Anti-Malware Laboratory

Yet Another Malware Blog

Friday, October 9, 2015

Another Macro Script Technique in Executing Malware

Posted on Friday, October 09, 2015 by bernadette
Recently I came across a macro malware that uses a technique quite new to me. If macros are enabled, the macro script does the following:

  1. Save the DOC file as RTF, producing 300.rtf and 301.rtf
  2. Open 300.rtf, the copy that carries an embedded PE file
  3. Then execute the PE file
Let's analyze the file and see how it pulls off the trick above.

Inspecting the file in Hiew shows that it contains an embedded PE file. Simply opening the document in Word does not run that PE file, but with the help of the macro script it becomes possible.

Existing macro scripts in the file. The macro scripts are password protected.

Extracted macro script

Inspecting 300.rtf shows that it contains an embedded object.
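The embedded object can be located and carved programmatically rather than by eye in Hiew. The script below is an added example and is not part of the original post or its sample: it builds a constructed RTF holding one OLE1 "Package" object that wraps a fake PE image, decodes every \objdata hex stream, reads the OLE1 class name, and carves anything that looks like a PE (an MZ header whose e_lfanew lands on a "PE\0\0" signature). The sample RTF, the fake PE bytes and every function name are constructed for illustration. A real Package object wraps the dropped file in its own structure (file name and paths), which the MZ-based carve simply skips over; control words inside the objdata group (such as \bin) are not handled.

```python
from __future__ import annotations
import struct

HEXDIGITS = set("0123456789abcdefABCDEF")


def _fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by filler bytes."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 22 + b"payload-stub"


def _ole1_wrap(payload: bytes, classname: bytes = b"Package") -> bytes:
    """Wrap payload in an OLE1 embedded-object header as found in \\objdata:
    OLEVersion, FormatID (2 = embedded), class name, two empty strings,
    then the native data length and the data itself."""
    hdr = struct.pack("<II", 0x00000501, 2)
    hdr += struct.pack("<I", len(classname) + 1) + classname + b"\0"
    hdr += struct.pack("<II", 0, 0)
    return hdr + struct.pack("<I", len(payload)) + payload


def _hexlines(data: bytes, width: int = 64) -> str:
    """Hex-encode and wrap the way Word writes object data into RTF."""
    h = data.hex()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))


# Constructed sample RTF (not the 300.rtf from the post): one embedded Package
# object carrying the fake PE above, written as a wrapped hex stream.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\object\objemb{\*\objclass Package}{\*\objdata "
    + _hexlines(_ole1_wrap(_fake_pe()))
    + r"}}\par Please enable content to view this document.}"
)


def extract_objdata(rtf: str) -> list[bytes]:
    """Return the decoded bytes of every \\objdata group in the RTF text.
    Hex digits are collected only at the group's own nesting level, so junk
    placed in nested sub-groups (a common obfuscation) is ignored."""
    blobs = []
    pos = rtf.find("\\objdata")
    while pos != -1:
        i, depth, hexchars = pos + len("\\objdata"), 0, []
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break                            # end of the objdata group
                depth -= 1
            elif depth == 0 and c in HEXDIGITS:
                hexchars.append(c)
            i += 1
        h = "".join(hexchars)
        if len(h) % 2:
            h = h[:-1]                               # drop a dangling nibble
        if h:
            blobs.append(bytes.fromhex(h))
        pos = rtf.find("\\objdata", i)
    return blobs


def ole1_classname(blob: bytes) -> str | None:
    """Class name from the OLE1 header, e.g. 'Package' for a dropped file."""
    if len(blob) < 12:
        return None
    _version, fmt, nlen = struct.unpack_from("<III", blob, 0)
    if fmt != 2 or nlen == 0 or 12 + nlen > len(blob):
        return None
    return blob[12:12 + nlen].rstrip(b"\0").decode("latin-1")


def carve_pe(blob: bytes) -> list[bytes]:
    """Every offset where an MZ header's e_lfanew lands on 'PE\\0\\0',
    returned as the bytes from that MZ to the end of the object data."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\0\0":
                found.append(blob[pos:])
        pos = blob.find(b"MZ", pos + 1)
    return found


def triage_rtf(rtf: str) -> list[dict]:
    """One record per embedded object: class name, size and carved PEs."""
    return [
        {"class": ole1_classname(b), "size": len(b), "pe": carve_pe(b)}
        for b in extract_objdata(rtf)
    ]


if __name__ == "__main__":
    for rec in triage_rtf(SAMPLE_RTF):
        print(rec["class"], rec["size"], [len(p) for p in rec["pe"]])
```

Run it on a real file with `triage_rtf(open(path, encoding="latin-1").read())`; a "Package" class with a carved PE inside is exactly the shape of the object the post describes, and the carved bytes can be written out for further analysis.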
With the following instructions the macro opens 300.rtf in a second, hidden Word instance. When Word loads the document, the embedded PE file is extracted to the TEMP folder, and the macro is then able to execute it from there.

' TCA holds the path of the saved 300.rtf
Set sttKaka = CreateObject("Word.Application")   ' second Word instance via COM automation
sttKaka.Visible = False                          ' keep the instance hidden from the user
Set docWord = sttKaka.Documents.Open(TCA)        ' loading the RTF extracts the embedded object to TEMP
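These three lines are a useful detection signature on their own: a macro that spawns a second Word.Application, hides it and opens another document is doing something an ordinary document macro has no reason to do. The script below is an added example, not code from the post or from the sample: it normalises extracted VBA source (joins line continuations, strips comments, merges split string literals) and then checks for that pattern together with the supporting steps the post describes (saving as RTF, a TEMP path, launching a process). Both macro texts in it are constructed; SUSPICIOUS_MACRO mirrors the behaviour and variable names above, and the dropped file name in it is an assumption.

```python
import re

# Constructed macro source (not the sample from the post). It follows the
# three steps described there and splits one string literal across a
# continuation line to show why normalisation must come before matching.
SUSPICIOUS_MACRO = r'''
Sub AutoOpen()
    Dim TCA As String
    TCA = Environ("TEMP") & "\300.rtf"
    ActiveDocument.SaveAs2 FileName:=TCA, FileFormat:=wdFormatRTF
    Set sttKaka = CreateObject("Wor" & _
        "d.Application")   ' literal split across a continuation
    sttKaka.Visible = False
    Set docWord = sttKaka.Documents.Open(TCA)
    Shell Environ("TEMP") & "\dropped.exe", vbHide  ' assumed name of the extracted PE
End Sub
'''

# Constructed benign macro for contrast: formatting only, no automation.
BENIGN_MACRO = r'''
Sub FormatReport()
    ' Make the first paragraph bold - no automation, no file I/O
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

# Patterns are matched against the lower-cased, normalised source.
INDICATORS = {
    "word_automation":  r'createobject\("word\.application"\)',
    "hidden_instance":  r'\.visible\s*=\s*false',
    "opens_document":   r'\.documents\.open\(',
    "saves_as_rtf":     r'saveas2?\b.*?(wdformatrtf|\.rtf")',
    "temp_path":        r'environ\("temp"\)',
    "launches_process": r'\bshell\b|wscript\.shell',
}


def _strip_comment(line: str) -> str:
    """Cut a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, c in enumerate(line):
        if c == '"':
            in_str = not in_str
        elif c == "'" and not in_str:
            return line[:i]
    return line


def normalize_vba(src: str) -> str:
    """Fold the cheap tricks that defeat naive grep-style matching."""
    src = re.sub(r"[ \t]*_\r?\n[ \t]*", " ", src)      # join " _" continuation lines
    src = "\n".join(_strip_comment(l) for l in src.splitlines())
    src = re.sub(r'"\s*&\s*"', "", src)                 # "Wor" & "d" -> "Word"
    src = re.sub(r"[ \t]+", " ", src)                   # collapse runs of blanks
    return src.lower()


def analyze_macro(src: str) -> dict:
    """Report which indicators fire and whether the hidden-Word triad is present."""
    text = normalize_vba(src)
    hits = {name: bool(re.search(pat, text)) for name, pat in INDICATORS.items()}
    # The core of the technique: a second Word instance, hidden, opening a file.
    triad = hits["word_automation"] and hits["hidden_instance"] and hits["opens_document"]
    return {"hits": hits, "score": sum(hits.values()), "hidden_word_automation": triad}


if __name__ == "__main__":
    for label, macro in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, analyze_macro(macro))
```

The normalisation, not the regexes, does the real work here: without joining the continuation and merging the split literal, "Word.Application" never appears in the source text and the first indicator stays silent. The script expects VBA source that has already been extracted from the document (for example with olevba); it does not parse the OLE container itself.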
This technique only works in Microsoft Word 2010 and Microsoft Word 2013; with Word 2007 and below it runs into a Privacy Warning.

It is highly advisable to disable macros to keep this type of malware from compromising your system.
