This post describes a method using a utility called OfficeMalScanner to find out if a document contains malware. The utility is third-party software that needs to be installed by the user in a safe lab environment. Let’s say that there is a suspicious document that someone has received and it is suspected to contain malware. A major red flag is getting a security warning stating “Macros have been disabled” and asking the user to enable macros. It is a good security practice not to enable macros because they are a threat vector for malicious code.
As a side note, just because a Microsoft Office file makes a prompt like this does not automatically mean the document contains malware. However, for the purposes of this exercise let’s assume that there is every reason to be suspicious that this document being analyzed contains malicious code.
Disclaimer: This analysis was conducted in a controlled lab environment with proper safeguards in place. The information contained in this post is for educational purposes and the author takes no responsibility for any adverse consequence including but not limited to device malware infection that results from following the procedure outlined here.
Running OfficeMalScanner confirms that there is indeed Visual Basic code inside this document which has been titled “examplemalware” and the code is contained in a file called “ThisDocument”.
Copy and paste the file path C:\\EXAMPLEMALWARE.BIN-Macros into File Explorer to navigate to the folder containing the embedded file “ThisDocument”.
Opening the file “ThisDocument” in Notepad++ further reveals Visual Basic macro code hidden in the document we are investigating. A snippet is shown below.
Scrolling down further in the code reveals a PowerShell script. For security purposes the entire script is not included here, but there is enough in the screenshot to see the start of the PowerShell script and part of a string that is encoded using Base64.
Decrypting this string with a Base64 decoder unmasks the fact that this is a PowerShell script that downloads a file from a web server and runs the code in that file on the target machine.
This is enough confirmation that the document we are analyzing contains malicious code.