Searching for Microsoft Office Files Containing Macro

MacroA quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: “How to search for Office documents containing macros on a NAS?“. This is a good idea to search for such documents as VBA macros are known to be a good infection vector and come back regularly in the news like the Rocket Kitten campaign.

My first idea was to use the oledump tool developed by Didier Stevens. Without any command line option, this nice tool lists the streams contained in a document and macros are flagged with a “M” like in the example below. The 7th stream is a macro:

# ./oledump.py /tmp/Suspicious/Invoice.doc 
 1:      113 '\x01CompObj'
 2:     4096 '\x05DocumentSummaryInformation'
 3:     4096 '\x05SummaryInformation'
 4:     4096 '1Table'
 5:      444 'Macros/PROJECT'
 6:       41 'Macros/PROJECTwm'
 7: M  12604 'Macros/VBA/ThisDocument'
 8:     3413 'Macros/VBA/_VBA_PROJECT'
 9:      514 'Macros/VBA/dir'
10:     4142 'WordDocument'

But this requires to grep for the “M” in the output and adds some complexity. Didier responded on Twitter with another tool he also developed: filescanner.exe. This tool does exactly the job we expect by searching for patterns into a file but it runs only on Windows! Being a UNIX guy, why not use YARA with a custom signature to achieve this? As Didier said, an Office document containing a macro can be detected by searching the following patterns:

  • 0xD0 OxCF 0x11 0xE0
  • 0x00 0x41 0x74 0x74 0x72 0x69 0x62 0x75 0x74 0x00

Let’s wirte a simple YARA rule:

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        thread_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        $a at 0 and $b
}

Finally, let’s mount our NAS share (NFS, CFS, AFS, …) and use the standard UNIX tool “find” to search for juicy files:

# mkdir /mnt/share
# smbmount //nas.lan/users /mnt/share -o username=user,password=pass,ro
# find /mnt/share -type f -size -1M -exec yara /tmp/office-macro.rule {} \;
office_macro /mnt/share/xavier/tmp/Invoice.doc
office_macro /mnt/share/tmp/TaskManager.xls
...

And you can use the power of the find command to restrict your search to only specific files. If you don’t know YARA, have a look at this powerful tool. Happy scanning!

22 comments

  1. Hello, I was search exactly this, but I tried on my system and couldn’t detect any file with macros (I tried with both .doc and .dot files)
    Also, would this work for the docm xlsm files? Since they are zipped formats and I haven’t seen anything to decompress the files (yextend?)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.