A Blog about Malware Analysis and Reverse Engineering

  • Maldoc uses template injection for macro execution

    I recently came across a handful of malicious office documents (maldocs) whose network traffic struck me as slightly odd. As you can see in the screenshot below, there are several HTTP requests to the hxxp://moveis-schuster-com.[ga] domain and some of these requests appear to be for a DOTM file. A DOTM file is a macro-enabled…

  • Reversing Control Structures with Ghidra: Loops

    In this video we’ll take a look at several basic looping structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify key logic and discuss the underlying assembly instructions. Understanding basic control…

  • Getting Started Reversing C++ Objects with Ghidra (Part 1)

    In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify when the objects are created, recognize the size/structure of the memory allocation and how it’s used by the object and explore the use…

  • Reversing Basic C++ Objects with Ghidra: Inheritance and Polymorphism (Part 2)

    In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify the size/structure of the memory allocation and how it’s used by the object and explore the use of virtual functions and virtual function…

  • Excel 4 Macros – Get.Workspace Reference

    With the recent resurgence of the use of Excel 4 macros in malicious Excel documents, I’ve found myself scouring the internet looking for language references. One such function that was particularly difficult to find documentation for was Get.Workspace, which takes an integer value as an argument and returns information about the environment. Since it appears…

  • Removing Passwords from VBA Projects

    Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rarely enough that I often forget the steps of removing the…

  • Maldoc drops DLL and executes via ExecuteExcel4Macro

    Behavioral information is a key indicator used to determine whether an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior, such as the execution of PowerShell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why –…

  • Maldoc uses Windows API to perform process hollowing

    A favorite technique of malware authors is to use macros in their office documents to launch a normal system executable and replace the code inside it, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks…

  • Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record

    Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately…

  • Disabling Teredo IPv6 Tunnelling

    If you’re seeing DNS queries for teredo.ipv6.microsoft.com you may be interested in disabling it (more at MSDN and Wikipedia). On Windows 7, you can run the following command from an elevated/administrator command prompt and say goodbye!