Since 2014, malicious macros are coming back. And their success in recent campaigns demonstrates that it is still an effective way to deliver malware, sixteen years after Melissa.
This is a presentation that I gave to the SSTIC symposium in June 2015, translated to English. It explains what malicious macros can do, how their code can be obfuscated, and some of the anti-analysis tricks observed in recent cases. Then it shows several tools that can be used to analyze macros, including oledump and olevba.
It is sometimes useful to look for malware samples containing a specific string. For example, you might look for samples sharing similar code to analyze a malware campaign with different targets. Another use case is discovering the original version of a modified file, as described in my article "Unmasking Malfunctioning Malicious Documents".
From time to time, people report strange malicious documents which are not successfully analyzed by malware analysis tools nor by sandboxes. Let's investigate. (this is a follow-up to the post "Malfunctioning Malware" by Didier Stevens)
olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.
This article describes the Microsoft Office 97-2003 legacy/binary file formats (doc, xls, ppt), related security issues and useful resources.
This article presents several tools that can be used to extract VBA Macros source code from MS Office Documents, for malware analysis and forensics. It also provides an overview of how VBA Macros are stored.
oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file. It is part of the python-oletools package.
olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file. It is part of the python-oletools package.
Since version 0.32, OleFileIO_PL comes with experimental write features. For now it is possible to write sectors, and to write over an existing stream. More features will be added over time.
This article presents several new open source frameworks meant to simplify static file scanning for malware analysis and incident response: MASTIFF, Viper, IRMA and a few others. Their goal is to provide an extensible framework to integrate many existing scanning tools.