This is just a short post detailing a quick trick to remove VBA project protection from MS Office documents, tested on a Word 2003 document attached to a banking-themed email.


The document in question is one of a range that comes as an attachment, apparently from one of several Australian/NZ banks (as outlined here):


What we’re looking at is your standard macro-laden document, requesting that you enable all content and editing so that it’s able to execute a VBA macro that fetches and executes a malicious binary, in this case TrickBot.


Unfortunately, dynamic analysis failed to retrieve the binary’s location, and the VBA project is password-protected (rather than using the usual XOR obfuscation we see), which means a little extra work to determine it. But never mind that: it’s fairly simple to bypass.

Open the document in a hex editor and search for the string ‘DPB’:


Replace this with ‘DPX’:


Save the file and open it again in Word. It will error, but that’s OK:


Navigate to the developer tab > Visual Basic > right-click on the project > select ‘Project Properties’ > jump across to the ‘Protection’ tab > untick ‘Lock project for viewing’:


Save the document, exit it and then re-open it.
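The hex-editor step above can be scripted so the original sample stays untouched and the patch is applied to a copy. The following is an added example, not code from the post: it renames every `DPB="` key to `DPX="` in the raw file bytes (same length, so OLE sector offsets are unchanged) and reports how many it found. The `find_protection_keys`, `patch_vba_protection` and `patch_file` names are this example’s own; the sample bytes in the test are constructed.

```python
from pathlib import Path
import sys

# The VBA project's PROJECT stream (MS-OVBA) stores the lock as plain-text
# key/value lines, among them DPB="<hex>" (the project password entry).
# Renaming the key to DPX= keeps the file byte-for-byte the same length, so
# the OLE sector layout is untouched; Office no longer recognises the entry,
# raises a recoverable error on open, and the lock can then be cleared from
# the Project Properties dialog.
DPB_KEY = b'DPB="'
DPX_KEY = b'DPX="'


def find_protection_keys(data: bytes) -> list:
    """Offsets of every DPB=" occurrence in the raw file bytes."""
    offsets, pos = [], data.find(DPB_KEY)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(DPB_KEY, pos + 1)
    return offsets


def patch_vba_protection(data: bytes) -> tuple:
    """Return (patched bytes, number of DPB=" keys renamed to DPX=")."""
    hits = find_protection_keys(data)
    patched = bytearray(data)
    for off in hits:
        patched[off:off + len(DPB_KEY)] = DPX_KEY   # same length, in place
    assert len(patched) == len(data)               # never shifts sector offsets
    return bytes(patched), len(hits)


def patch_file(src: Path, dst: Path) -> int:
    """Write a patched copy of src to dst; the sample itself is never modified."""
    data = src.read_bytes()
    patched, n = patch_vba_protection(data)
    if n == 0:
        # Zero hits usually means the token is split across OLE (mini-)sectors,
        # or the file is OOXML (.docm), where vbaProject.bin sits deflated inside
        # a zip container; extract that stream first in those cases.
        return 0
    dst.write_bytes(patched)
    return n


if __name__ == "__main__":
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    print(f"renamed {patch_file(src, dst)} DPB entries -> {dst}")
```

Run it as `python patch_dpb.py sample.doc sample_unlocked.doc` (hypothetical file names), then continue with the Developer tab steps above on the copy; a count of zero means the plain byte search did not find the key and the PROJECT stream needs to be extracted first.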

In this case the main function, ‘marco’, resides in a module named Module1. It uses string concatenation to build a PowerShell command that fetches a binary and executes it. The pieces are sourced either from other, explicitly declared variables or from other elements in the project (e.g. form values):


As with any method of obfuscation, the code must eventually produce shell-interpretable (and therefore human-readable) text in order to execute the intended command. So, with the command assigned to a string variable and a breakpoint set on that line, the variable’s value can be read in the Locals window:
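When the debugger is not an option (no Office VM to hand, or many samples to triage), the same concatenation chains can be folded statically. The following is an added example, not the post’s code, and it generalises the breakpoint step: it walks a module’s assignments top to bottom, resolving string literals, `Chr(n)`, built-in constants such as `vbCrLf` and previously assigned variables, and reports anything it cannot fold (a form control, a function call) rather than guessing. The `SAMPLE_MODULE` text is constructed for this example and uses a harmless `Get-Item` command; `eval_concat`, `resolve_module` and `UserForm1.TextBox1` are this example’s own names.

```python
import re
from typing import Optional

# Constructed VBA module text for this example; it is not the analysed
# document's code. 'other' deliberately depends on a form control so the
# resolver has something it cannot fold.
SAMPLE_MODULE = '''
' constructed sample
Dim host As String
Dim tail As String
Dim cmd As String
host = "exam" & "ple" & ".inv" & "alid"
tail = " -Name " & Chr(34) & host & Chr(34)
cmd = "Get-" & "Item" & _
      tail & vbCrLf
other = UserForm1.TextBox1.Value & "abc"
'''

# Built-in string constants VBA code commonly mixes into concatenations.
VBA_CONSTANTS = {"vbcrlf": "\r\n", "vbcr": "\r", "vblf": "\n",
                 "vbtab": "\t", "vbnullstring": ""}

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')
# One token at a time: string literal, Chr(n)/Chr$(n), identifier,
# concatenation operator (& or +), or the apostrophe that starts a comment.
TOKEN_RE = re.compile(
    r'\s*(?:"((?:[^"]|"")*)"|Chr\$?\((\d+)\)|([A-Za-z_]\w*)|([&+])|(\'))',
    re.IGNORECASE)


def _join_continuations(src: str) -> list:
    """Fold VBA ' _' line continuations into single logical lines."""
    lines, buf = [], ""
    for line in src.splitlines():
        if line.rstrip().endswith(" _"):
            buf += line.rstrip()[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    if buf:
        lines.append(buf)
    return lines


def eval_concat(expr: str, env: dict) -> Optional[str]:
    """Fold a chain of literals, Chr(n) and known variables joined by & or +.

    Returns None when any piece is not statically known (a form control,
    a function call, an undefined variable), so nothing is invented.
    """
    pos, parts, expect_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            if expr[pos:].strip() == "":
                break
            return None                      # unsupported syntax
        pos = m.end()
        lit, code, ident, op, comment = m.groups()
        if comment is not None:
            break                            # rest of the line is a comment
        if op is not None:
            if expect_operand:
                return None                  # operator with no left operand
            expect_operand = True
            continue
        if not expect_operand:
            return None                      # two operands without an operator
        if lit is not None:
            parts.append(lit.replace('""', '"'))   # VBA doubles embedded quotes
        elif code is not None:
            parts.append(chr(int(code)))
        elif ident.lower() in env:
            parts.append(env[ident.lower()])
        else:
            return None                      # unknown name: leave unresolved
        expect_operand = False
    if expect_operand:
        return None                          # empty expression or trailing operator
    return "".join(parts)


def resolve_module(src: str) -> tuple:
    """Walk assignments in order, folding each as the macro would at run time.

    Returns (resolved values keyed by lower-cased name, unresolved assignments).
    """
    env, unresolved = dict(VBA_CONSTANTS), []
    for line in _join_continuations(src):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.group(1).lower(), m.group(2)
        value = eval_concat(expr, env)
        if value is None:
            unresolved.append((name, expr.strip()))
        else:
            env[name] = value
    return env, unresolved


if __name__ == "__main__":
    values, todo = resolve_module(SAMPLE_MODULE)
    for name in ("host", "tail", "cmd"):
        print(f"{name} = {values[name]!r}")
    print("unresolved:", todo)
```

Anything in the unresolved list is exactly what the post’s breakpoint is for: values that only exist at run time (form fields, function results) still need the Locals window, while the literal-only chains are recovered without executing the macro.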


You can view the report on this particular file on Hybrid Analysis as well as for the original document.
