A malicious word document with a VBA form
Last Updated: 2018-04-16 21:29:42 UTC
by Didier Stevens (Version: 1)
Malware authors will often hide strings (like URLs) or even a full payload as property values of VBA forms. The stream that contains this information can be easily recognized with oledump.py, the name ends with /o:
I was given a sample (MD5 1b0fbd5e0af361058a8115b941232e34) where such a stream is particularly large. Looking into the stream (index 15), we see an hexadecimal string starting with 4d5a. That's MZ in ASCII, and most likely a Windows executable.
Sometimes analyzing malicious documents can be rather easy: without looking at the VBA macro code of this sample, you can quickly find the embedded payload. This embedded payload can be easily extracted with base64dump.py:
This gives us the MD5 hash of the payload, which can also be found on VirusTotal 5ec10cfc4b29356d1bac2391e596f15f.
This malware was written in Visual Basic 6:
It's always worth to take a quick look at malicious documents with oledump.py or olevba.py, sometimes you can get lucky and find the payload without looking at the macros.
There are also several plugins for oledump, that help you automate parts of your analysis. plugin plugin_stream_o is a plugin I created for forms to extract property values:
Microsoft MVP Consumer Security