
SANS ISC: Metasploit's Maldoc - SANS Internet Storm Center


Metasploit's Maldoc

I often write posts and make videos on malicious document analysis, that I post here and on my blog.

Here is another video on malicious Office document analysis (a .docm file), but with a twist: this maldoc was created with Metasploit module office_word_macro.

.docm files created with this module embed a payload (a Windows executable) as a BASE64 encoded property of the Word document. So it is rather easy to extract the payload: just extract the BASE64 code from the XML file and decode it.

Detecting these documents is not that difficult: this Metasploit module always uses the same VBA code. The OLE file that contains the macros, vbaProject.bin, is not modified when it is embedded in a .docx file to create a .docm file.

So it's always the same file, and that makes it detectable. If you are interested, I have YARA rules and ClamAV signatures here.

Of course, these signatures will work with the current version of the Metasploit module; there is no guarantee that they will match future versions.
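The two ideas above (pull the base64-encoded executable out of the document's XML, and fingerprint the unmodified vbaProject.bin) can be put into one small triage script. The following is an added example, not code from the diary or from the Metasploit module: it treats the .docm as the zip container it is, scans every XML part for long base64 runs that decode to a PE image (an `MZ` header), and hashes `word/vbaProject.bin` so it can be compared against hashes an analyst has already collected. The location `docProps/custom.xml` used for the constructed sample, the 64-character minimum run length and the `KNOWN_BAD_VBA_SHA256` set are assumptions made for the example; the page gives no hash values, so the set ships empty and is meant to be filled from your own signature collection.

```python
import base64
import hashlib
import io
import re
import zipfile

# Base64 runs shorter than this are unlikely to carry an executable (assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Placeholder: fill with SHA-256 hashes of vbaProject.bin files you have confirmed
# as generated by the Metasploit module; the diary itself gives no hash values.
KNOWN_BAD_VBA_SHA256 = set()


def find_payloads(docm_bytes):
    """Return [(part_name, decoded_bytes)] for every base64 blob found in an
    XML part of the document that decodes to a PE image (starts with b'MZ')."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = z.read(name)
            for m in B64_RUN.finditer(data):
                try:
                    blob = base64.b64decode(m.group(0), validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                if blob.startswith(b"MZ"):
                    found.append((name, blob))
    return found


def vba_project_sha256(docm_bytes):
    """SHA-256 of word/vbaProject.bin, or None when the document carries no macro project."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        if "word/vbaProject.bin" not in z.namelist():
            return None
        return hashlib.sha256(z.read("word/vbaProject.bin")).hexdigest()


def matches_known_vba(docm_bytes, known_hashes=KNOWN_BAD_VBA_SHA256):
    """True when the document's vbaProject.bin hash is in the analyst-supplied set."""
    digest = vba_project_sha256(docm_bytes)
    return digest is not None and digest in known_hashes


def build_sample_docm(payload, vba_project=None):
    """Constructed stand-in for a .docm: a zip with a custom-properties XML part
    carrying the base64 payload and, optionally, an (untouched) vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_project is not None:
            z.writestr("word/vbaProject.bin", vba_project)
        z.writestr(
            "docProps/custom.xml",
            '<Properties><property name="p"><vt:lpwstr>%s</vt:lpwstr></property></Properties>'
            % base64.b64encode(payload).decode(),
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a fake PE (MZ header plus filler) and a fake OLE blob as vbaProject.bin.
    sample = build_sample_docm(b"MZ" + b"\x90" * 100, b"\xd0\xcf\x11\xe0" + b"A" * 32)
    for part, blob in find_payloads(sample):
        print("payload in %s: %d bytes, sha256 %s" % (part, len(blob), hashlib.sha256(blob).hexdigest()))
    print("vbaProject.bin sha256:", vba_project_sha256(sample))
    print("known Metasploit macro project:", matches_known_vba(sample))
```

On a real sample, replace `build_sample_docm(...)` with the bytes of the suspect file; the `MZ` check is deliberately loose so that a payload stored anywhere in the package's XML is still surfaced, and a hit should then be confirmed with a proper PE parser rather than trusted on the two-byte header alone.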


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

