We are currently observing a spam campaign that delivers MS Office 2007 Open XML document attachments containing a malicious VBA macro.
This file format is basically a Zip archive encapsulating a set of XML files. The email attachments are trojan downloaders that load a malicious binary from a presumably hacked website and execute it on the victims' machines. This post shows how to obtain the malware samples by statically analyzing the documents of the spam campaign.
The first step is to extract the VBA code from the document, which can be done with olevba from oletools. This tool decompresses the document, analyzes its data streams, and extracts the VBA macros. Olevba also gives first hints about how malicious the VBA elements in use are, as shown below:
From this analysis we can already guess that the macro is executed via the AutoClose method, once the document is closed. We will confirm this later by looking at the VBA code.
The extracted VBA code is obfuscated to hide its purpose. All variables and functions are named after animals or landscapes. The following code snippet tries to hide a WScript.Shell call by aggregating a string:
Furthermore, the code is bloated with garbage methods that either have no functionality or just wrap atomic VBA methods like RTrim, Asc, Len, Mid, AscB, or ChrW to obfuscate them. Deobfuscation can reveal the real purpose of the code. As the macros are rather short, with only around 60 lines of code, most of the code can be deobfuscated statically by hand, by refactoring unnecessary function calls and removing the garbage, as in this example:
It is easier to analyze the atomic VBA function calls dynamically to get the correct return values. VBA snippets can easily be executed with the Visio editor, which is part of Microsoft Word (open Word and search for it). When testing this method, always take precautions and only run the code snippets on a disconnected analysis virtual machine to prevent unintended system infections. A clean snapshot can be restored after the analysis to remove all malicious sample parts.
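A minimal static version of this refactoring, as an added example that is not part of the original post and not code from the campaign: it removes pass-through wrapper functions, evaluates atomic calls on literal arguments, and folds string concatenations. The sample macro, its names, and the use of & concatenation are constructed assumptions; escaped quotes inside VBA strings are not handled.

```python
import re

# Constructed sample in the style the post describes (animal/landscape names,
# wrappers around atomic VBA functions). It is not code from the campaign.
SAMPLE_VBA = '''
Function Otter(Lake)
    Otter = ChrW(Lake)
End Function
Function Badger(Moor, Fjord, Dune)
    Badger = Mid(Moor, Fjord, Dune)
End Function
Sub AutoClose()
    Heron = Otter(87) & "Scr" & Badger("xxipt.yy", 3, 4) & "Sh" & "ell"
    Set Marsh = CreateObject(Heron)
End Sub
'''

# A wrapper is a function whose only statement passes its parameters through.
WRAPPER = re.compile(
    r'Function (\w+)\(([^)]*)\)\s*\n\s*\1 = (\w+)\(\2\)\s*\nEnd Function\n?')
STR = r'"([^"]*)"'
# Atomic calls on literal arguments can be evaluated without running any VBA.
ATOMIC = [
    (re.compile(r'\bChrW\((\d+)\)'), lambda m: '"%s"' % chr(int(m[1]))),
    (re.compile(r'\bMid\(' + STR + r', (\d+), (\d+)\)'),  # Mid is 1-based
     lambda m: '"%s"' % m[1][int(m[2]) - 1:int(m[2]) - 1 + int(m[3])]),
    (re.compile(r'\bRTrim\(' + STR + r'\)'), lambda m: '"%s"' % m[1].rstrip(' ')),
    (re.compile(STR + r' & ' + STR), lambda m: '"%s%s"' % (m[1], m[2])),
]

def deobfuscate(vba):
    # 1. Collect pass-through wrappers (wrapper name -> wrapped function).
    wrappers = {m[1]: m[3] for m in WRAPPER.finditer(vba)}
    vba = WRAPPER.sub('', vba)
    # 2. Rename wrapper calls back to the atomic function they wrap.
    for name, target in wrappers.items():
        vba = re.sub(r'\b' + re.escape(name) + r'\(', target + '(', vba)
    # 3. Fold literal calls and concatenations until nothing changes.
    changed = True
    while changed:
        changed = False
        for pattern, fold in ATOMIC:
            vba, count = pattern.subn(fold, vba)
            changed = changed or count > 0
    return vba.strip()

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))
```

Anything the script cannot fold statically stays in place for manual or dynamic analysis.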
After some deobfuscation, only one core method is left. It is conspicuous that the return value of this method is passed to run WScript.Shell, therefore the method probably returns a shell command:
The method can be pasted into the Visio editor, but instead of infecting the system by executing the return value, the value can be passed to a print method and printed out. This reveals the malicious call of the macro, which contains a URL from which the malware binary can be downloaded for further analysis.
Fortunately, our ATP customers are protected against this campaign, as Hornetsecurity Advanced Threat Protection detects and filters out the malicious spam mails. In most cases, it is easier to let the sandbox engine gather the malware samples automatically through dynamic analysis, but the procedure described here is useful for understanding the attack and for improving the detection methods.
Oletools: https://www.decalage.info/python/oletools
Visio editor: https://msdn.microsoft.com/de-de/library/office/fp161226.aspx
Hornetsecurity ATP: https://www.hornetsecurity.com/de/services/schutz-vor-ransomware-advanced-threat-protection