Triaging Malicious Word Document

Today we demonstrate how to quickly triage a malicious Word document rigged with a VBS downloader and obfuscated PowerShell.

Filename: trin594d.doc
MD5: ea677003262604084a6afc3f459dfba3
Sample: Download via Reverse.it

Video Walkthrough



Initial Triage: Hex Header Inspection

We start by dropping the document into a hex editor to inspect the file's header. Even though the extension is .doc, the magic bytes tell a different story.

The file begins with "PK", indicating a ZIP archive. In Microsoft Office terms, this means the document is actually the newer XML-based .DOCX format. By renaming the file to .zip, we can browse its internal structure.



Extracting the VBS Macros

Malicious macros are typically stored in the word\vbaProject.bin file within the archive. Simply opening this binary in a text editor results in illegible garbage. To extract the raw scripts, we use OfficeMalScanner:
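The two checks above (magic bytes that contradict the extension, and a vbaProject.bin part inside the archive) are easy to script for bulk triage. The following Python is an added example written for this post, not a tool from the original walkthrough; it builds a constructed in-memory sample rather than using trin594d.doc, and the helper names (identify_container, triage, build_sample_docm) are my own.

```python
import io
import zipfile

# Compound File Binary (legacy .doc/.xls) header and ZIP local-file-header signature.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def identify_container(data: bytes) -> str:
    """Classify the outer container by its first bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def list_ooxml_parts(data: bytes) -> dict:
    """Walk the ZIP entries of an Office Open XML file and flag macro storage."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "parts": names,
        # vbaProject.bin is the OLE2 stream that holds VBA macros; a document that
        # claims to be plain .docx/.doc but carries it deserves a closer look.
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
        "has_content_types": "[Content_Types].xml" in names,
    }


def triage(data: bytes, claimed_extension: str) -> dict:
    """Return a small triage record: container type, extension mismatch, macro presence."""
    container = identify_container(data)
    result = {
        "container": container,
        "claimed_extension": claimed_extension.lower(),
        "mismatch": False,
        "has_vba": False,
        "parts": [],
    }
    if container == "zip":
        # A ZIP container with a .doc extension is the exact mismatch seen in the post.
        result["mismatch"] = claimed_extension.lower() == ".doc"
        info = list_ooxml_parts(data)
        result["has_vba"] = info["has_vba"]
        result["parts"] = info["parts"]
    elif container == "ole2":
        # Legacy binary format: macros live in OLE streams, not ZIP parts.
        result["mismatch"] = claimed_extension.lower() in (".docx", ".docm")
    return result


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal OOXML archive with a dummy vbaProject.bin part.

    This is not the real trin594d.doc; the macro part holds only an OLE2 header
    followed by zero bytes so the script runs offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print(triage(sample, ".doc"))
```

Run against a real file with `triage(open(path, "rb").read(), os.path.splitext(path)[1])`; the `mismatch` and `has_vba` flags together reproduce the hex-editor and rename-to-.zip steps without opening the document in Word.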

officemalscanner.exe ourfile.doc info

Once dumped, the VBS code is heavily obfuscated. Rather than manually de-obfuscating, we can use the built-in Visual Basic Editor (Developer Tab) inside Word to debug it dynamically.



Dynamic Debugging: The Message Box Trick

In the VB Debugger, we set breakpoints where obfuscated strings are concatenated. Since the debugger's variable window often truncates long strings, we can inject a temporary MsgBox(variable_name) line to force the full string into a window.

Pro-Tip: You can't select text in a standard Windows MsgBox, but you can click the window and press CTRL+C to copy its entire content to your clipboard.



Second Stage: PowerShell Analysis

The VBS script eventually calls Wscript.Shell.Run to launch a PowerShell command. This command is usually preceded by a ping command to act as a sleep/delay timer to evade sandbox detection.

By moving the command into PowerShell ISE, we can inspect the final de-obfuscated variable. In this sample, the variable contained several URLs pointing to .php files with an f=# argument. Navigating to these URLs initiated the download of the final executable payloads.
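For the analyst who wants to pull the same indicators out of a captured command line without pasting it into PowerShell ISE, here is an added Python example (mine, not code from the post). It assumes the common shape described above: a ping used as a delay, then powershell with a base64 encoded command. The sample command line and the example.invalid URLs are constructed placeholders, not the URLs from the real sample.

```python
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# "ping <host> -n <count>" used as a sleep: Windows ping waits roughly one second per echo.
PING_DELAY_RE = re.compile(r"\bping\b[^&|;]*?-n\s+(\d+)", re.IGNORECASE)
# powershell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
PHP_F_ARG_RE = re.compile(r"\.php\?f=\d+", re.IGNORECASE)


def decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries the script as base64 over UTF-16LE."""
    return base64.b64decode(token).decode("utf-16-le")


def analyze_command_line(cmdline: str) -> dict:
    """Extract the ping delay, the decoded script and any download URLs."""
    findings = {
        "ping_delay_seconds": None,
        "encoded_command": None,
        "urls": [],
        "php_with_f_arg": [],
    }
    m = PING_DELAY_RE.search(cmdline)
    if m:
        findings["ping_delay_seconds"] = int(m.group(1))
    decoded = ""
    m = ENC_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        findings["encoded_command"] = decoded
    # Look for URLs both in the visible command line and in the decoded script.
    urls = sorted(set(URL_RE.findall(cmdline + " " + decoded)))
    findings["urls"] = urls
    # The pattern called out in the post: .php endpoints selected by an f=<number> argument.
    findings["php_with_f_arg"] = [u for u in urls if PHP_F_ARG_RE.search(u)]
    return findings


def build_sample_cmdline() -> str:
    """Constructed command line in the shape described above (placeholder hosts)."""
    script = (
        "$u='http://example.invalid/a.php?f=1','http://example.invalid/b.php?f=2';"
        "foreach($x in $u){Write-Output $x}"
    )
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"cmd /c ping 127.0.0.1 -n 30 > nul & powershell -w hidden -enc {enc}"


if __name__ == "__main__":
    for key, value in analyze_command_line(build_sample_cmdline()).items():
        print(f"{key}: {value}")
```

The decoded script is returned as text only; nothing here executes it or fetches the URLs, which is what you want when the goal is to harvest indicators for blocking and detection rather than to detonate the sample.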



Conclusion

This triage process reveals how malware authors chain multiple layers of obfuscation—from ZIP-based Office formats to VBS macros and finally to PowerShell scripts. Chaining these techniques is one of the most prevalent methods for delivering payloads today. Always verify the source of documents, even if they appear to come from known senders.



Happy hunting.