Tuesday, April 7, 2015

Resume Phish with VBA Macro in Word

I pasted some details about a Phishing email that I saw containing a Resume in a Microsoft Word document. If users clicked on the word document it executed some malicious VBA scripts that attempted to download a file and infect the host workstation. What are the steps to determine all that?

First get a copy of the Word Document. If you have the email, great (skip to step 8). If you don't have the email but have a Wireshark packet capture, then try these steps ...

1.) Find the email SMTP traffic and right-click, Follow TCP Stream
2.) Save As RAW
3.) Open the file in Notepad++, it's probably Base 64 encoded (like the example below)

5.) Delete everything before and after so all you're left with the Base 64 encoded document, then Select it all

6.) Select Plugins => MIME Tools => Base 64 decode

7.) Now be careful since you have an active word document. You wouldn't want to accidentally click. That's why it's best to this in a disposable non-connected Virtual Machine. I wouldn't even save it as word, just save it as a TXT file still for now.

8.) Now use the OfficeMalScanner that I blogged about using here. And run this command that extracts a binary version of the macro
.\OfficeMalScanner.exe .\MaliciousWordDocument.txt inflate

9.) Now use the OfficeMalScanner to run this command to extract the actual VBA script
.\OfficeMalScanner.exe .\vbaProject.bin info

10.) Open that outputed file (VBAPROJECT.BIN-Macros\ThisDocument) in Notepad++ and boom! you have the code. Time for analysis.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment