Trickbot Analysis – Part 2: Locked Projects in Documents

Part 1: An analysis of the extracted macros.

Part 2: An analysis of the locked document.

Part 3: An analysis of the dropped javascript file.


When analyzing a malicious document, it can be useful to open it in Microsoft Word's built-in Visual Basic for Applications editor. This lets you inspect the macros and step through them to see how they work. However, sometimes you see this:

\sad trombone

Many people know that you can just toss the .doc into a hex editor, search for the string DPB, replace it with DPX (or something), save it, open the document, ignore the errors, and you should be good to go.

That doesn't work for every document. When it doesn't, here is another method. All credit goes to Vishal Thakur's blog, which describes how to do this. The method takes advantage of the fact that .docm/.docx files are really .zip archives. We will rename the .docm file to .zip, find the vbaProject.bin file, change DPB to DPX, save it, rename the .zip file back to .docm, make the project available for viewing, and we will be good to go again.

Step 1 – Change file extension of .docm/.docx file to .zip

Step 2 – Open the .zip folder, look in another folder called ‘word’, and copy the vbaProject.bin file to another location (in my case, the desktop).

Step 3 – Open vbaProject.bin in your favorite hex editor. Search for the string DPB.

Step 4 – Change DPB to DPX and save changes.

Step 5 – Copy the edited vbaProject.bin back into the .zip folder, overwriting the original. Rename the file from .zip back to .docx/.docm. Open the document and try to view the macros. You may see errors like the ones below; just keep clicking through them.

Step 6 – Pressing Alt+F11 is another way to get into Microsoft Visual Basic for Applications. If you do that, you’ll see that you still can’t edit the macros. But right-click on the project, choose Project Properties -> Protection. Uncheck “Lock project for viewing” and either put in a new password of your choosing or make sure that it’s blank. Then save your changes and exit.

Step 7 – Re-open the document and investigate the macros at your leisure!
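Steps 1 through 5 above are mechanical, so here they are as a small Python script. This is an added example, not code from the original post or from Vishal Thakur's blog: it treats the .docm as a ZIP, rewrites the `DPB="` attribute of the PROJECT stream inside word/vbaProject.bin to `DPX="` (same length, so the OLE container is left structurally intact), and copies every other part through unchanged. Steps 6 and 7 (clearing the lock in Project Properties) still happen in Word. The sample .docm it builds is constructed for the demonstration and is not a real Trickbot document.

```python
import io
import sys
import zipfile

VBA_PART = "word/vbaProject.bin"   # where Word stores the VBA project inside a .docm

def patch_project_stream(vba_bin: bytes) -> bytes:
    """Rename DPB to DPX in the PROJECT stream; same byte length keeps the OLE layout valid."""
    needle, patched = b'DPB="', b'DPX="'
    if vba_bin.count(needle) != 1:
        raise ValueError("expected exactly one DPB= attribute in vbaProject.bin")
    return vba_bin.replace(needle, patched)

def unlock_docm(docm_bytes: bytes) -> bytes:
    """Return a copy of the .docm with vbaProject.bin patched and all other members untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        if VBA_PART not in src.namelist():
            raise ValueError(f"{VBA_PART} not found: this file has no VBA project")
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == VBA_PART:
                data = patch_project_stream(data)
            dst.writestr(info, data)          # reuses the original ZipInfo (name, compression)
    return out.getvalue()

def read_part(docm_bytes: bytes, name: str = VBA_PART) -> bytes:
    """Pull one member out of a .docm, e.g. to diff vbaProject.bin before and after."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        return z.read(name)

def build_sample_docm() -> bytes:
    """Constructed stand-in for a locked .docm (not a real sample): a ZIP whose fake
    vbaProject.bin carries PROJECT-stream text with the DPB= password attribute."""
    project = (b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
               b'Module=ThisDocument\r\n'
               b'CMG="AAAAAAAA"\r\n'
               b'DPB="BBBBBBBB"\r\n'   # the attribute Word checks when the project is locked
               b'GC="CCCCCCCC"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(VBA_PART, project)
    return buf.getvalue()

if __name__ == "__main__":   # usage: python unlock_docm.py locked.docm unlocked.docm
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(unlock_docm(src.read()))
```

Run it on a copy of the document inside your analysis VM, then open the output and continue from Step 6.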