In this section, we will look at a macro-enabled malicious Excel file using the REMnux VM. An Excel workbook in the Office Open XML format is really a ZIP archive: it is made up of many separate files (parts) that together hold everything we see in the spreadsheet. So to start things off, let's unzip the .xlsm file (the m stands for macro-enabled).

One interesting thing to notice at first sight is xl/vbaProject.bin, which indicates that the workbook carries a Visual Basic for Applications (VBA) project. That part is itself an OLE compound file embedded inside the ZIP, which is why the next step uses an OLE parser. And always keep in mind that there is more than meets the eye when it comes to Excel workbooks.
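The same first look, done programmatically. This is an added example and not code from the original write-up: it opens a workbook as the ZIP it is, lists the parts, and flags the two things worth noticing here, the presence of xl/vbaProject.bin and the macro-enabled content type in [Content_Types].xml. It also checks each part for the OLE compound-file magic, which is what tells you a part needs an OLE parser. The sample workbook it builds is constructed for the example; its vbaProject.bin is only the OLE magic plus padding, not a real VBA project, and the filename sample.xlsm is an assumption.

```python
import os
import tempfile
import zipfile

# Content type Excel assigns to the workbook part of a macro-enabled (.xlsm) file.
MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
# First eight bytes of every OLE compound file (vbaProject.bin is one).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_workbook(path):
    """Open an Office Open XML workbook as the ZIP archive it is and report
    the macro indicators a first look at the unzipped tree would reveal."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        # Any part starting with the OLE magic is a candidate for oledump.py;
        # xl/vbaProject.bin is the usual one, but check by content, not by name.
        ole_parts = [n for n in names if zf.read(n)[:8] == OLE_MAGIC]
    return {
        "entries": sorted(names),
        "has_vba_project": "xl/vbaProject.bin" in names,
        "macro_enabled_content_type": MACRO_CONTENT_TYPE in content_types,
        "ole_parts": ole_parts,
    }


def build_sample_xlsm(directory):
    """Constructed sample for this example: a minimal ZIP with the parts a
    macro-enabled workbook carries. The vbaProject.bin written here is only
    the OLE magic plus zero padding, not a real VBA project."""
    path = os.path.join(directory, "sample.xlsm")  # assumed name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>'
            % MACRO_CONTENT_TYPE,
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return path


def run_demo():
    """Build the constructed sample in a temporary directory and triage it."""
    return triage_workbook(build_sample_xlsm(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-28s %s" % (key, value))
```

Checking by content type and OLE magic rather than by file extension matters because a renamed file still carries the same parts; the ZIP listing is what tells you what is really inside.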
Moving forward, oledump.py can be used to carve out the OLE (Object Linking and Embedding) contents of the sample file.

oledump.py arranges what it finds and assigns each finding its own index. When it is pointed at the .xlsm directly, each OLE file it discovers inside the ZIP gets a letter, and the streams within that file get numbers. In this case there is only one embedded OLE file (vbaProject.bin), which was assigned the letter A, so its streams are listed as A1, A2, A3 and so on (if you point oledump at the unzipped vbaProject.bin instead, the streams are listed with plain numbers). Looking further into the output, next to A3 there is an M, indicating that this stream contains a macro, which is something to look out for. To look into that specific stream, we select it with oledump's stream option, as follows.

So basically we are asking oledump to give us the contents of stream 3 (-s 3) as extracted strings (-S). As with any other strings extraction from a binary, it is time to manually look through them and see if anything is of interest. Keep in mind that -S runs over the raw module stream, in which the VBA source is stored compressed, so string literals tend to survive readably while the code around them looks garbled.

From the looks of it, the macro makes use of the certutil binary to decode the encoded file encd.crt, writing the decoded output to a PowerShell script named run.ps1, which is then run. Next, we are going to recover the VBA macro source itself from the Excel file, again using oledump.py on the same stream but with a different argument this time (-v, which decompresses the stored VBA source), like so.
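What the -v step actually does, and what the manual strings review is looking for, as an added example that is not part of the original write-up. decompress_vba implements the MS-OVBA CompressedContainer decoding that oledump.py applies to a module stream (literal tokens, copy tokens, raw chunks), and triage_macro is the keyword pass a reviewer would run over the recovered text. build_literal_container is only a test-data encoder; the macro text, the keyword list and the hand-assembled copy-token container are all constructed for the example and do not reproduce the sample's real code.

```python
import re
import struct

# Largest run of literal bytes build_literal_container puts in one chunk:
# 3640 data bytes plus 455 flag bytes is 4095, within the 4096-byte chunk-data limit.
LITERAL_CHUNK = 3640


def decompress_vba(container):
    """Decompress an MS-OVBA CompressedContainer into the VBA source text.
    This is the step oledump.py's -v option performs on a module stream."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # 2-byte header plus chunk data
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        if not compressed:                          # raw chunk: 4096 bytes copied as-is
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)                      # decompressed offset where this chunk began
        while pos < chunk_end:
            flags = container[pos]                  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                produced = len(out) - chunk_start
                if produced < 1:
                    raise ValueError("copy token before any literal in chunk")
                # The offset/length split depends on how much of the chunk is decoded:
                # ceil(log2(produced)) bits of offset, never fewer than 4.
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):             # byte by byte: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def build_literal_container(data):
    """Encoder used only to make test input: a valid container that stores
    every byte as a literal token (real compressors also emit copy tokens)."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), LITERAL_CHUNK):
        block = data[start:start + LITERAL_CHUNK]
        body = bytearray()
        for i in range(0, len(block), 8):
            body.append(0x00)                       # flag byte: eight literals follow
            body.extend(block[i:i + 8])
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed flag, signature, size
        container += struct.pack("<H", header) + body
    return bytes(container)


# Hand-assembled container exercising a copy token: literals a, b, c, then
# "copy 6 bytes starting 3 back", which decodes to abcabcabc.
COPY_TOKEN_SAMPLE = bytes.fromhex("01 05b0 08 616263 0320")

# Constructed macro text modelled on the behaviour described in the text;
# it is not the sample's real code.
SAMPLE_MACRO = (
    "Sub Auto_Open()\r\n"
    "    Dim cmd As String\r\n"
    "    cmd = \"certutil -decode encd.crt run.ps1\"\r\n"
    "    Shell cmd, vbHide\r\n"
    "End Sub\r\n"
)

# Strings a manual review of the -S output would stop on (assumed list).
SUSPICIOUS = re.compile(
    r"certutil|powershell|syswow64|CreateObject|\bShell\b|Auto_Open|Workbook_Open|https?://",
    re.IGNORECASE,
)


def triage_macro(source):
    """Return (line number, line) for every source line matching SUSPICIOUS."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if SUSPICIOUS.search(line)]


if __name__ == "__main__":
    recovered = decompress_vba(build_literal_container(SAMPLE_MACRO.encode())).decode()
    for n, line in triage_macro(recovered):
        print("%3d: %s" % (n, line))
```

The copy-token bookkeeping (bit_count growing with the amount already decoded, and the byte-by-byte overlapping copy) is where home-grown decompressors usually go wrong, which is a good reason to let oledump.py do this in practice and to keep a reference implementation like this one only for checking odd output.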

Reading down the code, we can see a function that picks characters out of an array and concatenates them into strings (a simple obfuscation that keeps the interesting strings out of a plain strings dump), and a call to a routine named CreateHTTPObject, so the macro sets up an HTTP object to reach out to a specific web URL. It then opens an HTTP GET request to a hard-coded URL in order to download a .crt file, decodes that file with certutil while writing the output to a PowerShell script file, and finally executes that script with the 32-bit version of PowerShell (on a 64-bit Windows host, the copy under SysWOW64). The .crt extension is a disguise: the file is not a certificate but encoded text that certutil will happily decode. Among those things, there are also some strings that, by the looks of it, are base64-encoded messages.
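The decode stage and the base64 strings, as an added example rather than code from the original write-up. certutil_decode mirrors what certutil -decode does to a file like encd.crt (drop the PEM armor lines if present, join the base64 lines, decode), and find_base64_strings pulls base64-looking runs out of recovered macro text and keeps only those that decode to mostly printable bytes, which is what separates encoded messages from identifiers that merely happen to use the base64 alphabet. The run.ps1 content, the encd.crt file built from it, the macro fragment and the example.invalid URL are all constructed for this example and stand in for the real payload.

```python
import base64
import binascii
import re
import textwrap

# Constructed script standing in for run.ps1; not the real payload.
SAMPLE_RUN_PS1 = "Write-Output 'constructed run.ps1 payload'\r\n"


def build_crt(data):
    """Make a file like the downloaded encd.crt: base64 text wrapped in PEM
    certificate armor so that it passes for a certificate at a glance."""
    body = "\n".join(textwrap.wrap(base64.b64encode(data).decode(), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def certutil_decode(text):
    """What `certutil -decode encd.crt run.ps1` does to the file: drop the
    armor lines, join the base64 lines, decode. Works with or without armor."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


# A run of at least 16 base64-alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(text, min_printable=0.9):
    """Return (encoded, decoded) pairs for runs that decode as base64 to
    mostly printable bytes. Identifiers such as CreateHTTPObject are valid
    base64 alphabet but decode to binary junk, so the printable check drops them."""
    found = []
    for m in B64_RUN.finditer(text):
        cand = m.group()
        if len(cand) % 4:                           # base64 comes in groups of four
            continue
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
        if printable >= min_printable:
            found.append((cand, raw))
    return found


# Constructed macro fragment carrying an encoded URL; the hostname is a placeholder.
ENCODED_URL = base64.b64encode(b"http://example.invalid/encd.crt").decode()
SAMPLE_MACRO_TEXT = (
    "Set h = CreateHTTPObject()\r\n"
    + 'u = "' + ENCODED_URL + '"\r\n'
    + 'Shell "certutil -decode encd.crt run.ps1", vbHide\r\n'
)


if __name__ == "__main__":
    crt = build_crt(SAMPLE_RUN_PS1.encode())
    print(certutil_decode(crt).decode(), end="")
    for encoded, decoded in find_base64_strings(SAMPLE_MACRO_TEXT):
        print("%s -> %s" % (encoded, decoded.decode()))
```

When triaging for real, run find_base64_strings over the -v output rather than the -S output: strings that the macro assembles from character arrays only exist once the source is recovered, and a base64 blob that was split into pieces will not match until then either.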