Bypassing Anti-Analysis Technique In Office Documents

malware analysis VBA Word Document
Today we analyze a malicious, VBA Enabled Word Document. The authors of this document have password protected the VBA Project within the file to prevent inspection of the malicious code. They have also taken measures to prevent password removal techniques. Automatic analysis tools do not work, but we show how to get past all these anti-analysis obstacles.
Filename
efax543254456_2156.doc
MD5
30B9491821923A1ECB5D221A028208F2
Sample
Download Sample
Video



DETAILS

We begin by opening the document and are greeted with a Phishing message claiming the document was created with an earlier version of Microsoft Office and in order to view the message we must enable macros.




When we enable macros, the Document begins beaconing to cfai66.fr 


To understand what made the document beacon to the French domain, we must inspect the Document’s Macros in the Developer Tab. However, the author has password protected the VBA project to prevent inspection. This limits our ability to accurately analyze the VBA script from inside Microsoft Office. 



To continue analysis, we can try to manually remove the password using some common hex editing techniques for Office files. To begin, we search the Document for the string “DPB” and change it to “DPx”. Some versions of Office will interpret this as a corrupt password hash. However, this does not work on our document and we still receive the password prompt.

Next we try replacing the “CMG”, “DPB”, and “GC” values of our document with new values from a password protected, VBA Enabled Document we create. Alas, the authors of our document have intentionally messed with the “CMG” value to throw off the length of the field. Our attempts at copying our new CMG to the malicious document fail. Also, attempting to pad the data both inside and outside the quotes of CMG to preserve the length of the file failed. (Our New Document On Left. Malicious Document on Right) 


Since our password removal attempts have failed, we continue inspecting our Document with the popular Office Product analysis tool OfficeMalScanner. Running the tool with the scan/brute options yields no results:


Re-running the tool with the info option reveals 3 VBA Objects: 


To dynamically analyze these VBA Objects we can utilize a new tool named ViperMonkey. ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).

However, more bad news emerges when ViperMonkey fails to fully analyze the VBA due to 1.) Not recognizing the VBA function UBound, 2.) Being unable to evaluate the variable assignment for “i = UserForm1.T.Top” because it cannot locate the value for UserForm1.T.Top.
 

Looks like we will have to reverse the Module1 VBA Script by hand. To begin, we load the script into a new Word document so we can debug it with the built-in VBA debugger. Debugging the script we quickly discover the code that caused ViperMonkey to fail. 


This code fails to run because Form1 was not able to be dumped using the OfficeMalScanner tool. Only metadata for Form1 was dumped and the value for Form1.T.Top is nowhere to be found. This is a good technique to halt automatic VBA analysis because the variable from the password protected form cannot be acquired (that I am aware of.) We will have to manually trace the code and reverse the function that uses this variable to try and determine what it’s value is supposed to be. 


Tracing the variable assignments for i=Form1.T.Top eventually assigns i to variable T and later brings us to line 56.
Variable fr will equal T - 11 and then on line 60 variable Wet will equal 1 - fr.
Line 62 states that if Wet = 0 then rd will be the character representation of variable rd. 
 
If we take these statements in reverse logical order we get the following:
For rd to be a Char, Wet must equal 0:
Wet = 0
Wet = 1 - fr(1) = 0
fr = T(12) - 11 = 1
T(12) = i(12) = UserForm1.T.Top(12)
UserForm1.T.Top == 12


If we replace UserForm1.T.Top with the value of 12 and debug the script, we slowly see legible text populate the variable onearm. We have successfully reversed the logic of the VBA and are presented with the following batch file in the variable: 


This script will download a malicious PNG file (actually an EXE) from the cfai66.fr website (unsure if this is a legitimate website that has been compromised) and execute it on our machine. This file is a generic Trojan and is not attributed to a specific campaign. 
 

DROPPED FILES

i.bat
npzdi.exe

NETWORK TRAFFIC

cfai66.fr/parabola.png
cfa-noisylegrand.com/parapola.png

CONCLUSION

This has been an interesting VBA Project Enabled Word Document that employed Password protection to hinder analysis. After several password removal attempts, automatic tool analysis with OfficeMalScanner and ViperMonkey, we finally move to manual reversing of the VBA function to discover the missing value which caused the script to fail during debugging.