Sunday, April 29, 2018

Revealing Password Protected VBA Macro Code

Last night I downloaded a malicious Word document from the Any.Run website. According to VirusTotal, the malware is recognized as Trojan-Downloader.MSWord.Agent.byj (Kaspersky).



Once opened, the document prompts the user to enable macros and content. Notice the funny typo: "Can't Veiw?".



Viewing the VBA code is made difficult with MS Office's built-in VBA project password protection. So the password protection has to be removed or cracked. I decided to remove password protection.



The document itself was also password protected, so this protection has to be removed first. Since I did not know the password, I just guessed it: "1234".



The document password can be removed from File/Properties. I was using the Finnish version of Word, so try to follow the screenshots anyway.



When the Document password is removed, save the document in docm format.



Now open Explorer, locate the previously saved docm file and open it with 7-Zip as an archive. I used 7-Zip, but this could be done with any archiver application.



Locate vbaProject.bin inside the archive (the Word document), then extract it from the archive.



Open the extracted vbaProject.bin file with your hex editor. Search for "DPB" as ASCII text. There should be only one occurrence of that string. Once you have found it, change "DPB" to "DPx". Save the modified file and close the hex editor.



Drag the modified vbaProject.bin file back to 7-Zip and replace the original vbaProject.bin file. If you use some other archiver you may need to do this in some other way.



Save the archive file; you can now re-open the docm file with Word. You should get an error message (see the image below). Answer "Yes" and the document loads.



Open the VBA editor and select the VBA project's properties. You should be able to remove project locking and any passwords. You may need to save and reload the document for the changes to take effect.



Finally you should see the hidden VBA code.
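The archive steps above (extract vbaProject.bin, change "DPB" to "DPx", put the file back) can be scripted, which helps when several samples need the same treatment. The following Python is an added example, not code from the original post; it assumes the key appears in its `DPB="` form, finds the member by file name, and runs on a constructed stand-in archive rather than a real document.

```python
import io
import zipfile

MARKER = b'DPB="'    # project-protection key inside vbaProject.bin
PATCHED = b'DPx="'   # same length, so offsets inside the binary stay valid


def patch_vba_project(blob: bytes) -> bytes:
    """Rename the single DPB key to DPx; refuse if the count is not exactly one."""
    count = blob.count(MARKER)
    if count != 1:
        raise ValueError(f"expected exactly one DPB key, found {count}")
    return blob.replace(MARKER, PATCHED)


def unlock_docm(src: bytes) -> bytes:
    """Return a new copy of the .docm archive with vbaProject.bin patched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        patched = False
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename.lower().endswith("vbaproject.bin"):
                data = patch_vba_project(data)
                patched = True
            zout.writestr(item, data)  # every other member is copied unchanged
        if not patched:
            raise ValueError("no vbaProject.bin in archive")
    return out.getvalue()


def make_sample_docm() -> bytes:
    """Constructed stand-in for a saved .docm (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin",
                   b'\x00' * 16 + b'CMG="AABB"\r\nDPB="CCDD"\r\nGC="EEFF"\r\n')
    return buf.getvalue()


if __name__ == "__main__":
    fixed = unlock_docm(make_sample_docm())
    with zipfile.ZipFile(io.BytesIO(fixed)) as z:
        print(z.read("word/vbaProject.bin")[16:])
```

The function returns a new archive and leaves the input bytes untouched, so the original sample stays intact for hashing and later comparison.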
