UrbanPro
true

Learn Ethical Hacking from the Best Tutors

  • Affordable fees
  • 1-1 or Group class
  • Flexible Timings
  • Verified Tutors

Search in

Malware Analysis: Analyzing Macros For Payload

Ronit Yadav
21/03/2017 0 0

Hello There !  last night I got a mail from an Unknown source regarding a Credit card which include a Document attachment.
I was Curious that it may be Social engineering attack One of the Popular Attacking vector used by Cybercrooks
So I made a decision to download the attachment and analyze it, I opened that word file in a WindowsVM with MS Office 2010 Installed.
Hell Yeah ! It prompt me to enable Macros, which means that Document Contains Macros.
Basically Macros are VBA script short for Visual Basic for Applications, recording of series of task that we perform frequently.
It’s the simplest form of automation – shows a software program the steps you follow to get something done.

I Logged in my Kali Machine and I started dissecting the Document.
I ran a Python script against that file I got an error.

./macro_dump.py CC_1232017.docm

Hmm! the document is not a legacy binary Microsoft Office file but actually XML-formatted versions of Microsoft Office file(which typically have extensions such as .docx, .xlsx) Basically These files are Compressed
I decompressed the Docx document and got the following file, Seems fine

In this case, the “vbaProject.bin” file contains extracted VB macro code in a binary format.
Again ran the same script against vbaProject.bin, Fantastic! It worked.

./macro_dump.py word/vbaProject.bin

This file contains 2 Macros, The letter M next to stream 3 and 4 indicate that the stream contains VBA macros.
Stream 4 “ThisDocument” it is Global Macros.
Stream 3 “NewMacros” seems a Custom Macros.

Lets check if it contains any URLs in case of a Downloader Malware downloads the EXE from a server.

but it didn’t contains any kind of URLs lets Extract The VBA code in a Separate File and Let Analyze the code.

 

There are few Variable declaration and Auto_Open() function is quite Interesting, It will execute the EXE everytime you open the Document.
More Interesting stuffs like chDrive() i.e Change Drive function which is used to change the Drive and a shell() which is used to run an executable program. But I didn’t found the Binary Executable yet.

I doubt this is the payload string but since its not a downloader it may be possible that the payload data is Embedded in the Document itself.

Hmm! This variable seems Interesting.
Lets open the Word document again in WindowsVM, The whole document was (blank).

Finally I found the Payload Data, the Data was Hidden in the Document File.
To verify the Hypothesis I ran Anti-Meter(Which is used to check Meterpreter Session)and the Infected file was one which I guessed Earlier.

Somehow I got the IP Address of the Attacker.
After Uploading the EXE to VirusTotal the Detection Rate was 7/55.

 

0 Dislike
Follow 0

Please Enter a comment

Submit

Other Lessons for You

Types of Ethical Hackers
This is the internet age! The more that we use the internet and technology, the more we are vulnerable to Hacking and Data theft, Ethical Hacking going to play the best role in this era There are mainly...

Antivirus is not enough. Cyber criminals hate us. We protect from attacks that antivirus can't block. 
Engineering and internet encouraged the conception and development of network indecencies like virus, antivirus, hacking and ethical hacking. Hacking is a practice of adjustment of a computer hardware...

Prerequisites To Get Started Into Ethical Hacking
Getting into ethical hacking as a beginner, one has confusion about where to start. There are many resources but the only question remains in mind for a beginner is "What is the zero level to start?"....
G

Grandhi Srikanth

2 0
0

How to crack CEH?
Learn all the modules taught in the CEC course at infysec, practise thoroughly and then crack CEH - EC COUNCIL within 2 months time frame.

How to become an Ethical Hacker?
Certified Ethical Hacker (CEH) is a qualification obtained by demonstrating knowledge of assessing the security of computer systems by looking for weaknesses and vulnerabilities in target systems, using...
X

Looking for Ethical Hacking Classes?

The best tutors for Ethical Hacking Classes are on UrbanPro

  • Select the best Tutor
  • Book & Attend a Free Demo
  • Pay and start Learning

Learn Ethical Hacking with the Best Tutors

The best Tutors for Ethical Hacking Classes are on UrbanPro

This website uses cookies

We use cookies to improve user experience. Choose what cookies you allow us to use. You can read more about our Cookie Policy in our Privacy Policy

Accept All
Decline All

UrbanPro.com is India's largest network of most trusted tutors and institutes. Over 55 lakh students rely on UrbanPro.com, to fulfill their learning requirements across 1,000+ categories. Using UrbanPro.com, parents, and students can compare multiple Tutors and Institutes and choose the one that best suits their requirements. More than 7.5 lakh verified Tutors and Institutes are helping millions of students every day and growing their tutoring business on UrbanPro.com. Whether you are looking for a tutor to learn mathematics, a German language trainer to brush up your German language skills or an institute to upgrade your IT skills, we have got the best selection of Tutors and Training Institutes for you. Read more