Cyber Security with Amit Malik - Episode 1 - Macro Analysis

Video Link:

Text:

Audience Level: Beginner, Internet user

Prerequisite: Python programming language

Introduction:

In this week I will discuss about the macro analysis since macros are one of the top threat today to compromise/infect the endpoint machines. These days the macro based downloaders download ransomeware, POS malware and other banking trojans so the investigation of the office documents is crucial. So in this session I will discuss about the tools and techniques to analyse the macro malwares.

Infection Method:

Malicious documents are mostly delivered through email campaigns. The attacker send the tailored email to the victim with the malicious email attachment. Once the victim open the malicious document it will download the malware from the website and execute it on the victim machine.

For example:

example::

Analysis:

compound file format: http://www.openoffice.org/sc/compdocfileformat.pdf

OOXML: office 2007+

LZNT1 – Compression Algo. ( Including NTFS)

RtlDecompressBuffer (Windows DDK)

chopshop implementation (LZNT1 _ Algo)

Olevba from Oletools.

Oleveba -> Compound file format + OOXML

Oletools installation:

https://github.com/decalage2/oletools/wiki/Install

Code:

#!/usr/bin/python

# Author: Amit Malik (Cysinfo)
# Level: Beginner Level tutorial

import sys
from oletools import olevba

class ExtractMacro():
    def __init__(self,sample):
        self.sample = sample
        self.results = {}

    def extract_macro(self):
        # invoking the VBA Parser from olevba
        vba = olevba.VBA_Parser(self.sample)
        macro_code = ""

        if vba.detect_vba_macros():
            for (filename, stream_path, vba_filename, vba_code) in vba.extract_macros():
                macro_code += olevba.filter_vba(vba_code)

            self.results["analysis"] = vba.analyze_macros()

            self.results["code"] = macro_code
            vba.close()
            return self.results

        vba.close()
        return False

    def analysis(self):
        return self.extract_macro()

if __name__ == '__main__':
    obj = ExtractMacro(sys.argv[1])
    results =  obj.analysis()
    for r in results["analysis"]:
        print r
    print "code: %s" % results["code"]

#!/usr/bin/python

# Author: Amit Malik (Cysinfo)

# Level: Beginner Level tutorial

import sys

from oletools import olevba

class ExtractMacro():

def __init__(self,sample):

self.sample = sample

self.results = {}

def extract_macro(self):

# invoking the VBA Parser from olevba

vba = olevba.VBA_Parser(self.sample)

macro_code = ""

if vba.detect_vba_macros():

for (filename, stream_path, vba_filename, vba_code) in vba.extract_macros():

macro_code += olevba.filter_vba(vba_code)

self.results["analysis"] = vba.analyze_macros()

self.results["code"] = macro_code

vba.close()

return self.results

vba.close()

return False

def analysis(self):

return self.extract_macro()

if __name__ == '__main__':

obj = ExtractMacro(sys.argv[1])

results = obj.analysis()

for r in results["analysis"]:

print r

print "code: %s" % results["code"]

Cyber Security with Amit Malik – Episode 1 – Macro Analysis

Amit Malik

Leave a Reply Cancel reply