1
00:00:00,510 --> 00:00:04,420
Hello and welcome to a new session. In this session,

2
00:00:04,440 --> 00:00:11,860
we are going to look at the principles of analyzing VBA macro scripts.

3
00:00:12,660 --> 00:00:16,980
So in this video, we will talk about the principles first.

4
00:00:19,160 --> 00:00:28,790
The learning objectives for this video are: what VBA functions to focus on, review the workflow for

5
00:00:28,790 --> 00:00:30,260
script analysis,

6
00:00:31,350 --> 00:00:42,330
and analyze a malicious VBA script in a walkthrough. Visual Basic for Applications, also known as VBA, is essentially

7
00:00:42,330 --> 00:00:49,830
Visual Basic. Now, Visual Basic can be embedded inside a Microsoft Office document.

8
00:00:50,460 --> 00:00:59,620
And that's what makes Microsoft Office documents a good choice for malware authors, because this Visual Basic for

9
00:00:59,800 --> 00:01:04,200
Applications is actually a programming language, therefore malware authors,

10
00:01:04,270 --> 00:01:07,350
they can basically write code

11
00:01:07,950 --> 00:01:17,760
that will allow the document to write to the file system or to open a network connection or to execute

12
00:01:17,850 --> 00:01:19,050
other programs.

13
00:01:20,100 --> 00:01:28,440
So now I'm going to outline a demo for you of how you can open and view macros in an Office document.

14
00:01:29,850 --> 00:01:36,180
You should use a virtual machine to open the document with Microsoft Word 2013.

15
00:01:37,540 --> 00:01:44,830
After opening, you will see the screen here and there will be a button here, Enable Content. Do

16
00:01:44,830 --> 00:01:47,650
not click on it; do not enable the content.

17
00:01:48,670 --> 00:01:53,500
Now, notice that the file chosen is Huguet three, the Newseum.

18
00:01:53,950 --> 00:01:58,480
And this is a file we extracted in the earlier lesson from the PDF,

19
00:01:58,480 --> 00:02:10,690
the file embedded in that PDF. After you have opened it, click on View and then click on View Macros.
20
00:02:12,250 --> 00:02:22,420
You will then see a dialog box come across, and in here you will see on the list the macros.

21
00:02:23,230 --> 00:02:29,410
In this example, you have three: AutoOpen, Document_Open and employ.

22
00:02:30,280 --> 00:02:38,800
So select the macro you want to view and click on Edit; you will then open up an application

23
00:02:38,810 --> 00:02:40,180
called Microsoft

24
00:02:40,330 --> 00:02:43,550
Visual Basic for Applications, and it will show you the code.

25
00:02:44,350 --> 00:02:45,780
So this is what it looks like.

26
00:02:46,420 --> 00:02:53,520
Sometimes, however, you will not be able to open it because some files are password protected.

27
00:02:53,560 --> 00:02:57,890
So in those cases, you will not be able to view this unless you have the password.

28
00:02:58,690 --> 00:03:04,870
So if there is no password, then you can just open it in this manner and view it directly.

29
00:03:05,620 --> 00:03:09,970
So now I will go through the walkthrough with you and show you how to do it.

30
00:03:11,090 --> 00:03:22,870
I have here my virtual machine running Windows 7 64-bit, and inside, in this folder,

31
00:03:22,870 --> 00:03:32,160
I have you three, which we have extracted from this file earlier, a PDF file from an earlier lesson.

32
00:03:33,580 --> 00:03:39,010
So the first thing I do is to make a copy of this, and then I make use of this copy.

33
00:03:39,820 --> 00:03:49,570
And this file, we have discovered from the earlier lesson, is Office Open XML format, meaning it is a

34
00:03:49,640 --> 00:03:52,410
zip format.

35
00:03:52,420 --> 00:03:57,350
So we can just rename it as we G3 the.

36
00:04:00,800 --> 00:04:06,430
So Amnesia's klymenko inside, so now we are going to open it correctly.

37
00:04:07,490 --> 00:04:12,850
And make sure you're in the virtual machine; do not open it inside your host machine.

38
00:04:14,870 --> 00:04:17,300
You will now see this button and it will.
39
00:04:18,110 --> 00:04:23,270
Do not click on it, because if you click on this, then the macro is automatically executed.

40
00:04:24,300 --> 00:04:33,960
Instead of clicking on this, you can view the macro without executing it. Click on View, and you notice

41
00:04:33,960 --> 00:04:37,420
that I'm using Microsoft Office 2013.

