation thinking. They do not think about the customers' security but about the money.

If you don't want your company to be financially raped, then you do what you must. It is a Soviet proposition - either you do, or you do not. If you do, you live. If you do not, then you die. The ones who do not will be the first to cry when they are compromised.

Yes, legacy stuff is another area where the world victimizes itself.

The buy, set and forget crowd with no money to nor intention of update anything - either willingly or unwillingly, knowingly or unknowingly. They are a menace to us all and place the lot of us at-risk because, remember, they are networked. Connected the same internetwork as we are.

Admins and document management ?

Wut ?

Microsoft has made and packaged protections in Office but, like everything, it is only available to the few and most importantly, of those who can take full advantage - only if they are willing to implement and adhere to them.

Managing Office all by itself at the E3 or E5 level is a full-time occupation.

Trying to secure Windows is - almost - the face of stupidity. And who makes it so difficult ? Why no one other than Microsoft itself.
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Maybe you guys could explain what VBS actually is, since we are talking so much about about it. Yeah, it stands for Visual Basic Script, and files of this type open by default with wscript, but... what's it really all about, from a security perspective?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think\get the impression that you have issues with disabling processes ? That if it is shipped with Windows then it is meant to be there and used ? That line of thinking will get you infected - and Microsoft's security division will be the first to tell you to disable stuff.
I have dozens of processes disabled, and some others monitored. Just trying to understand how things work, as usual...
 
5

509322

Thread author
Maybe you guys could explain what VBS actually is, since we are talking so much about about it. Yeah, it stands for Visual Basic Script, and files of this type open by default with wscript, but... what's it really all about, from a security perspective?

It's quite simple. Like many things shipped with Microsoft products, VBS (document\process automation and management) is abused and a needless security risk because the vast majority of people do not need it.

Same Microsoft story, different product.

Security-wise it is a menace. I'll provide an example that most anyone can grasp and immediately identifies as "this ain't a good idea" - placing an unloaded gun on every street corner in your neighborhood.

The saddest part about Microsoft is that it just won't remove the threat. Instead, it keeps it there and makes the attempted fixes and solutions fiendishly complicated - just adding layer upon layer of complexity onto the already obnoxiously complex pile for developers and users alike.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,474
Maybe you guys could explain what VBS actually is, since we are talking so much about about it. Yeah, it stands for Visual Basic Script, and files of this type open by default with wscript, but... what's it really all about, from a security perspective?
VBScript and JScript are the part of Windows Script Host. The first was rooted in Visual Basic, the second is almost the same as JavaScript. The Windows scripts evolved from batch files (*.bat) through VBScript and JScript to PowerShell. They were all intended for automation of several admin tasks (jobs). So, the malc0der can do the same as the admin can, if he is able to get admin privileges. VBScript (JScript) can manage for example: Windows services, COM interfaces, WMI, shellcode.
This can be used to gather information about the computer, download, execute, and hide malicious code.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top