
Searching for Microsoft Office Files Containing Macro

2015-01-09 01:50

A quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: “How to search for Office documents containing macros on a NAS?”. Searching for such documents is a good idea, since VBA macros are a well-known infection vector and come back regularly in the news, as in the Rocket Kitten campaign.

My first idea was to use the oledump tool developed by Didier Stevens. Without any command line option, this nice tool lists the streams contained in a document, and macros are flagged with an “M” as in the example below. The 7th stream is a macro:

# ./oledump.py /tmp/Suspicious/Invoice.doc 
 1:      113 '\x01CompObj'
 2:     4096 '\x05DocumentSummaryInformation'
 3:     4096 '\x05SummaryInformation'
 4:     4096 '1Table'
 5:      444 'Macros/PROJECT'
 6:       41 'Macros/PROJECTwm'
 7: M  12604 'Macros/VBA/ThisDocument'
 8:     3413 'Macros/VBA/_VBA_PROJECT'
 9:      514 'Macros/VBA/dir'
10:     4142 'WordDocument'

But this requires grepping for the “M” in the output, which adds some complexity. Didier responded on Twitter with another tool he also developed: filescanner.exe. This tool does exactly the job we expect by searching for patterns in a file, but it runs only on Windows! Being a UNIX guy, why not use YARA with a custom signature to achieve this? As Didier said, an Office document containing a macro can be detected by searching for the following patterns:

  • 0xD0 0xCF 0x11 0xE0
  • 0x00 0x41 0x74 0x74 0x72 0x69 0x62 0x75 0x74 0x00

Let’s write a simple YARA rule:

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}                      // OLE2 compound file magic, must be at offset 0
        $b = {00 41 74 74 72 69 62 75 74 00}    // "Attribut" token present in VBA macro streams
    condition:
        $a at 0 and $b
}

Finally, let’s mount our NAS share (NFS, CIFS, AFS, …) and use the standard UNIX tool “find” to search for juicy files:

# mkdir /mnt/share
# smbmount //nas.lan/users /mnt/share -o username=user,password=pass,ro
# find /mnt/share -type f -size -1M -exec yara /tmp/office-macro.rule {} \;
office_macro /mnt/share/xavier/tmp/Invoice.doc
office_macro /mnt/share/tmp/TaskManager.xls
...

And you can use the power of the find command to restrict your search to specific files only. If you don’t know YARA, have a look at this powerful tool. Happy scanning!
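The same two-pattern check, written as a small Python script that walks a mounted share in place of the find/yara pipeline above. This is an added example, not code from the original post or from Didier Stevens; the sample byte strings are constructed, not real documents, and the default root path is an assumption.

```python
"""Pure-Python equivalent of the office_macro YARA rule (added example)."""
import os
import sys

OLE_MAGIC = b"\xd0\xcf\x11\xe0"       # first four bytes of an OLE2 compound file header
ATTRIBUT_TOKEN = b"\x00Attribut\x00"  # 00 41 74 74 72 69 62 75 74 00, the "Attribut" token
MAX_SIZE = 1 * 1024 * 1024            # mirrors "find -size -1M"


def has_office_macro(data: bytes) -> bool:
    """True when data matches the rule: OLE magic at offset 0 AND the token anywhere."""
    return data.startswith(OLE_MAGIC) and ATTRIBUT_TOKEN in data


def scan_tree(root: str, max_size: int = MAX_SIZE):
    """Yield paths of regular files under root, at most max_size bytes, matching the rule."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entries on the share are skipped
            if has_office_macro(data):
                yield path


# Constructed sample inputs (not real documents) to exercise the check offline.
SAMPLE_WITH_MACRO = (OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64
                     + b"Macros/VBA" + ATTRIBUT_TOKEN + b"e" + b"\x00" * 16)
SAMPLE_NO_MACRO = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64 + b"WordDocument"
SAMPLE_NOT_OLE = b"PK\x03\x04" + ATTRIBUT_TOKEN  # token present, but not an OLE2 container

if __name__ == "__main__":
    # Assumed default mount point; pass another root on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/share"
    for hit in scan_tree(root):
        print("office_macro", hit)
```

Like the YARA rule, this only matches OLE2 containers (legacy .doc/.xls): macro-enabled OOXML files (.docm, .xlsm) keep the VBA project as vbaProject.bin inside a ZIP, so the token is compressed and never appears in the raw bytes.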


Source: blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