42
00:04:38,700 --> 00:04:43,380
So after clicking on View, click on Macros and then select View Macros.

43
00:04:44,890 --> 00:04:51,850
And here is a list of all the macros; there will be a script. You can click any one of these and

44
00:04:51,850 --> 00:04:53,950
click Edit and it will open for you.

45
00:04:53,950 --> 00:05:01,360
For example, if I select the last one and click Edit, it will then open up Visual Basic for Applications

46
00:05:01,600 --> 00:05:02,100
and show it.

47
00:05:03,460 --> 00:05:04,570
So this is the macro.

48
00:05:10,370 --> 00:05:20,480
So this is how you can open and view a macro from the Office document. Let us now head back to our

49
00:05:21,530 --> 00:05:25,060
PowerPoint slides. Right now, VBA functions.

50
00:05:25,910 --> 00:05:31,700
The next thing we're going to look at, and these are the four important ones, which are obviously

51
00:05:31,700 --> 00:05:38,810
used by the authors when they are trying to use Microsoft Office to launch some kind of malware

52
00:05:38,810 --> 00:05:39,250
attack.

53
00:05:40,070 --> 00:05:47,000
The first is AutoOpen or Document_Open. Think of these two functions as being on open.

54
00:05:47,010 --> 00:05:55,530
So whenever the Microsoft document is opened, these two functions will automatically run and execute whatever

55
00:05:55,760 --> 00:05:56,510
we specify.

56
00:05:57,800 --> 00:06:04,970
And then there's also AutoClose, other pieces: when the document is closed, this thing executes.

57
00:06:05,720 --> 00:06:09,650
So if you close the document, it runs whatever is specified.
58
00:06:10,310 --> 00:06:16,440
Next one is the Chr function. The Chr function returns a character from an ASCII value.

59
00:06:16,760 --> 00:06:25,080
So normally it would be an ASCII code for an alphabet, for a character, so this function will convert

60
00:06:25,280 --> 00:06:31,420
that numeric representation of an alphabet back into the original alphabet.

61
00:06:32,210 --> 00:06:37,870
And then sometimes the number, the numeric representation, may not be so simple.

62
00:06:38,180 --> 00:06:42,680
It may be, for the obfuscation, some kind of mathematical expression.

63
00:06:43,640 --> 00:06:52,880
So the authors always use this function in order to obfuscate the data, the strings in the script, so

64
00:06:52,880 --> 00:06:54,740
that it is difficult for analysis.

65
00:06:56,120 --> 00:06:59,090
And then the next one is Shell, the Shell function.

66
00:06:59,400 --> 00:07:00,260
It executes a program.

67
00:07:00,260 --> 00:07:11,000
So the Shell function is also often used by authors to run operating system functions, and you can also execute

68
00:07:11,810 --> 00:07:13,030
shell scripts.

69
00:07:13,550 --> 00:07:15,950
So it's a very powerful function.

70
00:07:17,240 --> 00:07:24,200
So these are the four which you should be aware of, because they are always being used in malicious

71
00:07:24,200 --> 00:07:35,150
documents, Office files, and sometimes the authors need to use some kind of function which is not available

72
00:07:35,540 --> 00:07:37,920
from the macro script, the VBA script.

73
00:07:38,390 --> 00:07:42,370
So in those cases, then you have to declare this import.

74
00:07:42,860 --> 00:07:48,190
So this is how you declare an import using VBA, Visual Basic.

75
00:07:48,920 --> 00:07:55,950
So the author would declare what function they want to import, in this case can be put aside.

76
00:07:56,360 --> 00:07:57,810
And where does it come from?

77
00:07:57,830 --> 00:08:03,850
It comes from the user32.dll file, which is a system DLL, the same thing.
78
00:08:03,860 --> 00:08:12,480
Then there is OpenProcess, and it comes from kernel32; the same for WriteProcessMemory and ReadProcessMemory.

79
00:08:13,190 --> 00:08:18,170
So all these four here are often used for injecting into processes.

80
00:08:19,540 --> 00:08:27,420
And this is one example which is being used; this is a macro script which will try to open a track

81
00:08:27,820 --> 00:08:30,490
and create a process, open a process.

82
00:08:30,700 --> 00:08:32,980
So it's running again, right?

