When it comes to exploits, it’s particularly important to understand how macros are used in Microsoft Word. <\/p>\n\n\n\n
In this software suite, macros are written in scripting languages (VBA<\/a> and Excel 4.0.)<\/a> These languages allow direct access to Windows APIs, which makes them incredibly powerful for both legitimate use and, unfortunately, for hackers. <\/p>\n\n\n\n Keep reading to learn about: <\/p>\n\n\n\n Let\u2019s dive in! (Or jump straight to the case study<\/a>). <\/p>\n\n\n\n To better understand potential dangers behind these automations, let’s consider how a common VBA macro works. The code snippet below converts a document into a PDF: <\/p>\n\n\n\n This macro verifies if the document has been saved, retrieves the current path and filename, saves it as a PDF, and notifies the user upon completion. To achieve this, the macro interacts with deep system components: <\/p>\n\n\n\n Of course, the methods mentioned above aren\u2019t malicious. But they showcase how macros give access to system resources. Hackers can exploit this to manipulate files, deploy malware, and perform several system-level actions: launch processes, access network resources and run commands. <\/p>\n\n\n\n In our experience in dealing with macros in real-world attack scenarios, hackers typically use them to: <\/p>\n\n\n\n For instance, WMI allows instrumented components to share system data and notifications. Since hackers can directly interact with it through macros, they can gather information about the execution environment, like the OS version and locale. This enables them to configure malware to run with the correct parameters or determine if the system is suitable for miners. <\/p>\n\n\n\n As you can see, macros offer hackers a powerful way to exploit legitimate tools. What makes the issue even worse is the high number of workstations in corporate environments vulnerable to this attack vector. Let’s explore some history to understand how we arrived at this situation. <\/p>\n\n\n\n Popularity of macros as an infection mechanism is closely tied to Microsoft Office \u2014 a software suite that is used<\/a> in 83% of enterprise companies. <\/p>\n\n\n\n Since early versions, the productivity tool’s power users relied heavily on macros to automate their routine \u2014 and hackers took note of this attack vector. <\/p>\n\n\n\n The first well-known case of malware exploiting Word macros was the “Concept<\/a>” virus from 1995. <\/p>\n\n\n\n It demonstrated proof of concept that macros could be used to execute malicious code within Word documents. <\/p>\n\n\n\n From there, In the late 90s and early 2000s, macro viruses surged. This prompted Microsoft to take action and improve security. Microsoft disabled macros support by default starting with Office 2007, introduced the “Trust Center” for more granular control of security settings, and now requires to save files with specific extentsions to run macros (.docm, .xlsm, or .pptm). Despite all this, hackers are still able to successfully exploit this attack vector. <\/p>\n\n\n\n Today, many malware families use macros in the early stages of the infection chain. You’ll likely encounter macros with malware like Nanocore<\/a>, Smoke Loader<\/a>, RedLine<\/a>, ZLoader<\/a>, and Lokibot<\/a> or any other malware that can spread through maldocs. <\/p>\n\n\n\n (Read about analyzing a 64-bit version of ZLoadre in ANY.RUN)<\/a> <\/p>\n\n\n\n As we mentioned earlier, almost all macros you\u2019ll encounter in malicious documents today are written in either VBA or Excel 4.0 and it\u2019s important to understand the difference between how each is deployed. <\/p>\n\n\n\n You’ve likely noticed from the example at the start of the article that VBA is a standalone, fully-fledged language with its own syntax, and the same goes for Excel 4.0 macros. Because of this, finding macros is just part of the challenge \u2014 you also need to understand what they do. Unfortunately, at this stage, you’ll encounter a roadblock \u2014 obfuscation. <\/p>\n\n\n\n (Read our in-depth guide to analyzing .NET obfuscators<\/a>) <\/p>\n\n\n\n The challenge in studying macros lies not only in the need to know the language in which they’re written but also to deobfuscate the code. All macros you will come across in the are heavily obfuscated. Like this example<\/a> from an infected Word document:<\/p>\n\n\n Malicious macros are almost always obfuscated and hard to analyze statically. <\/p>\n\n\n\n But thankfully, deobfuscating macro code itself isn’t necessary in many cases. After all, your primary objective during analysis should be to understand the code’s functionality within the system. You can achieve this using various analysis tools. For instance, ANY.RUN interactive malware sandbox offers a script tracer<\/a> that shows, step-by-step, the actions the program executes on the system.<\/p>\n\n\n\n\n\n
What makes MS Office macros dangerous? <\/h2>\n\n\n\n
Sub SaveDocumentAsPDF() \n\n Dim filePath As String \n\n Dim pdfPath As String \n\n \n\n If ThisDocument.Path = \"\" Then \n\n MsgBox \"Please save your document before exporting to PDF.\", vbInformation \n\n Exit Sub \n\n End If \n\n \n\n filePath = ThisDocument.FullName \n\n \n\n pdfPath = Replace(filePath, \".docx\", \".pdf\") \n\n \n\n ThisDocument.ExportAsFixedFormat OutputFileName:=pdfPath, _ \n\n ExportFormat:=wdExportFormatPDF, _ \n\n OpenAfterExport:=False, _ \n\n OptimizeFor:=wdExportOptimizeForPrint, _ \n\n Range:=wdExportAllDocument, _ \n\n Item:=wdExportDocumentContent, _ \n\n IncludeDocProps:=True, _ \n\n KeepIRM:=True, _ \n\n CreateBookmarks:=wdExportCreateNoBookmarks, _ \n\n DocStructureTags:=True, _ \n\n BitmapMissingFonts:=True, _ \n\n UseISO19005_1:=False \n\n \n\n MsgBox \"Document has been saved as PDF: \" & pdfPath, vbInformation \n\nEnd Sub <\/code><\/pre>\n\n\n\n\n
What can hackers do with macros? <\/h2>\n\n\n\n
\n
History of malicious macros <\/h2>\n\n\n\n
Types of malicious macros <\/h2>\n\n\n\n
\n
\n
Why is it difficult to analyze malicious macros? <\/h2>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/02\/1-4-1024x621.png\")