Today we analyze a malicious, VBA-enabled Word document. The authors of this document password-protected the VBA project within the file to prevent inspection of the malicious code, and they also took measures to defeat the usual password-removal techniques. Automated analysis tools do not work on it, but we show how to get past all of these anti-analysis obstacles.
Filename: efax543254456_2156.doc
MD5: 30B9491821923A1ECB5D221A028208F2
Details
We begin by opening the document and are greeted with a phishing lure claiming that the document was created with an earlier version of Microsoft Office and that we must enable macros in order to view its contents.
When we enable macros, the document begins beaconing to a domain (cfai66.fr). To understand why, we must inspect the macros from the Developer tab; however, the author has password-protected the VBA project.
Anti-Analysis Techniques
We first tried the common hex-editing techniques, such as changing "DPB" to "DPx" or replacing the "CMG" value in the PROJECT stream. However, the authors intentionally corrupted the length of the CMG field so that these manual replacement attempts break the project instead of unlocking it.
Standard tools like OfficeMalScanner (scan/brute) and ViperMonkey failed as well. ViperMonkey specifically failed because the decoding routine reads values stored in a UserForm inside the password-protected project, which the emulator could not locate: a simple but effective way to halt automated emulation.
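As an added example (not the author's tooling), the following Python triages exactly the two fields the hex-edit tricks above touch: it decodes the CMG and DPB entries of a VBA PROJECT stream with the MS-OVBA "Data Encryption" scheme (spec section 2.4.3, written here from the spec as I recall it), reports whether the project is password-protected, and flags a CMG whose embedded length field disagrees with its payload, which is the kind of corruption this sample used. The PROJECT stream text, project ID and seeds are constructed for the demonstration; in practice you would read the stream out of the OLE container with a library such as olefile.

```python
OVBA_VERSION = 2
def ovba_encrypt(data: bytes, proj_key: int, seed: int, declared_len=None) -> bytes:
    # declared_len lets us forge the length field, the corruption the sample used
    length = len(data) if declared_len is None else declared_len
    out = bytearray([seed, seed ^ OVBA_VERSION, seed ^ proj_key])
    unenc1, enc1, enc2 = proj_key, seed ^ proj_key, seed ^ OVBA_VERSION
    # (seed & 6) >> 1 leading junk bytes that the decoder skips; zeros are legal
    plain = bytes((seed & 6) >> 1) + length.to_bytes(4, "little") + data
    for b in plain:
        b_enc = b ^ ((enc2 + unenc1) & 0xFF)
        out.append(b_enc)
        enc2, enc1, unenc1 = enc1, b_enc, b
    return bytes(out)

def ovba_decrypt(blob: bytes):
    # returns (declared_length, payload); a sane field has the two in agreement
    seed, version_enc, key_enc = blob[0], blob[1], blob[2]
    if seed ^ version_enc != OVBA_VERSION:
        raise ValueError("not an MS-OVBA encrypted field")
    unenc1, enc1, enc2 = seed ^ key_enc, key_enc, version_enc
    plain = bytearray()
    for b_enc in blob[3:]:
        b = b_enc ^ ((enc2 + unenc1) & 0xFF)
        plain.append(b)
        enc2, enc1, unenc1 = enc1, b_enc, b
    body = bytes(plain[(seed & 6) >> 1:])
    return int.from_bytes(body[:4], "little"), body[4:]

def inspect_project_stream(text: str) -> dict:
    # DPB decrypting to a single 0x00 means "no password"; anything else is a hash
    fields = {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key in ("CMG", "DPB", "GC"):
            fields[key] = bytes.fromhex(val.strip().strip('"'))
    report = {"password_protected": None, "cmg_length_ok": None}
    if "DPB" in fields:
        report["password_protected"] = ovba_decrypt(fields["DPB"])[1] != b"\x00"
    if "CMG" in fields:
        declared, payload = ovba_decrypt(fields["CMG"])
        report["cmg_length_ok"] = declared == len(payload)
    return report

# Constructed sample: a password-protected project whose CMG length field was tampered with
PROJ_KEY = sum(b"{00000000-0000-0000-0000-000000000000}") & 0xFF  # placeholder project ID
SAMPLE_STREAM = "\n".join([
    'ID="{00000000-0000-0000-0000-000000000000}"',
    'CMG="%s"' % ovba_encrypt(b"\x01\x00\x00\x00", PROJ_KEY, 0x3D, declared_len=9).hex().upper(),
    'DPB="%s"' % ovba_encrypt(b"\xff" + bytes(36), PROJ_KEY, 0x5A).hex().upper(),
])
```

A project whose CMG or DPB fails to decode cleanly, or whose CMG length does not match, is worth routing straight to manual review, since the automated unlockers and emulators are the tools this trick is designed to break.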
Manual Reversing
By tracing the code's logic manually, we determined that the decoding function only produces characters when the property UserForm1.T.Top equals 12. Supplying this value in the debugger allowed us to extract a malicious batch file.
The extracted script downloads an executable disguised as a PNG image from a remote server and executes it. The file is a generic Trojan.
Dropped Files
- i.bat
- npzdi.exe
Network Traffic
cfai66.fr/parabola.png
cfa-noisylegrand.com/parapola.png
Conclusion
This VBA-enabled Word document used password protection and structural corruption of the project's protection fields to hinder analysis. After the automated tools failed, manually reversing the decoding logic was the only way to uncover the hidden values required to decode the malicious payload.
Happy hunting.