Tampering with Digitally Signed VBA Projects

TL;DR Macro code in Office documents can be digitally signed, and Office can be configured to restrict macro execution to digitally signed documents. We found a method to alter digitally signed VBA projects to execute our own, arbitrary code under the right conditions, without invalidating the digital signature. When we recommend clients to harden their … Continue reading Tampering with Digitally Signed VBA Projects

Video: Attack Surface Reduction (ASR) Bypass using VBA

Introduction Attack surface reduction rules in Windows target software behaviors that are often abused by attackers. In this blog post & video, we want to demonstrate a way of bypassing one of these rules from within VBA. Bypass Parent process selection can be done from VBA. There is an Attack Surface Reduction rule to block … Continue reading Video: Attack Surface Reduction (ASR) Bypass using VBA

Evidence of VBA Purging Found in Malicious Documents

TL;DR We have found malicious Office documents containing VBA source code only, and no compiled code. Documents like these are more likely to evade anti-virus detection due to a technique we dubbed "VBA Purging". VBA Purging techniqueMalicious MS Office documents leveraging VBA, have their VBA code stored inside streams of Compound File Binary Format files. … Continue reading Evidence of VBA Purging Found in Malicious Documents

Analyzing a Malicious Spreadsheet Dropping a DLL

Introduction This week, we received a suspicious spreadsheet which was used as a malware dropper in a phishing campaign. The spreadsheet writes a DLL file to disk and subsequently executes it. In this blog post, we perform the full analysis of the suspicious spreadsheet. Analyzing the document The analysis of this Excel file starts with … Continue reading Analyzing a Malicious Spreadsheet Dropping a DLL

Extracting Certificates From the Windows Registry

I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs, containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates Certificates, encoded in DER format, always start with value … Continue reading Extracting Certificates From the Windows Registry