Word Document : Anti Analysis Tricks

This post covers anti-analysis tricks that can be used in a Microsoft Office Word document. The macro stores the real method, window and key names in document variables (for example RegisterProduct holds "Run" and UserLookup holds "FluffyClouds") and invokes them indirectly through CallByName. In the snippets below, lines beginning with // are analyst annotations giving the resolved form of each obfuscated call; the ' comments are the macro's own.
Sample used for analysis -
hxxps://virustotal.com/en/file/d49b2f735d5d4334653d705cb0ff837af88a4981253fb68c6d927745d97a1b3f/analysis/

1. Checking the Length of the Word Document's Name
In malware analysis, samples are commonly saved with their MD5 (32 characters) or SHA-256 (64 characters) hash as the file name, so a document name longer than 16 characters is a cheap heuristic for an analyst's machine.
// if name length is greater than 16 characters
if Me.Name > 16  Then 
//CallByName "Microsoft Word", "Run",1,FluffyClouds
CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, Application.Documents.Item(1).Variables.Item("UserLookup").Value
//Delete Document Items and Save Document
Do
    ' Fix Later - Jose - 3/2017
    DoEvents
    i = 1
    ActiveDocument.Variables.Item(i).Delete
    i = i + 1
Loop Until ActiveDocument.Variables.Count > 0

ActiveDocument.Save

In this case the document calls the FluffyClouds method via CallByName, which prints "Game over - Good Bye", then deletes all document variables and saves the document.

2. Detect Debugger (Microsoft Visual Basic For Applications)
This trick checks whether the Visual Basic Editor window is visible through the Tasks collection, similar to how the FindWindow API is used to detect the presence of a debugger.
//Tasks("Microsoft Visual Basic For Applications").Visible
Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible

3. Time Difference
Compare the difference between two values of the Visual Basic for Applications (VBA) Timer function, which returns the number of seconds elapsed since midnight. This is similar to the rdtsc trick used in executables: a large gap between two reads means the code was paused or single-stepped.

//if difference between number of seconds elapsed since midnight is greater than 0.
If (T2 - CallTimer) > vbNormal Then
' Configure User Corp Account For Data Add In
//run "FluffyClouds" method
CallByName Application, A1.Item("RegisterProduct"), VbMethod, A1.Item("UserLookup").Value 
Else
CallTimer = Timer

4. Schedule Job
Schedule the HostSync procedure to run after 10 seconds with Application.OnTime. HostSync sends the WM_CLOSE (&H10) and WM_DESTROY (&H2) window messages to the Microsoft Visual Basic For Applications window (the VBA editor) through WordBasic.AppSendMessage, equivalent to the Tasks("Microsoft Visual Basic For Applications").SendWindowMessage API, which closes the debugger while the macro keeps running.
//schedule task to run procedure "HostSync" after this much (Now + TimeValue("00:00:10")) time elapsed i.e after 10 seconds.
Application.OnTime Now + TimeValue("00:00:10"), "HostSync"

Sub HostSync()
//CallByName Application.WordBasic,"AppSendMessage",1,"Microsoft Visual Basic For Applications",16,1,0
//send WM_CLOSE window message to Microsoft Visual Basic For Application (VBA window) using Task("Microsoft Visual Basic For Applications").SendWindowMessage API
' Call Home Folder Sync Settings
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H10, 1, 0

//CallByName Application.WordBasic,"AppSendMessage",1,"Microsoft Visual Basic For Applications",2,1,0
//send WM_DESTROY window message to Microsoft Visual Basic For Application (VBA window) using Task("Microsoft Visual Basic For Applications").SendWindowMessage API
' Synchronize Outlook Folders For Invoicing - 2/2016
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H2, 1, 0
End Sub

5. Infinite Loop

If the Microsoft Visual Basic For Applications (VBA) editor window is active, set its Visible property to False; the loop keeps hiding the editor until its Visible property reads False.
//It is an infinite loop by setting visible property of microsoft visual basic editor to false.
Do
DoEvents
//Task("Microsoft Visual Basic For Applications").Visible = False
Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
//Loop Until Tasks("Microsoft Visual Basic For Applications").Visible = False
Loop Until Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False

6. Application Info: Active Window Size and Word Version

WordBasic.AppInfo(7) returns Application.UsableHeight (the maximum height of the space that a window can occupy in the application window area); the macro requires it to be greater than 1000, so a small sandbox display fails the check.
WordBasic.AppInfo(2) returns the Word version (WordBasic.Version); the macro requires it to be at least 14 (Word 2010), with the constant hidden as vbDirectory - vbHidden (16 - 2).

//AppInfo(7) = Application.UsableHeight
If Application.WordBasic.AppInfo(7) > 1000 Then
//AppInfo(2) = Application.Version >= 14
If CInt(Application.WordBasic.AppInfo(2)) >= (vbDirectory - vbHidden) Then

7. SendKeys Method
If the Microsoft Visual Basic For Applications (VBA) editor window is active/visible, use the SendKeys method to send keystrokes with the Wait parameter set to True, which means the application waits for the keys to be processed before returning control to the macro.
A few keystroke values and their meaning:
"%{F11}" = ALT + F11 = Open Word Document.
"^+{F9}" = CTRL + SHIFT + F9 = Clear All Breakpoints.

//Tasks("Microsoft Visual Basic For Applications").Visible    
If Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible Then
//CallByName Application.WordBasic, Sendkeys,1,"^+{F9}",True  
//Send key strokes "^+{F9}" = {CTRL + SHIFT + F9} = Clear All Breakpoints.
//True = Process key strokes before control is return to procedure.
CallByName Application.WordBasic, ActiveDocument.Variables("SalesPipeline").Value, VbMethod, ActiveDocument.Variables("CallLeads").Value, True

8. Directory Count
Get the number of directories under the path held by the %ProgramFiles% environment variable. If the count is less than the specified value (30 in this sample), the macro runs the FluffyClouds method and terminates, treating a sparsely populated Program Files folder as a sign of an analysis machine.
//EmployeeCount=CallByName(Application.WordBasic,Environ$,VbGet,"%ProgramFiles%")
//"C:\Program Files (x86)" Directory Path
EmployeeCount = CallByName(Application.WordBasic,ActiveDocument.Variables("EmployeeID"),VbGet, ActiveDocument.Variables("ManagerName").Value)

//If CallByName(Application.WordBasic,"CountDirectories",VbMethod,%ProgramFiles%)
If CallByName(Application.WordBasic, ActiveDocument.Variables("GetMgmtName"), VbMethod, EmployeeCount) < 30 Then
//run "FluffyClouds" method
CallByName Application, ActiveDocument.Variables("RegisterProduct"), VbMethod, ActiveDocument.Variables("UserLookup")

9. Renaming Macro - Crash Debugger (Microsoft Visual Basic For Applications)
//Application.OrganizerRename "AntiAn.doc","ThisDocument","Temp",3
//Rename macro "ThisDocument" to "Temp".
Application.OrganizerRename ActiveDocument.FullName, Application.WordBasic.macroname(1), "Temp", wdOrganizerObjectProjectItems
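As an added example (not part of the original post or the sample's own code), the following Python resolves the document-variable indirection used throughout sections 1 to 9 and flags the anti-analysis calls in extracted VBA source. The variable-to-string mapping is assumed from the // annotations above, and the sample VBA lines are constructed.

```python
import re

# Constructed lookup table: document-variable names quoted in the post and the
# strings the post's annotations say they resolve to (assumed from the post).
DOC_VARS = {
    "RegisterProduct": "Run", "UserLookup": "FluffyClouds",
    "DailyTaskLog": "Microsoft Visual Basic For Applications",
    "InvoiceNumber": "AppSendMessage", "SalesPipeline": "SendKeys",
    "CallLeads": "^+{F9}", "EmployeeID": "Environ$",
    "ManagerName": "%ProgramFiles%", "GetMgmtName": "CountDirectories",
}

# Lookup forms seen in the post: ActiveDocument.Variables("X").Value, ThisDocument.Variables.Item("X"), A1.Item("X") ...
_VAR_REF = re.compile(
    r'(?:(?:ActiveDocument|ThisDocument|Application\.Documents\.Item\(1\))\.Variables|\bA1)'
    r'(?:\.Item)?\(\s*"([^"]+)"\s*\)(?:\.Value)?')

# Indicators for the tricks described above, matched against the resolved line.
INDICATORS = [
    ("name-length check", re.compile(r"\bMe\.Name\b\s*>")),
    ("VBE window probe", re.compile(r'Tasks\("Microsoft Visual Basic For Applications"\)')),
    ("Timer delta", re.compile(r"\bTimer\b")),
    ("OnTime scheduled job", re.compile(r"Application\.OnTime")),
    ("WM_CLOSE/WM_DESTROY to VBE", re.compile(r'"AppSendMessage".*&H(?:10|2)\b')),
    ("SendKeys clear breakpoints", re.compile(r'"SendKeys".*\^\+\{F9\}')),
    ("CountDirectories check", re.compile(r'"CountDirectories"')),
    ("OrganizerRename", re.compile(r"\bOrganizerRename\b")),
    ("CallByName indirection", re.compile(r"\bCallByName\b")),
]

def resolve_variables(line, doc_vars=DOC_VARS):
    # Swap each document-variable lookup for the literal string it holds.
    return _VAR_REF.sub(lambda m: '"%s"' % doc_vars[m.group(1)]
                        if m.group(1) in doc_vars else m.group(0), line)

def scan(vba_source, doc_vars=DOC_VARS):
    """Return (line_no, resolved_line, labels) for each line hitting an indicator."""
    hits = []
    for n, raw in enumerate(vba_source.splitlines(), 1):
        line = resolve_variables(raw, doc_vars)
        labels = [label for label, pat in INDICATORS if pat.search(line)]
        if labels:
            hits.append((n, line.strip(), labels))
    return hits

# Constructed sample, modelled on the obfuscated calls quoted in the post.
SAMPLE_VBA = """if Me.Name > 16  Then
CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, Application.Documents.Item(1).Variables.Item("UserLookup").Value
Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H10, 1, 0
CallByName Application.WordBasic, ActiveDocument.Variables("SalesPipeline").Value, VbMethod, ActiveDocument.Variables("CallLeads").Value, True
"""
```

Feed the VBA source dumped from the document (for example by olevba) and the document variables recovered from the file into scan() to get a per-line triage listing.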
