Malware Analysis: Analyzing Macros For Payload

Hello There !  last night I got a mail from an Unknown source regarding a Credit card which include a Document attachment.
I was Curious that it may be Social engineering attack One of the Popular Attacking vector used by Cybercrooks
So I made a decision to download the attachment and analyze it, I opened that word file in a WindowsVM with MS Office 2010 Installed.
Hell Yeah ! It prompt me to enable Macros, which means that Document Contains Macros.
Basically Macros are VBA script short for Visual Basic for Applications, recording of series of task that we perform frequently.
It’s the simplest form of automation – shows a software program the steps you follow to get something done.

I Logged in my Kali Machine and I started dissecting the Document.
I ran a Python script against that file I got an error.

./macro_dump.py CC_1232017.docm

Hmm! the document is not a legacy binary Microsoft Office file but actually XML-formatted versions of Microsoft Office file(which typically have extensions such as .docx, .xlsx) Basically These files are Compressed
I decompressed the Docx document and got the following file, Seems fine

In this case, the “vbaProject.bin” file contains extracted VB macro code in a binary format.
Again ran the same script against vbaProject.bin, Fantastic! It worked.

./macro_dump.py word/vbaProject.bin

This file contains 2 Macros, The letter M next to stream 3 and 4 indicate that the stream contains VBA macros.
Stream 4 “ThisDocument” it is Global Macros.
Stream 3 “NewMacros” seems a Custom Macros.

Lets check if it contains any URLs in case of a Downloader Malware downloads the EXE from a server.

but it didn’t contains any kind of URLs lets Extract The VBA code in a Separate File and Let Analyze the code.

There are few Variable declaration and Auto_Open() function is quite Interesting, It will execute the EXE everytime you open the Document.
More Interesting stuffs like chDrive() i.e Change Drive function which is used to change the Drive and a shell() which is used to run an executable program. But I didn’t found the Binary Executable yet.

I doubt this is the payload string but since its not a downloader it may be possible that the payload data is Embedded in the Document itself.

Hmm! This variable seems Interesting.
Lets open the Word document again in WindowsVM, The whole document was (blank).

Finally I found the Payload Data, the Data was Hidden in the Document File.
To verify the Hypothesis I ran Anti-Meter(Which is used to check Meterpreter Session)and the Infected file was one which I guessed Earlier.

Somehow I got the IP Address of the Attacker.
After Uploading the EXE to VirusTotal the Detection Rate was 7/55.