UrbanPro
true

Learn Ethical Hacking from the Best Tutors

  • Affordable fees
  • 1-1 or Group class
  • Flexible Timings
  • Verified Tutors

Search in

Malware Analysis: Analyzing Macros For Payload

Ronit Yadav
21/03/2017 0 0

Hello There !  last night I got a mail from an Unknown source regarding a Credit card which include a Document attachment.
I was Curious that it may be Social engineering attack One of the Popular Attacking vector used by Cybercrooks
So I made a decision to download the attachment and analyze it, I opened that word file in a WindowsVM with MS Office 2010 Installed.
Hell Yeah ! It prompt me to enable Macros, which means that Document Contains Macros.
Basically Macros are VBA script short for Visual Basic for Applications, recording of series of task that we perform frequently.
It’s the simplest form of automation – shows a software program the steps you follow to get something done.

I Logged in my Kali Machine and I started dissecting the Document.
I ran a Python script against that file I got an error.

./macro_dump.py CC_1232017.docm

Hmm! the document is not a legacy binary Microsoft Office file but actually XML-formatted versions of Microsoft Office file(which typically have extensions such as .docx, .xlsx) Basically These files are Compressed
I decompressed the Docx document and got the following file, Seems fine

In this case, the “vbaProject.bin” file contains extracted VB macro code in a binary format.
Again ran the same script against vbaProject.bin, Fantastic! It worked.

./macro_dump.py word/vbaProject.bin

This file contains 2 Macros, The letter M next to stream 3 and 4 indicate that the stream contains VBA macros.
Stream 4 “ThisDocument” it is Global Macros.
Stream 3 “NewMacros” seems a Custom Macros.

Lets check if it contains any URLs in case of a Downloader Malware downloads the EXE from a server.

but it didn’t contains any kind of URLs lets Extract The VBA code in a Separate File and Let Analyze the code.

 

There are few Variable declaration and Auto_Open() function is quite Interesting, It will execute the EXE everytime you open the Document.
More Interesting stuffs like chDrive() i.e Change Drive function which is used to change the Drive and a shell() which is used to run an executable program. But I didn’t found the Binary Executable yet.

I doubt this is the payload string but since its not a downloader it may be possible that the payload data is Embedded in the Document itself.

Hmm! This variable seems Interesting.
Lets open the Word document again in WindowsVM, The whole document was (blank).

Finally I found the Payload Data, the Data was Hidden in the Document File.
To verify the Hypothesis I ran Anti-Meter(Which is used to check Meterpreter Session)and the Infected file was one which I guessed Earlier.

Somehow I got the IP Address of the Attacker.
After Uploading the EXE to VirusTotal the Detection Rate was 7/55.

 

0 Dislike
Follow 0

Please Enter a comment

Submit

Other Lessons for You

The Art of Phishing
Similar to real-life fishing, phishing scams aren’t always best when they rely on advanced tactics, but there are many new techniques motivated by social networks. So what is phishing, and what should...
R

Ramakrishnan Nataraj

0 0
0

Type Of Hacker
There are three types of hacker. white hat hacker(ethical hacker)Grey hat hackerBlack hat hacker What is white hat hacker (ethical hacker)? “Ethical hacker” at parameter security, which...

Internet Ethics For Internet Users
Definition of Computer Ethics Ethics are a set of moral principles that govern an individual or a group on what is acceptable behaviour while using a computer. Computer ethics is a set of moral principles...
R

Ramakrishnan Nataraj

0 0
0

What Is Cyber Crime?
Computer activities carried out by means computer or the internet.Cybercriminals may use computer technology to access personal information, business trade secrets, or use the Internet for exploitive or...
D

Deleted User

0 0
0

Social Engineering
Social Engineering is the art of manipulating human mindset and convincing people to reveal confidential information Factors that make companies vulnerable to Social Engineering Insufficient Security...
X

Looking for Ethical Hacking Classes?

The best tutors for Ethical Hacking Classes are on UrbanPro

  • Select the best Tutor
  • Book & Attend a Free Demo
  • Pay and start Learning

Learn Ethical Hacking with the Best Tutors

The best Tutors for Ethical Hacking Classes are on UrbanPro

This website uses cookies

We use cookies to improve user experience. Choose what cookies you allow us to use. You can read more about our Cookie Policy in our Privacy Policy

Accept All
Decline All

UrbanPro.com is India's largest network of most trusted tutors and institutes. Over 55 lakh students rely on UrbanPro.com, to fulfill their learning requirements across 1,000+ categories. Using UrbanPro.com, parents, and students can compare multiple Tutors and Institutes and choose the one that best suits their requirements. More than 7.5 lakh verified Tutors and Institutes are helping millions of students every day and growing their tutoring business on UrbanPro.com. Whether you are looking for a tutor to learn mathematics, a German language trainer to brush up your German language skills or an institute to upgrade your IT skills, we have got the best selection of Tutors and Training Institutes for you. Read more