I often write posts and make videos on malicious document analysis, which I post here and on my blog. Here is another video on malicious Office document analysis (a .docm file), but with a twist: this maldoc was created with the Metasploit module office_word_macro.

.docm files created with this module embed the payload (a Windows executable) as a BASE64-encoded property of the Word document. Extracting the payload is therefore straightforward: pull the BASE64 string out of the XML part and decode it.

Detecting these documents is not difficult either, because the module always uses the same VBA code. The OLE file that contains the macros, vbaProject.bin, is not modified when it is embedded in a .docx file to create the .docm file. It is always the same file, and that makes it detectable by signature or hash. If you are interested, I have YARA rules and ClamAV signatures here. Of course, these signatures match the current version of the Metasploit module; there is no guarantee they will match future versions.
Didier Stevens, ISC Handler, Nov 6th 2017
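The extraction and detection steps described in the diary, as an added worked example in Python (this is not Didier Stevens' code, nor Metasploit's). It builds a constructed, harmless .docm-like zip in memory so it runs offline: the location of the property (docProps/custom.xml), the property name "payload", and the fake MZ and OLE bytes are all assumptions made for the example; the diary itself only says the payload is a BASE64-encoded property in an XML part. The scanner therefore does not rely on the exact location: it walks every XML part, decodes every long BASE64 run, and keeps the blobs that start with an MZ header. Detection is modelled as hashing word/vbaProject.bin and comparing against a set of known-bad hashes, since the module reuses the same file.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

# Constructed sample payload: a fake executable (MZ header + filler), not real malware.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 200

# Constructed stand-in for the module's vbaProject.bin (OLE magic + filler).
# The real file is a compiled OLE container; the point is only that it is constant.
FAKE_VBAPROJECT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120

# Base64 runs long enough to hold an executable; short attribute values are skipped.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_sample_docm(payload: bytes, vbaproject: bytes) -> bytes:
    """Build a minimal .docm-like zip in memory (constructed test input).

    Assumption: the payload is stored base64-encoded in a custom document property
    in docProps/custom.xml, under the (assumed) property name "payload".
    """
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="payload">'
        f"<vt:lpwstr>{base64.b64encode(payload).decode()}</vt:lpwstr>"
        "</property></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")      # stub, enough for the scanner
        z.writestr("word/document.xml", "<w:document/>")   # stub
        z.writestr("docProps/custom.xml", custom_xml)
        z.writestr("word/vbaProject.bin", vbaproject)
    return buf.getvalue()


def extract_embedded_executables(docm: bytes):
    """Scan every XML part of the document for base64 blobs that decode to an MZ file.

    Returns a list of (part_name, decoded_bytes). Runs that are not valid base64
    (wrong length, stray characters) are ignored rather than treated as errors.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = z.read(name)
            for m in B64_RUN.finditer(data):
                try:
                    blob = base64.b64decode(m.group(0), validate=True)
                except (binascii.Error, ValueError):
                    continue
                if blob[:2] == b"MZ":
                    found.append((name, blob))
    return found


def vbaproject_sha256(docm: bytes):
    """SHA-256 of word/vbaProject.bin, or None if the document carries no macro project."""
    with zipfile.ZipFile(io.BytesIO(docm)) as z:
        if "word/vbaProject.bin" not in z.namelist():
            return None
        return hashlib.sha256(z.read("word/vbaProject.bin")).hexdigest()


def is_known_vbaproject(docm: bytes, known_hashes) -> bool:
    """Detection: the module reuses one vbaProject.bin, so its hash is a usable indicator."""
    digest = vbaproject_sha256(docm)
    return digest is not None and digest in known_hashes


if __name__ == "__main__":
    sample = build_sample_docm(FAKE_EXE, FAKE_VBAPROJECT)
    for part, blob in extract_embedded_executables(sample):
        print(f"{part}: {len(blob)} bytes, header {blob[:2]!r}")
    print("vbaProject.bin sha256:", vbaproject_sha256(sample))
```

In practice you would feed the hash set with the digest of vbaProject.bin taken from a known office_word_macro sample; as the diary notes, that indicator holds only as long as the module keeps shipping the same file.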