oledump analysis of Rocket Kitten – Guest Diary by Didier Stevens, (Fri, Jan 2nd)

In his Rocket Kitten diary entry, Johannes introduces research by Gadi Evron and Tillmann Werner. They analyzed a PE-file embedded in the VBA macro code of an XLSM spreadsheet.

I want to show you how you can quickly analyze MS Office documents and extract embedded files, using just my Python oledump tool and nothing else. You don't need MS Office for this analysis.

First we run oledump on the XLSM file:

[screenshot: oledump output listing the streams of the XLSM file]

The first line (A: ) indicates that oledump found an OLE file named xl/vbaProject.bin inside the XLSM file. Remember that the new MS Office file format (.docx, .xlsm, ...) is a set of XML files stored inside a ZIP file. But VBA macros are not stored in XML files; they still use the older MS Office file format: OLE files.

oledump reports the streams it finds inside the OLE file: from index A1 through A10. A letter M next to the index is an indicator for the presence of VBA code. A lowercase letter m indicates VBA code with only Attribute statements, an uppercase letter M indicates more sophisticated VBA code, i.e. code with other statement types than Attribute statements.

If oledump finds streams with VBA macros, I always look first at the streams marked with an uppercase letter M, as these contain the most promising code.

After the column with the macro indicator comes a column with the size (in bytes) of the stream, and another column with the full name of the stream.

Let's take a look at the VBA code in stream A3 like this:

oledump.py -s A3 -v 266CFE755A0A66776DF9FD8CD2FEE1F1.xlsm

Option -s A3 selects stream A3 for analysis, and option -v decompresses the VBA code so you can read the source:

[screenshot: decompressed VBA source of stream A3]

Here is a part of the VBA source code. Note function A0: it concatenates characters generated with function Chr into a long string. That string is the embedded file.

[screenshot: hex/ASCII dump of the decoded string]

By default, you get a hex/ASCII dump of the embedded file. Now you can see that the embedded file is a PE file.

Last, we dump (option -d) the embedded PE file to disk and calculate its hash:

[screenshot: dumping the PE file and its MD5]

The MD5 of the PE file is c222199c9a7eb0d162d5e96955739447. That is one of the IOCs Johannes included in his diary entry.
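The decoding step described above (function A0 building a string out of Chr() calls), the PE check and the MD5 calculation, written out as an added example in Python. This is not part of the diary or of oledump itself; the VBA snippet and the 68-byte "PE header" it encodes are constructed test input, and the helper names are my own.

```python
import hashlib
import re
import struct

# Matches Chr(77), ChrB(&H4D), Chr$(  90 ) etc. and captures the numeric argument.
CHR_CALL = re.compile(r"\bChr[BW]?\$?\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)", re.IGNORECASE)


def extract_chr_payload(vba_source):
    """Rebuild the byte string a macro assembles by concatenating Chr() calls, in order.

    Only the byte-valued case is handled: a value above 255 (possible with ChrW)
    makes bytes() raise, which is the right outcome when we expect a PE file.
    """
    values = []
    for arg in CHR_CALL.findall(vba_source):
        values.append(int(arg[2:], 16) if arg.upper().startswith("&H") else int(arg))
    return bytes(values)


def is_pe(data):
    """Check the DOS 'MZ' stub and that e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_sample_vba(payload):
    """Constructed test input only: emit VBA in the style of function A0."""
    calls = " & ".join("Chr(%d)" % b for b in payload)
    return "Function A0() As String\n    A0 = " + calls + "\nEnd Function\n"


# Constructed minimal PE header (not a real executable): MZ stub, e_lfanew = 0x40, PE signature.
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_VBA = build_sample_vba(SAMPLE_PE)


def analyze(vba_source):
    """Return (payload, is_pe, md5) for the Chr()-built string found in a VBA stream."""
    payload = extract_chr_payload(vba_source)
    return payload, is_pe(payload), md5_hex(payload)


if __name__ == "__main__":
    payload, pe, digest = analyze(SAMPLE_VBA)
    print("extracted %d bytes, PE=%s, MD5=%s" % (len(payload), pe, digest))
```

Feed analyze() the decompressed output of oledump -v for a real stream and compare the MD5 it returns with the IOC list.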

Oledump can be found on my blog.

— Didier Stevens

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
