
Wednesday, July 18, 2018

ActiveX Control & UserForm Technique of Malicious Macro Office Files Demystified

ActiveX Control Objects are a known technique malware writers use to launch malicious VBA macro code automatically, in the same way as the common Document_Open() macro function, once the user enables the ActiveX content. Today I want to share how this technique is used by a macro malware sample I found on the excellent website malware-traffic-analysis. The macro file uses an ActiveX Control Object in combination with a UserForm textbox to hide its code from typical macro analysis techniques.

On the first run, the Office document crashes, and when you open it again you can tell right away that the file is suspicious.

fig. 1 - the malicious document


During my initial analysis, I tried removing the page color of the document to check whether it hid some interesting stuff or a hint for analyzing this macro. And yes, there was: it contains an ActiveX Control Object that is hidden in the original document because it is also colored blue.

fig. 2 - the hidden ActiveX Control Object


So I checked the VBA code in the Developer menu, and my initial analysis was right: the macro uses the ActiveX Control event handler Sub InkPicture1_Painted() to trigger its malicious code.

fig. 3 - ActiveX Control Function


But the interesting stuff does not end here, because the file also uses a UserForm to execute its malicious VBA macro code. At first look it seems like the form needs human interaction to execute the suspicious function "sidfi()" declared inside the private sub TextBox3_Change(). This handler is triggered whenever the value of TextBox3 changes.

fig. 4 - the userform and its trigger

fig. 5 - I modified TextBox3 to test and trigger the interesting function

If that is the case, how does the macro execute its code automatically when TextBox3 needs to change before the handler fires? The answer is in the Sub InkPicture1_Painted() function: it calls the test3 function with the parameter "toto".

Demystifying the macro code flow:

The "test3" function puts the string "toto" into TextBox3 if UserForm1.Label1 is equal to 1.
Since the value of TextBox3 has now changed, sidfi() is triggered; it is responsible for decoding the encoded string using the decoding string table stored in TextBox1 and a constant value of 5. Below is the execution of its code.


fig. 6 - the macro code flow
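The trigger chain described above (Painted event on the ActiveX control, a write to TextBox3, the implicit TextBox3_Change event, then sidfi()) is the part that defeats a quick look for Document_Open(). The script below is an added example, not code from the original post or from the sample itself: it runs over a constructed VBA snippet that mirrors that chain (the procedure names come from the post; the bodies, the Painted signature and the Label1 check are assumptions) and reconstructs the call chain from each non-interactive trigger, including the implicit edge from an assignment to a control's value to that control's _Change handler. The event-name lists are assumptions a defender would tune.

```python
import re

# Constructed VBA sample (not the original document's code) echoing the chain the
# post describes: an ActiveX Painted event feeds a UserForm textbox whose Change
# event calls the decoder. Bodies and the Painted signature are assumptions.
SAMPLE_VBA = '''
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Object)
    test3 "toto"
End Sub

Sub test3(s As String)
    If UserForm1.Label1 = 1 Then
        UserForm1.TextBox3.Text = s
    End If
End Sub

Private Sub TextBox3_Change()
    sidfi
End Sub

Private Sub sidfi()
    Dim table As String
    table = UserForm1.TextBox1.Text
End Sub
'''

# Procedures that run as soon as content is enabled (assumed list, extend as needed).
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open"}
# Control event suffixes that fire on render or when *code* (not a user) changes a control.
CONTROL_EVENTS = {"painted", "change", "initialize", "activate", "layout"}

PROC_RE = re.compile(r'^[ \t]*(?:private[ \t]+|public[ \t]+)?(?:sub|function)[ \t]+([A-Za-z_]\w*)', re.I)
END_RE = re.compile(r'^[ \t]*end[ \t]+(?:sub|function)\b', re.I)
CALL_RE = re.compile(r'^(?:call[ \t]+)?([A-Za-z_]\w*)\b', re.I)
# "Something.TextBox3.Text = ..." or "TextBox3.Value = ..." -> implicit TextBox3_Change
ASSIGN_RE = re.compile(r'^(?:\w+\.)*(\w+)\.(?:text|value)[ \t]*=', re.I)


def parse_procedures(vba):
    """Map procedure name -> list of body lines."""
    procs, current = {}, None
    for line in vba.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            procs[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None:
            procs[current].append(line.strip())
    return procs


def find_triggers(procs):
    """(name, reason) for every procedure that can run without a user click."""
    hits = []
    for name in procs:
        low = name.lower()
        if low in AUTO_EXEC:
            hits.append((name, "auto-exec"))
        elif "_" in low and low.rsplit("_", 1)[1] in CONTROL_EVENTS:
            hits.append((name, "control event"))
    return hits


def direct_edges(procs):
    """Explicit calls plus the implicit edge 'write to a control -> its _Change handler'."""
    by_lower = {n.lower(): n for n in procs}
    edges = {n: [] for n in procs}
    for name, body in procs.items():
        for line in body:
            m = CALL_RE.match(line)
            if m and m.group(1).lower() in by_lower and m.group(1).lower() != name.lower():
                edges[name].append(by_lower[m.group(1).lower()])
            m = ASSIGN_RE.match(line)
            if m and (m.group(1) + "_change").lower() in by_lower:
                edges[name].append(by_lower[(m.group(1) + "_change").lower()])
    return edges


def trigger_chain(procs, edges, start):
    """Breadth-first walk from a trigger; returns procedures in the order they are reached."""
    chain, seen, frontier = [], set(), [start]
    while frontier:
        cur = frontier.pop(0)
        if cur in seen or cur not in procs:
            continue
        seen.add(cur)
        chain.append(cur)
        frontier.extend(edges[cur])
    return chain


def analyze(vba):
    """Trigger name -> full reachable chain, for every non-interactive trigger in the source."""
    procs = parse_procedures(vba)
    edges = direct_edges(procs)
    return {name: trigger_chain(procs, edges, name) for name, _ in find_triggers(procs)}


if __name__ == "__main__":
    for trigger, chain in analyze(SAMPLE_VBA).items():
        print(f"{trigger}: " + " -> ".join(chain))
```

Run against olevba-extracted VBA source, the report for this sample points straight at InkPicture1_Painted reaching sidfi through TextBox3_Change, which is the observation a manual review of the Developer window only yields after following the assignment to TextBox3 by hand.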

As its payload it executes two PowerShell commands to download TrickBot to the infected machine.

fig. 7 - the malicious powershell


Conclusion

This post shows how effective the ActiveX Control Object and UserForm technique is at luring users, infecting a machine and bypassing AV detection. It also makes typical macro analysis, emulation and similar approaches trickier.

