TL;DR Macro code in Office documents can be digitally signed, and Office can be configured to restrict macro execution to digitally signed documents. We found a method to alter digitally signed VBA projects to execute our own, arbitrary code under the right conditions, without invalidating the digital signature. When we recommend clients to harden their … Continue reading Tampering with Digitally Signed VBA Projects
Category: Maldoc
Evidence of VBA Purging Found in Malicious Documents
TL;DR We have found malicious Office documents containing VBA source code only, and no compiled code. Documents like these are more likely to evade anti-virus detection due to a technique we dubbed "VBA Purging". VBA Purging techniqueMalicious MS Office documents leveraging VBA, have their VBA code stored inside streams of Compound File Binary Format files. … Continue reading Evidence of VBA Purging Found in Malicious Documents
Analyzing a Malicious Spreadsheet Dropping a DLL
Introduction This week, we received a suspicious spreadsheet which was used as a malware dropper in a phishing campaign. The spreadsheet writes a DLL file to disk and subsequently executes it. In this blog post, we perform the full analysis of the suspicious spreadsheet. Analyzing the document The analysis of this Excel file starts with … Continue reading Analyzing a Malicious Spreadsheet Dropping a DLL
Malicious SYLK Files with MS Excel 4.0 Macros
Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 … Continue reading Malicious SYLK Files with MS Excel 4.0 Macros
Detecting and Analyzing Microsoft Office Online Video
A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable. This technique does not rely on VBA macros and requires the use of the .docx format (for … Continue reading Detecting and Analyzing Microsoft Office Online Video
Differential Malware Analysis: An Example
There are many ways to analyze malware. In this blog post, we illustrate a typical analysis method: comparing an unknown sample with a known sample, to determine if the unknown sample is malicious or not. During one of our engagements, we came across a PDF document that triggered our anti-virus. What intrigued us, was that … Continue reading Differential Malware Analysis: An Example