This is just a short post detailing a quick trick to remove VBA project protection in MS Office documents, tested here on a Word 2003 document attached to a banking-themed email.

[screenshot: unp_2]

The document in question is one of a range that comes as an attachment, apparently from one of several Australian/NZ banks (as outlined here):

  • nab.com.au
  • anz.com.au
  • westpac.com.au
  • suncorp.com.au
  • commbank.com.au

What we’re looking at is your standard macro-laden document, requesting that you enable all content and editing so that it’s able to execute a VBA macro that fetches and executes a malicious binary – in this case TrickBot.

[screenshot: unp_1]

Unfortunately, dynamic analysis failed to retrieve the binary location, and the VBA project is protected (as opposed to using the usual XOR obfuscation we see), which means a little extra work is needed to determine it. But never mind that… it’s fairly simple to bypass.

Open the document in a hex editor and search for the string ‘DPB’:

[screenshot: unp_3]

Replace this with ‘DPX’:

[screenshot: unp_4]

Save the file and open it again in Word. It will error, but that’s OK:

[screenshot: unp_5]

Navigate to the developer tab > Visual Basic > right-click on the project > select ‘Project Properties’ > jump across to the ‘Protection’ tab > untick ‘Lock project for viewing’:

[screenshot: unp_6]

Save the document, exit it and then re-open it.
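The hex-editor step above can be scripted for a batch of samples. The following is an added example, not code from the original post: it scans the raw bytes of a Word 2003 (OLE) file for the protection records that Office writes into the PROJECT stream when “Lock project for viewing” is set (per the MS-OVBA specification these are CMG, DPB and GC, stored as plain ASCII lines such as DPB="…"), reports whether the project is protected, and writes a copy in which DPB has been renamed to DPX, exactly as done by hand above. The sample bytes embedded in the script are constructed for the example and are not taken from the document analysed in the post.

```python
"""Find VBA project-protection records and neutralise the DPB record.

Added example (not from the original post). It operates on the raw file bytes
the same way the hex-editor step does: the PROJECT stream inside an OLE
container is uncompressed ASCII, so its records can be located without an
OLE parser. Record names come from MS-OVBA: CMG (ProjectProtectionState),
DPB (ProjectPassword) and GC (ProjectVisibilityState).
"""
import re
import sys

# Match e.g. DPB="0123ABCD". Requiring the ="…" suffix avoids hitting stray
# 'DPB' bytes elsewhere in the container.
RECORD_RE = re.compile(rb'(CMG|DPB|GC)="([0-9A-Fa-f]*)"')

# Constructed stand-in for a .doc: a fake OLE signature followed by a
# PROJECT-stream fragment. The hex values are made up for the example.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    + b"Document=ThisDocument/&H00000000\r\n"
    + b"Module=Module1\r\n"
    + b'Name="Project"\r\n'
    + b'HelpContextID="0"\r\n'
    + b'CMG="0A08E2C4E6C8E6C8E6C8E6C8"\r\n'
    + b'DPB="14169ED1A6D2A6D2A6"\r\n'
    + b'GC="1E1C94DB9AD69AD69A"\r\n'
)


def find_protection_records(data):
    """Return {record name: hex value} for every protection record found."""
    return {m.group(1).decode(): m.group(2).decode() for m in RECORD_RE.finditer(data)}


def is_protected(data):
    """A project with a DPB (password) record is locked for viewing."""
    return "DPB" in find_protection_records(data)


def patch_dpb(data):
    """Rename each DPB="…" record to DPX="…".

    The replacement keeps the same length, so no other offsets in the OLE
    container move. Returns (patched bytes, number of records renamed).
    """
    return re.subn(rb'DPB(?=="[0-9A-Fa-f]*")', b"DPX", data)


def patch_file(src_path, dst_path):
    """Read src_path, write a DPB-patched copy to dst_path, return the count."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    patched, count = patch_dpb(data)
    with open(dst_path, "wb") as fh:
        fh.write(patched)
    return count


if __name__ == "__main__":
    if len(sys.argv) == 3:
        n = patch_file(sys.argv[1], sys.argv[2])
        print(f"renamed {n} DPB record(s); wrote {sys.argv[2]}")
    else:
        # Demonstrate on the constructed sample when no file is given.
        print("records:", find_protection_records(SAMPLE_DOC))
        patched, n = patch_dpb(SAMPLE_DOC)
        print("protected before:", is_protected(SAMPLE_DOC), "after:", is_protected(patched))
```

Run as `python patch_dpb.py sample.doc sample_unlocked.doc`; the original file is left untouched and the patched copy is what you open in Word to clear the protection tick box. This only rewrites the PROJECT stream, which is why it works on the raw .doc bytes; for Office 2007+ macro-enabled files the same bytes live inside vbaProject.bin in the zip container, so extract that part first and patch it there.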

In this case the main function ‘marco’ resides in a module named Module1. It uses string concatenation to form a PowerShell command that fetches a binary and executes it. The variables are either sourced from other, explicitly declared variables or other elements in the project (e.g. form values):

[screenshot: unp_7]

As with any method of obfuscation, it must eventually form shell-interpretable text (and thus human-interpretable text) in order to successfully execute the desired command. So, by assigning the command to a string variable and setting a breakpoint on the following line, the variable can be read in the Locals window:

[screenshot: unp_8]

You can view the report on this particular file on Hybrid Analysis as well as for the original document.
