Excel 4.0 Macro: A Walkthrough of Malicious Document Analysis by DrEvil

drevil
3 min read, Dec 28, 2023


Introduction: Attackers employ many techniques to compromise systems, and not all of them need a software vulnerability. One such method abuses Excel 4.0 (XLM) macros, a legacy but still supported spreadsheet feature, to execute attacker-controlled code as soon as a document is opened. This article walks through the dissection of one such malicious Office document, showing the techniques the attacker used and the indicators a defender can extract from each step.

Unraveling the Macro Functionality:

Q: Attackers use a function to make the malicious VBA macros they have prepared run when the document is opened. What do attackers change the cell name to make Excel 4.0 macros work to provide the same functionality?

A: auto_open

Explanation: To analyse the macros inside the XLS file, olevba (from the oletools package) is the first stop; XLMMacroDeobfuscator comes in later, when the formulas themselves have to be decoded. Running ‘olevba filepath -a’ against the document reports an Excel 4.0 macro sheet together with a defined name, ‘Auto_Open’, that Excel treats the way it treats a VBA Auto_Open() procedure: the cell that name refers to is evaluated automatically when the workbook is opened. So the attacker does not really rename a cell; they assign the built-in name Auto_Open to the first cell of their macro chain. The answer is written in lowercase, ‘auto_open’, which is fine because Excel defined names are case-insensitive.

Download/Install: oletools (provides olevba)

Identifying the Execution Point:

Q: What is the address of the first cell where Excel 4.0 macros will run in the malicious Office document you are analyzing?

A: doc4!ba7

Explanation: The Auto_Open name holds no code itself; it points at a cell, and that cell is where evaluation begins. In the olevba output the name resolves to ‘doc4!ba7’, i.e. cell BA7 on the macro sheet named doc4, so this is the first cell the Excel 4.0 macro executes. Knowing the start cell matters because macro sheets are commonly hidden or ‘very hidden’ and the entry point is placed far from A1 (column BA here) so that a quick manual look at the sheet shows nothing; the right approach is to follow the chain of formulas from the start cell, including any RUN or GOTO jumps, rather than reading the sheet top to bottom.

Initiating System Processes:

Q: Which function is used to start a process in the operating system in the document you are analyzing?

A: exec

Explanation: The formulas in the macro sheet are obfuscated, so they have to be emulated or deobfuscated before their intent is readable. XLMMacroDeobfuscator (‘xlmdeobfuscator --file filepath’) does this locally; the author instead looked up the file’s hash on a public analysis platform and read the deobfuscated macro from that report. Either way, the decoded chain contains a call to EXEC(). EXEC is the Excel 4.0 macro function that starts a program (the XLM counterpart of Shell in VBA), and it is the point at which the macro leaves the spreadsheet and launches a process on the host, which makes it the first function to search for in any deobfuscated XLM output.

Download/Install: XLMMacroDeobfuscator

Unmasking LOLBAS Tools:

Q: Which LOLBAS tool was used in the Excel 4.0 macros you analyzed?

A: regsvr32.exe

Explanation: Rather than dropping a custom executable, the macro hands off to ‘regsvr32.exe’, a signed Windows binary catalogued in the Living Off the Land Binaries and Scripts (LOLBAS) project. regsvr32.exe loads the DLL named on its command line and calls the DLL’s DllRegisterServer export, so passing a dropped DLL to it runs attacker code inside a trusted, Microsoft-signed process. Detections that only look for unsigned executables spawned by Office will miss this; the telling signal is the process tree, with excel.exe as the parent of regsvr32.exe, together with the DLL path on the command line.

Revealing Registered DLLs:

Q: What is the name of the registered DLL?

A: iroto.dll

Explanation: The report shows the macro registering ‘iroto.dll’ (and a second copy, ‘iroto1.dll’) through regsvr32.exe. These DLLs are the stage that the macro hands execution to: the spreadsheet itself contains no payload beyond the formulas, so the DLL names and the paths they are loaded from are the indicators worth extracting for hunting across other hosts.
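The answers so far all come from the same few artefacts: a defined name, the cell it resolves to, the formulas on a usually hidden macro sheet, and the process each EXEC() starts. The script below is an added example, not code from this walkthrough nor from oletools or XLMMacroDeobfuscator, that automates that triage for the OOXML (.xlsm) flavour of the same attack, where the legacy BIFF stream analysed above is replaced by XML parts inside a zip archive. The workbook it inspects is constructed inline and only modelled on the page’s findings; the sheet name Macro1, the A1 start cell, the regsvr32.exe command line and the iroto.dll path are assumptions, as are the LOLBAS list and the set of XLM launch functions it flags. Parsing the real XLS would need oletools’ BIFF support, so this sticks to the standard library.

```python
"""Triage an Excel 4.0 (XLM) macro workbook from its OOXML (.xlsm) container:
find the Auto_Open name and its start cell, list hidden sheets, and flag
EXEC()/CALL()/REGISTER() formulas, LOLBAS binaries and DLL paths. Stdlib only."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical; not the document from the walkthrough):
# a veryHidden macrosheet "Macro1" with Auto_Open pointing at Macro1!$A$1.
WORKBOOK_XML = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets>
    <sheet name="Sheet1" sheetId="1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>
  </definedNames>
</workbook>"""

MACROSHEET_XML = r"""<macrosheet xmlns="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>EXEC("regsvr32.exe /s C:\Users\Public\iroto.dll")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
  </sheetData>
</macrosheet>"""

# Process-launching XLM functions and a short LOLBAS list (assumed; extend as needed).
LAUNCH_RE = re.compile(r"\b(EXEC|CALL|REGISTER)\s*\(", re.I)
DLL_RE = re.compile(r"[\w:\\./-]+\.dll", re.I)
LOLBAS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe",
          "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _local(tag):
    """Drop the XML namespace so matching does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def build_sample():
    """Zip the constructed parts into an in-memory .xlsm-style package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/macrosheets/sheet1.xml", MACROSHEET_XML)
    return buf.getvalue()


def find_auto_open(workbook_xml):
    """Return (name, target cell) for Auto_Open, or None if absent.
    Excel stores built-in names with an _xlnm. prefix and names are
    case-insensitive, so match loosely rather than on the exact string."""
    root = ET.fromstring(workbook_xml)
    for el in root.iter():
        if _local(el.tag) == "definedName":
            bare = el.get("name", "").lower()
            if bare.startswith("_xlnm."):
                bare = bare[len("_xlnm."):]
            if bare == "auto_open":
                return el.get("name"), (el.text or "").strip()
    return None


def sheet_states(workbook_xml):
    """Map sheet name -> visibility; macro code usually sits on a veryHidden sheet."""
    root = ET.fromstring(workbook_xml)
    return {el.get("name"): el.get("state", "visible")
            for el in root.iter() if _local(el.tag) == "sheet"}


def macrosheet_formulas(zf):
    """Yield (part, cell, formula) for every formula on every macrosheet part."""
    for part in sorted(zf.namelist()):
        if part.startswith("xl/macrosheets/") and part.endswith(".xml"):
            for c in ET.fromstring(zf.read(part)).iter():
                if _local(c.tag) == "c":
                    for child in c:
                        if _local(child.tag) == "f" and child.text:
                            yield part, c.get("r"), child.text


def triage(package_bytes):
    """Run every check over an in-memory package and return a findings dict."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        wb = zf.read("xl/workbook.xml")
        launches = []
        for part, cell, formula in macrosheet_formulas(zf):
            if LAUNCH_RE.search(formula):
                low = formula.lower()
                launches.append({"part": part, "cell": cell, "formula": formula,
                                 "lolbas": sorted(b for b in LOLBAS if b in low),
                                 "dlls": DLL_RE.findall(formula)})
        return {"auto_open": find_auto_open(wb),
                "sheets": sheet_states(wb),
                "launches": launches}


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it as-is and the report names the Auto_Open target (Macro1!$A$1), marks Macro1 as veryHidden, and lists the A1 EXEC() call with regsvr32.exe and the DLL path pulled out, which is exactly the set of indicators the questions above ask for. To point it at a real .xlsm, replace build_sample() with the file’s bytes; formulas that are themselves obfuscated (built with CHAR() or FORMULA() at run time) still need emulation by a tool such as XLMMacroDeobfuscator before this kind of string matching will see the EXEC() call.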

Attribution Clues:

Q: What is the username that made the last change to the malicious document?

A: amanda

Explanation: The document’s metadata (the SummaryInformation stream, which olemeta from oletools prints) records ‘amanda’ in the ‘Last Modified by’ field. This is a useful pivot, since the same author name can tie documents from one campaign together, but it is not attribution on its own: the field is written by whichever client saved the file, can be edited or forged at will, and maldoc builders often leave a reused or meaningless value there. Treat it as a clue about the tooling that turned the XLS into a malicious document, not as the identity of the attacker.

Conclusion: This walkthrough covered the Excel 4.0 macro attack chain end to end: the Auto_Open name that triggers execution, the start cell it points at, the EXEC() call that launches a process, the regsvr32.exe LOLBAS binary used to load the dropped DLLs, and the metadata clue left in the document. Each step yields an indicator (defined name, start cell, command line, DLL names, author field) that can be turned into a detection or a hunt, which is how unravelling one sample helps defend against the next.

My Other Blogposts Link: Cyber-Security
