Deobfuscating Malicious VBA Macro with a Few Lines of Python

DeobfuscateJust a quick post about a problem that security analysts are facing daily… For a while, malicious Office documents are delivered with OLE objects containing VBA macros. Bad guys are always using obfuscation techniques to make the analysis more difficult and (try to) bypass basic filters. This makes the analysis not impossible but boring and time consuming.

As example, we see more and more VBA macros with strings obfuscated by encoding characters with the ‘Chr()‘ or ‘Chrw()‘ functions. Check the following piece of code:

Set ertertFFFg = CreateObject(Chr$(77) & Chr$(83) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(50) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))

Once decoded, the variable ‘ertertFFg‘ is assigned the following value:

Set ertertFFFg = CreateObject(MSXML2.XMLHTTP)

Seeing more and more macros based on this obfuscation technique, I wrote a quick and dirty Python script to help a friend. Currently it supports the following syntaxes:

  • chrw(x)
  • chrw(x.y+x.y)
  • chr$(x)

The script reads the macro from stdin and output the decoded strings to stdout. Feel free to use it, it is available on my github repo.

 

 

23 comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.