UrbanPro
true

Learn Ethical Hacking from the Best Tutors

  • Affordable fees
  • 1-1 or Group class
  • Flexible Timings
  • Verified Tutors

Search in

Malware Analysis: Analyzing Macros For Payload

Ronit Yadav
21/03/2017 0 0

Hello There !  last night I got a mail from an Unknown source regarding a Credit card which include a Document attachment.
I was Curious that it may be Social engineering attack One of the Popular Attacking vector used by Cybercrooks
So I made a decision to download the attachment and analyze it, I opened that word file in a WindowsVM with MS Office 2010 Installed.
Hell Yeah ! It prompt me to enable Macros, which means that Document Contains Macros.
Basically Macros are VBA script short for Visual Basic for Applications, recording of series of task that we perform frequently.
It’s the simplest form of automation – shows a software program the steps you follow to get something done.

I Logged in my Kali Machine and I started dissecting the Document.
I ran a Python script against that file I got an error.

./macro_dump.py CC_1232017.docm

Hmm! the document is not a legacy binary Microsoft Office file but actually XML-formatted versions of Microsoft Office file(which typically have extensions such as .docx, .xlsx) Basically These files are Compressed
I decompressed the Docx document and got the following file, Seems fine

In this case, the “vbaProject.bin” file contains extracted VB macro code in a binary format.
Again ran the same script against vbaProject.bin, Fantastic! It worked.

./macro_dump.py word/vbaProject.bin

This file contains 2 Macros, The letter M next to stream 3 and 4 indicate that the stream contains VBA macros.
Stream 4 “ThisDocument” it is Global Macros.
Stream 3 “NewMacros” seems a Custom Macros.

Lets check if it contains any URLs in case of a Downloader Malware downloads the EXE from a server.

but it didn’t contains any kind of URLs lets Extract The VBA code in a Separate File and Let Analyze the code.

 

There are few Variable declaration and Auto_Open() function is quite Interesting, It will execute the EXE everytime you open the Document.
More Interesting stuffs like chDrive() i.e Change Drive function which is used to change the Drive and a shell() which is used to run an executable program. But I didn’t found the Binary Executable yet.

I doubt this is the payload string but since its not a downloader it may be possible that the payload data is Embedded in the Document itself.

Hmm! This variable seems Interesting.
Lets open the Word document again in WindowsVM, The whole document was (blank).

Finally I found the Payload Data, the Data was Hidden in the Document File.
To verify the Hypothesis I ran Anti-Meter(Which is used to check Meterpreter Session)and the Infected file was one which I guessed Earlier.

Somehow I got the IP Address of the Attacker.
After Uploading the EXE to VirusTotal the Detection Rate was 7/55.

 

0 Dislike
Follow 0

Please Enter a comment

Submit

Other Lessons for You

9 Cybersecurity Trends & Predictions For 2018
The unpleasant cyber attacks of 2017 are still fresh in the minds of the people. To mention a few, they are Wanna Cry, Not Petya, Equifax, and etc. Evidently, the 'Cybersecurity' term which was known...

LAN Attack: ARP Spoofing + MAC flooding + Man in the middle
If the attacker gain access to LAN where the target Server is connected. Then following mechanisms can be combined to attack target web server. MAC spoofing + MAC flooding + ARP Spoofing. MAC spoofing...

Antivirus is not enough. Cyber criminals hate us. We protect from attacks that antivirus can't block. 
Engineering and internet encouraged the conception and development of network indecencies like virus, antivirus, hacking and ethical hacking. Hacking is a practice of adjustment of a computer hardware...

Ethical hacking : Important points for beginners
Dear passionate learners, I am posting lesson to create enthusiasm among you all for learning ethical hacking. A beginner in Ethical Hacking is always in a dilemma. Below are some misconceptions,...
A

Abhay

0 0
0

A Torch for the Green Hats.
How do I become a hacker? I have received this question countless times on formal and informal occasions. I feel the need to put a small sum up on the rules for you. Step 1. Ask yourself the Why. Do...
X

Looking for Ethical Hacking Classes?

The best tutors for Ethical Hacking Classes are on UrbanPro

  • Select the best Tutor
  • Book & Attend a Free Demo
  • Pay and start Learning

Learn Ethical Hacking with the Best Tutors

The best Tutors for Ethical Hacking Classes are on UrbanPro

This website uses cookies

We use cookies to improve user experience. Choose what cookies you allow us to use. You can read more about our Cookie Policy in our Privacy Policy

Accept All
Decline All

UrbanPro.com is India's largest network of most trusted tutors and institutes. Over 55 lakh students rely on UrbanPro.com, to fulfill their learning requirements across 1,000+ categories. Using UrbanPro.com, parents, and students can compare multiple Tutors and Institutes and choose the one that best suits their requirements. More than 7.5 lakh verified Tutors and Institutes are helping millions of students every day and growing their tutoring business on UrbanPro.com. Whether you are looking for a tutor to learn mathematics, a German language trainer to brush up your German language skills or an institute to upgrade your IT skills, we have got the best selection of Tutors and Training Institutes for you. Read more