In order to make analysis tougher, your typical attacker will obfuscate the macro code in some way. Attackers will also set up other roadblocks to slow you down in your analysis. We’ve seen that attackers will password-protect some portion of the document, whether it is the macro or something else.
There are ways to get around these password protections. A simple Google search will bring back tons of results, but which of them actually work?
The document we’ll be working on in this post was a bit unique. It downloads an executable that Any.run identified as Formbook. How it gets to that point is kind of interesting. It turns out that a spreadsheet can carry links to external workbooks, and when you click “Enable Content”, Excel will try to reach out to those URLs and download whatever is there. No macro is needed.
Round 1: Me – 0 Document – 1
First things first. The normal analysis I do on documents didn’t yield any results. OfficeMalScanner didn’t dump out any macros at all. If you open the document and go to VIEW -> Macros -> View Macros you still won’t see anything. And if you really want to make sure that your eyes aren’t deceiving you, hit ALT+F11 and you’ll just see the three worksheets and a whole lot of empty space where there are no macros. Just like the tools said.
Right-click on the sheets, choose ‘Project Properties’ and nothing is locked or password protected at all.
Round 2: Me – 0 Document – 2
Next, let’s try treating the .xlsx document as what it really is: a .zip archive of XML parts. Simply change the extension to .zip, extract the contents, and we should be able to explore all of the .xml files and see what’s going on under the hood.
Nope. Here’s what we get instead. Dig all you want through these folders/files, you won’t find anything useful.
Round 3: Me – 1 Document – 2
After a hefty bit of googling and poking around at the document, you would get directed to the sheet protection settings (on the Review tab). We can see that this is where you would protect a worksheet with a password. If you click on ‘Unprotect Sheet’, the password dialogue box will pop up.
And all we would need is that darn password. Aside from using some sort of password cracker (which, admittedly, would be fun), I tried a method that added a new macro to the document which will brute force the password and present it in a dialogue box. And it actually worked!
Yeah, I was surprised, too.
So, open the document and hit ALT+F11 to open up Microsoft Visual Basic for Applications. Double-click on Sheet1(????1) to get a blank code window for that sheet. Copy and paste the code below into the code window:
Sub PasswordBreaker()
    ' Tries 11 characters of "A"/"B" followed by one printable ASCII
    ' character. Excel's legacy sheet protection only stores a 16-bit
    ' hash, so one of these 2^11 * 95 guesses always collides with it.
    Dim i As Integer, j As Integer, k As Integer
    Dim l As Integer, m As Integer, n As Integer
    Dim i1 As Integer, i2 As Integer, i3 As Integer
    Dim i4 As Integer, i5 As Integer, i6 As Integer
    On Error Resume Next   ' a wrong guess raises an error; just keep going
    For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
    For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
    For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
    For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
        ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
            Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
            Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
        ' ProtectContents flips to False as soon as a guess is accepted
        If ActiveSheet.ProtectContents = False Then
            MsgBox "One usable password is " & Chr(i) & Chr(j) & _
                Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
                Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
            Exit Sub
        End If
    Next: Next: Next: Next: Next: Next
    Next: Next: Next: Next: Next: Next
End Sub
It should end up looking like this. All you need to do is run the macro by pressing ‘play’ or hit F5.
Once you do…
… you get a password that unlocks the worksheet! Note the wording of the message: it is one usable password, a collision for the stored hash, not necessarily the one the attacker typed. The macro also does the added job of unprotecting the worksheet for you. You’d have to save the document at this point to keep the worksheet unprotected. Or you could discard the changes in order to test out the password yourself.
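Why the macro always finds something, as an added example that is not part of the original post: the script below implements the legacy 16-bit sheet-protection hash that Excel stores in the `password` attribute of the worksheet's `sheetProtection` element (the algorithm documented in ECMA-376 Part 4 and reproduced by openpyxl) and runs the same search PasswordBreaker runs, 11 characters from {A, B} plus one printable ASCII character. The password `s3cret!` is a made-up value standing in for whatever the attacker set. The caveat it demonstrates: this only holds for the legacy hash. Sheets protected by Excel 2013 or later carry a salted, iterated SHA-512 hash (`algorithmName`, `hashValue`, `saltValue`, `spinCount` attributes), and the macro's roughly 195,000 guesses will not find a collision for that.

```python
"""Legacy Excel sheet-protection hash and the 12-character collision search.

Added example, not code from the original post. Mirrors the VBA
PasswordBreaker search so you can see why it always succeeds against the
legacy hash: the stored value has only 15 free bits (bit 15 is always set by
the 0xCE4B constant), and the 2^11 * 95 candidates span every one of them.
"""
from itertools import product
from typing import Optional


def rotl15(value: int) -> int:
    """Rotate a 15-bit value left by one bit."""
    return ((value >> 14) & 0x01) | ((value << 1) & 0x7FFF)


def legacy_sheet_hash(password: str) -> int:
    """Hash as stored in <sheetProtection password="XXXX"/> (legacy form).

    Characters are folded in from last to first; each step rotates the
    running value inside 15 bits and XORs in the character code.
    """
    h = 0
    for ch in reversed(password):
        h = rotl15(h) ^ ord(ch)
    h = rotl15(h)
    h ^= len(password)
    h ^= 0xCE4B          # fixed constant; sets bit 15 of every hash
    return h


def hash_attribute(password: str) -> str:
    """The hash formatted the way Excel writes it into the XML attribute."""
    return format(legacy_sheet_hash(password), "04X")


def find_collision(target: int) -> Optional[str]:
    """Same candidate set as PasswordBreaker: 'A'/'B' * 11 + chr(32..126).

    Returns the first candidate whose legacy hash equals `target`.
    """
    for prefix in product("AB", repeat=11):
        base = "".join(prefix)
        for n in range(32, 127):
            cand = base + chr(n)
            if legacy_sheet_hash(cand) == target:
                return cand
    return None


if __name__ == "__main__":
    original = "s3cret!"             # hypothetical password the attacker set
    target = legacy_sheet_hash(original)
    found = find_collision(target)
    print(f"stored hash attribute : {hash_attribute(original)}")
    print(f"one usable password   : {found!r}")
```

The value printed as the stored hash attribute is exactly what you would see in `xl/worksheets/sheetN.xml` for a legacy-protected sheet, so you can check which hash form a sample uses before spending time on the VBA route.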
Round 4: Me – 2 Document – 2
With the document worksheets now unprotected, we can take the document, change the extension from .xlsx to .zip, extract the contents, and analyze the files therein. Doing so gives us something that looks like this:
I highlighted the \xl\externalLinks\_rels subfolder because that’s where we’re going to find the URL that downloads the executable: the .rels file in that folder carries it as the Target of an external relationship.
And this is why there were no macros. Even though “Enable Content” just screams, “You’ve got macros!”, it doesn’t necessarily mean that is the case. External workbook links trigger the same prompt.
The rest of that unzipped folder structure still deserves more investigating. By poking around I did find an easier way to find the URL. If you go to File -> Info, there is an entry called “Edit Links to Files”. Click on it and you’ll see the URL right there.
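The same check done without opening Excel at all, as an added example that is not part of the original post: an .xlsx is a zip of XML parts, and sheet protection is an edit lock inside Excel rather than encryption, so the external-link URL and the protection settings can be read straight out of the archive. The script builds a minimal workbook in memory with a made-up URL, relationship Id and hash value so it runs offline; on a real sample you would read the file bytes from disk instead. It also classifies the protection hash, since that decides whether the VBA brute force from Round 3 has any chance, and since the lock is just one XML element, deleting that element and re-zipping removes it without any password search.

```python
"""Static triage of an .xlsx: external-link targets and sheet protection.

Added example, not code from the original post. Reads the parts that the
post found by unzipping: xl/externalLinks/_rels/*.rels for the download
URL and xl/worksheets/*.xml for the <sheetProtection> element. The sample
workbook is constructed inline; its URL and hash are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def external_link_targets(xlsx: bytes) -> List[Tuple[str, str]]:
    """(rels part, Target) for every External relationship under xl/externalLinks/_rels/."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        for name in z.namelist():
            if name.startswith("xl/externalLinks/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(NS_REL + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        found.append((name, rel.get("Target")))
    return found


def sheet_protection(xlsx: bytes) -> Dict[str, Dict[str, str]]:
    """sheet part -> attributes of its <sheetProtection> element, for protected sheets only."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        for name in z.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                sp = root.find(NS_MAIN + "sheetProtection")
                if sp is not None:
                    found[name] = dict(sp.attrib)
    return found


def protection_kind(attrs: Dict[str, str]) -> str:
    """Classify the stored hash form, which decides whether a brute force can work."""
    if "algorithmName" in attrs:
        return "modern"   # salted, iterated hash (e.g. SHA-512 with spinCount): no cheap collision
    if "password" in attrs:
        return "legacy"   # 16-bit hash: a 12-character collision always exists
    return "none"


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook containing only the parts the functions above read.

    The URL, the relationship Id and the hash value are made up for the example;
    the namespaces and part names are the real OOXML ones.
    """
    sheet = (
        f'<worksheet xmlns="{NS_MAIN[1:-1]}"><sheetData/>'
        '<sheetProtection sheet="1" objects="1" scenarios="1" password="CFC3"/>'
        '</worksheet>'
    )
    rels = (
        f'<Relationships xmlns="{NS_REL[1:-1]}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" '
        'Target="http://example.invalid/update/payload.exe" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/externalLinks/externalLink1.xml",
                   f'<externalLink xmlns="{NS_MAIN[1:-1]}"/>')
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_xlsx()
    for part, url in external_link_targets(data):
        print(f"external link in {part}: {url}")
    for part, attrs in sheet_protection(data).items():
        print(f"{part}: protection={protection_kind(attrs)} {attrs}")
```

Run it against a real sample by replacing `build_sample_xlsx()` with the file's bytes; nothing here executes any part of the document, which is the point of doing the triage from the zip rather than from Excel.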
Now I’ve seen other malicious documents where the base64-encoded string is sitting in the document properties. So this location is definitely a place to look for strange things. But there are no guarantees that strange things will always be there.
As always, thanks for reading!