I often write posts and make videos on malicious document analysis, that I post here and on my blog.

Here is another video on malicious Office document analysis (a .docm file), but with a twist: this maldoc was created with Metasploit module office_word_macro.

.docm files created with this module embed a payload (a Windows executable) as a BASE64 encoded property of the Word document. So it is rather easy to extract the payload: just extract the BASE64 code from the XML file and decode it.

Detecting these documents is not that difficult: this Metasploit module always uses the same VBA code. The ole file that contains the macros, vbaProject.bin, is not modified when it is embedded in a .docx file to create a .docm file.

So it's always the same file, and that makes it detectable. If you are interested, I have YARA rules and ClamAV signatures here.

Of course, these signatures will work with the current version of the Metasploit module, there is no guarantee for future versions.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com