Analyzing a macro-enabled Office file.

Hi! If you've been using Microsoft Office for a while, you have probably heard of macros.

But what actually are macros, and what can we do with them?

Taken from the official Microsoft documentation:

A macro is a series of commands that you can use to automate a repeated task, and can be run when you have to perform the task. This article has information about the risks involved when you work with macros, and you can learn about how to enable or disable macros in the Trust Center.

Now, NEVER skip the advisories or warning sections.

Warning: Never enable macros in an Office file unless you’re sure what those macros do. Unexpected macros can pose a significant security risk. You don’t have to enable macros to see or edit the file; only if you want the functionality provided by the macro.

So basically, we can use macros to do some cool stuff. For example, I could make an Office file that downloads a file from a server whenever it is opened. You can do that with the power of macros.

If a file carries macros, its extension should end with an m: .docm, .pptm and the other macro-enabled Office extensions.

Macros are disabled by default in Office applications, but that doesn't stop users from clicking the Enable Content button in the bar at the top.

Where Things Go Wrong

Well, if you're a good guy, you probably won't do stupid stuff with it.

But for a malicious hacker? Macros are written in VBA (Visual Basic for Applications), the programming language used to automate Microsoft Office applications.

They can simply write a script so that whenever you open the Office file, it downloads malicious stuff! Sounds scary, doesn't it?

Now let's take a look at a room on TryHackMe that showcases this.

Malicious Or Not?

The room I'll be showcasing is MrPhisher, a free room on TryHackMe.

We get a machine we can use to analyze the file, or we can just download it and do the analysis on our own box. I decided to download it, since I have a VM specifically for malware.

A macro-enabled Office file looks like this, and its extension ends with an m!

Before beginning analysis, we should record some artifacts for this file, such as its MD5 hash.

db80aedb3d20086e0976d8797547ef44 MrPhisher.docm

Analysis

Now let's get down to business. Let's open the file first, but don't click Enable Content!

As long as you don't enable content, we should be fine.

Static Analysis

Now let's start using various tools to analyze the file.

I like to refer to this cheat sheet by Lenny Zeltser; it showcases the tools you can use to analyze malicious files.

To start simple, let's use olevba, which locates and extracts macros from the file.

olevba MrPhisher.docm

We see some interesting code.

Okay, so olevba was able to extract the macro, and now we have the VBA code of the macro.

We see that it declares an array and uses the array's size as the bound of a For...Next loop. On each iteration we XOR the array element at index i with the value of i, take the character representation of the result, and append it to b. The value of i increments at the Next statement. This might not make a lot of sense yet, but you'll understand when we run it.

Dynamic Analysis

So now we can either write a Python script to mimic the behavior of the code, or, easier, just run the VB code with some changes. To run the code, I simply use an online VB compiler.

We change a bit of its code to make it run.

And if we run it and print out the variable b, we get a flag!
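For the "write a Python script to mimic the behavior" route mentioned above, here is an added example that is not part of the original post or the TryHackMe room. It takes macro source text of the shape olevba printed (an integer array, a For...Next loop, Chr(a(i) Xor i) appended to b), pulls the Array(...) literal out of the text and decodes it without running any VBA at all. The macro text and the numbers in it are constructed for this example; they are not the values from MrPhisher.docm, so the decoded string is a stand-in, not the room's flag.

```python
import re

# Constructed sample of what olevba might print for a macro shaped like the one
# described in the post. The array values are constructed for this example
# (not taken from MrPhisher.docm) and decode to a placeholder string.
SAMPLE_VBA = """
Sub AutoOpen()
    Dim a() As Variant
    Dim b As String
    a = Array(102, 109, 99, 100, 127, 125, 105, _
              117, 87, 109, 111, 102, 99, 112)
    For i = 0 To UBound(a)
        b = b & Chr(a(i) Xor i)
    Next i
End Sub
"""

# Matches a VBA Array(...) literal; VBA keywords are case-insensitive.
ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE)


def parse_vba_int(token: str) -> int:
    """Parse a VBA integer literal: plain decimal or &H-prefixed hexadecimal."""
    token = token.strip()
    if token.upper().startswith("&H"):
        return int(token[2:], 16)
    return int(token)


def extract_arrays(vba_text: str) -> list[list[int]]:
    """Return every Array(...) literal in the macro source as a list of ints."""
    # VBA continues a statement onto the next line with a trailing " _";
    # join those lines first so a multi-line array is matched as one literal.
    joined = re.sub(r"\s+_\r?\n\s*", " ", vba_text)
    arrays = []
    for match in ARRAY_RE.finditer(joined):
        tokens = [t for t in match.group(1).split(",") if t.strip()]
        arrays.append([parse_vba_int(t) for t in tokens])
    return arrays


def xor_index_decode(values: list[int]) -> str:
    """Mimic the loop: XOR each element with its own index, then Chr() it."""
    return "".join(chr(v ^ i) for i, v in enumerate(values))


def decode_macro(vba_text: str) -> list[str]:
    """Decode every integer array found in the macro text."""
    return [xor_index_decode(arr) for arr in extract_arrays(vba_text)]


if __name__ == "__main__":
    for decoded in decode_macro(SAMPLE_VBA):
        print(repr(decoded))
```

Paste the real olevba output into SAMPLE_VBA (or read it from a file) and decode_macro returns one string per array it finds. Because the array is parsed from text, nothing in the document executes, so this is still static analysis; the online-compiler route in the post is the dynamic equivalent.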

Conclusion

Since this is just a practice lab on TryHackMe, there was no malware or malicious intent in the macro file. But if it were a genuinely malicious file and you clicked Enable Content, the macro would run and do terrible things to your PC; who knows whether it would download ransomware, a crypto miner or even a trojan.

So to be safe, always be cautious when dealing with macro-enabled files, even if they come from a trusted person.

FarisArch

Student that loves FOSS and hacking