New Explode Module: EXPLODE_VBA #63
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Note: jshlbrd also has a pull request for a module that does VBA extraction. My module also does file extraction (explode) and metadata for forms. Otherwise, they are similar. explode_vba.py is a scanning module to explode the VBA inside objects. It uses olevba from decalage's oletools to perform the object extraction. Quick note: Olevba has some object explosion built into the code. For example, it can look inside DOCX files for VBA. I tried to stay away from explosions done inside the decalage code and instead rely on Laika BOSS for explosion. To continue with the previous example, Laika BOSS will explode the ZIP and then this module will pick up the compressed VBA object and extract the macro from it. Input are OLE document files and output is metadata and extracted objects. Most supported formats listed at https://bitbucket.org/decalage/oletools/wiki/olevba which use olevba's VBA_Parser module willw work as long as it is also configured in dispatch.yara Here are my notes added to decalage's "Supported formats" Word 97-2003 (.doc, .dot) -> Will work Word 2007+ (.docm, .dotm) -> Note: Will rely on Laika BOSS explosion of ZIP Word 2003 XML (.xml) -> Will work Word/Excel MHTML, aka Single File Web Page (.mht) Excel 97-2003 (.xls) -> Will work Excel 2007+ (.xlsm, .xlsb) -> Should work and needs to be tested. PowerPoint 2007+ (.pptm, .ppsm) -> Note: Not currently supported. Will most likely need to be a seperate Laika BOSS module. Text file containing VBA or VBScript source code -> Should work and needs to be tested. Needs dispatch.yara addition to run EXPLODE_VBA against all files since txt files have no file magic to key on. Output: Extracted and decompressed VBA objects (macro and forms). Module also adds basic metadata about the object when possible. Below I use a Office 2007 Word sample (zip). I run olevba against the file which uses its native exploding code and shows that there are macros and forms. I then show the scan output from EXPLODE_VBA which shows the collected metadata. This is followed by examples of the actual extracted files. By running the EXPLODE_VBA module in conjuction with EXPLODE_ZIP and EXPLODE_OLE, the macros are successfully extracted. ``` [user@localhost laikaboss]# file mysample.docx mysample.docx: Microsoft Word 2007+ [user@localhost laikaboss]# hexdump -Cv mysample.docx | head 00000000 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 84 98 |PK..........!...| 00000010 01 20 94 01 00 00 2a 06 00 00 13 00 08 02 5b 43 |. ....*.......[C| 00000020 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d |ontent_Types].xm| ``` ``` [user@localhost laikaboss]# olevba -a mysample.docx olevba 0.50 - http://decalage.info/python/oletools Flags Filename ----------- ----------------------------------------------------------------- OpX:MASIHB-- mysample.docx =============================================================================== FILE: mysample.docx Type: OpenXML ------------------------------------------------------------------------------- VBA MACRO Dard.cls in file: word/vbaProject.bin - OLE stream: u'VBA/Dard' ------------------------------------------------------------------------------- VBA MACRO sTVOL.frm in file: word/vbaProject.bin - OLE stream: u'VBA/sTVOL' ------------------------------------------------------------------------------- VBA MACRO A0.bas in file: word/vbaProject.bin - OLE stream: u'VBA/A0' ------------------------------------------------------------------------------- VBA MACRO Ishimitsu.cls in file: word/vbaProject.bin - OLE stream: u'VBA/Ishimitsu' ------------------------------------------------------------------------------- VBA MACRO Module1.bas in file: word/vbaProject.bin - OLE stream: u'VBA/Module1' ------------------------------------------------------------------------------- VBA MACRO Module2.bas in file: word/vbaProject.bin - OLE stream: u'VBA/Module2' ------------------------------------------------------------------------------- VBA MACRO Class1.cls in file: word/vbaProject.bin - OLE stream: u'VBA/Class1' ------------------------------------------------------------------------------- VBA MACRO Z1.bas in file: word/vbaProject.bin - OLE stream: u'VBA/Z1' ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ▒rundll32.exe ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ▒http:// ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma/ ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - setRequestHeader ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Microsoft.XMLHTTPPPAPAdodb.streaMPPAPshell.ApplicationPPAPWscript.shellPPAPProcessPPAPGeTPPAPTeMPPPAPTypePPAPopenPPAPwritePPAPresponseBodyPPAPsavetofilePPAP\shubert.aza ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - hoOptionButton1der ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - hoSend ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ratatu ------------------------------------------------------------------------------- VBA FORM STRING IN 'word/vbaProject.bin' - OLE stream: u'sTVOL/o' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tahoma ``` -> Metadata collected from Module ``` "EXPLODE_VBA": { "Parsed_Macros_Metadata": [ { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Dard", "Type": "OLE", "VBA_filename": "Dard.cls" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/sTVOL", "Type": "OLE", "VBA_filename": "sTVOL.frm" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/A0", "Type": "OLE", "VBA_filename": "A0.bas" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Ishimitsu", "Type": "OLE", "VBA_filename": "Ishimitsu.cls" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Module1", "Type": "OLE", "VBA_filename": "Module1.bas" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Module2", "Type": "OLE", "VBA_filename": "Module2.bas" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Class1", "Type": "OLE", "VBA_filename": "Class1.cls" }, { "VBA_project": [ "('', 'PROJECT', 'VBA/dir')" ], "OLE_stream": "VBA/Z1", "Type": "OLE", "VBA_filename": "Z1.bas" } ], "VBA_Forms_Found_Streams": [ "sTVOL/o" ] ``` -> Showing the files exploded and their filenames ``` [user@localhost laikaboss]# ls -lart ~/EXPLODED/0bf5e6c6-0dad-404c-a69e-30bf4a9962ce/ | grep e_vba e_vba_6b35ca7ccdf6a2221cacab994faa4349_Z1.bas e_vba_6b35ca7ccdf6a2221cacab994faa4349_Module2.bas e_vba_6b35ca7ccdf6a2221cacab994faa4349_Dard.cls e_vba_6b35ca7ccdf6a2221cacab994faa4349_A0.bas e_vba_6b35ca7ccdf6a2221cacab994faa4349_sTVOL.frm e_vba_6b35ca7ccdf6a2221cacab994faa4349_Ishimitsu.cls e_vba_6b35ca7ccdf6a2221cacab994faa4349_Module1.bas e_vba_6b35ca7ccdf6a2221cacab994faa4349_combined_forms.txt e_vba_6b35ca7ccdf6a2221cacab994faa4349_Class1.cls ``` Dispatch.yara change to make this module run against OLEs, Word2003 XML, and MHTML. ``` rule type_is_msoffice2003 { meta: scan_modules = "EXPLODE_OLE(minFileSize=128) EXPLODE_VBA" file_type = "ole" strings: $a = { D0 CF 11 E0 A1 B1 1A E1 } condition: $a at 0 } rule type_is_msoffice2003xml { meta: scan_modules = "EXPLODE_VBA" file_type = "xml" strings: $a = { 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d } //<?xml version= $b = "http://schemas.microsoft.com/office/word/2003/wordml" condition: $a at 0 and $b } rule type_is_msofficemhtml { meta: scan_modules = "EXPLODE_VBA" file_type = "mhtml" strings: $a = "MIME-Version: 1.0" $b = "This document is a Single File Web Page, also known as a Web Archive file" condition: $a at 0 and $b } ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: jshlbrd also has a pull request for a module that does VBA extraction. My module in addition does file extraction (explode) and metadata for forms. Otherwise, they are similar.
explode_vba.py is a scanning module to explode the VBA inside objects. It uses olevba from decalage's oletools to perform the object extraction.
Quick note: Olevba has some object explosion built into the code. For example, it can look inside DOCX files for VBA. I tried to stay away from explosions done inside the decalage code and instead rely on Laika BOSS for explosion. To continue with the previous example, Laika BOSS will explode the ZIP and then this module will pick up the compressed VBA object and extract the macro from it.
Input are OLE document files and output is metadata and extracted objects. Most supported formats listed at https://bitbucket.org/decalage/oletools/wiki/olevba which use olevba's VBA_Parser module willw work as long as it is also configured in dispatch.yara
Here are my notes added to decalage's "Supported formats"
Output: Extracted and decompressed VBA objects (macro and forms). Module also adds basic metadata about the object when possible.
Below I use a Office 2007 Word sample (zip). I run olevba against the file which uses its native exploding code and shows that there are macros and forms. I then show the scan output from EXPLODE_VBA which shows the collected metadata. This is followed by examples of the actual extracted files.
By running the EXPLODE_VBA module in conjuction with EXPLODE_ZIP and EXPLODE_OLE, the macros are successfully extracted.
-> Metadata collected from Module
-> Showing the files exploded and their filenames
Dispatch.yara change to make this module run against OLEs, Word2003 XML, and MHTML.