83
00:08:33,130 --> 00:08:39,970
Inject some code into the process so that whatever is injected will run inside that process.

84
00:08:40,300 --> 00:08:42,130
So this is how you can hide processes.

85
00:08:43,690 --> 00:08:46,810
So this is the power of macros,

86
00:08:47,010 --> 00:08:50,640
VBA, Visual Basic macros.

87
00:08:51,130 --> 00:09:00,670
So this is why you can see that this is a choice for many authors to launch a malware attack, that

88
00:09:00,670 --> 00:09:02,830
is, to use Microsoft Office documents.

89
00:09:03,670 --> 00:09:07,600
Next thing is, we want to have a revision of obfuscation.

90
00:09:08,120 --> 00:09:15,610
We've already seen this before when we were studying PDF files, analysis of PDFs.

91
00:09:16,150 --> 00:09:23,640
So in these files, scripts are normally obfuscated so that it is difficult for analysis.

92
00:09:24,160 --> 00:09:29,650
And these are the four common areas where scripts can be obfuscated. First is formatting.

93
00:09:30,370 --> 00:09:36,550
Formatting is to remove all the white spaces and also the formatting like tabs and so on,

94
00:09:36,850 --> 00:09:38,800
so that it is difficult to read.

95
00:09:39,070 --> 00:09:48,220
The whole code becomes a meaningless block of code. Next is to inject extraneous code, which means to inject unnecessary

96
00:09:48,640 --> 00:09:50,100
expressions or lines,
97
00:09:50,120 --> 00:09:57,930
or instructions, in order to make the code longer and difficult to understand. Now, in order to defeat

98
00:09:57,940 --> 00:10:07,650
this, you have to look for all those instructions which are only used once and remove them. Now,

99
00:10:07,690 --> 00:10:14,440
for formatting, in order to defeat formatting obfuscation, we can use prettify, as I

100
00:10:14,440 --> 00:10:15,160
explained earlier.

101
00:10:16,120 --> 00:10:24,700
Next, data obfuscation. Data obfuscation is where the malicious author takes a string, for example

102
00:10:24,700 --> 00:10:33,220
a URL, and then breaks it up into individual characters and then uses complicated functions to make it

103
00:10:33,220 --> 00:10:40,600
difficult to understand; when those functions are concatenated and run together, the original string

104
00:10:40,600 --> 00:10:41,980
will be recreated.

105
00:10:42,520 --> 00:10:50,580
The same thing is true for creating temporary file paths or other paths, or even file names or even instructions.

106
00:10:50,590 --> 00:10:52,940
All those can be data obfuscated.

107
00:10:54,480 --> 00:11:03,150
And the fourth one in the arsenal for the authors is substitution. Substitution is really meant to make

108
00:11:03,170 --> 00:11:13,530
a variable name into meaningless random names so that when the analyst looks at it, the analyst will

109
00:11:13,530 --> 00:11:17,640
not know what the variable is supposed to hold or what it is supposed to do.

110
00:11:18,360 --> 00:11:25,140
And we have seen before that the way to defeat this is to look for the meaning of the usage of those

111
00:11:25,140 --> 00:11:27,840
variables and then rename them accordingly.

112
00:11:28,980 --> 00:11:36,540
So this is the revision of the four script obfuscations, and this is also the same thing we had seen before.

113
00:11:36,880 --> 00:11:40,950
Whenever we do script analysis, we want to look for indicators.
114
00:11:41,460 --> 00:11:46,290
So the indicators, for example, you should be looking for URLs

115
00:11:46,290 --> 00:11:50,460
inside the document or the malware or the script.

116
00:11:51,090 --> 00:11:54,600
These URLs are typically used for the second stage.

117
00:11:55,920 --> 00:12:02,970
So the first stage will be the document, and then the document will run some script, trying to reach

118
00:12:02,970 --> 00:12:08,880
out to some URL to download the binary, the malicious binary files.

119
00:12:09,750 --> 00:12:17,450
Next thing to look out for is commands. Whenever you see commands, you should be careful with these commands, so

120
00:12:17,470 --> 00:12:23,500
these commands can further run PowerShell, and PowerShell is very powerful.

121
00:12:25,170 --> 00:12:26,790
Next will be file names.

122
00:12:27,450 --> 00:12:32,690
You should be looking out for file names as well, because file names can give you a clue as to what is

123
00:12:32,700 --> 00:12:40,470
the name of the second stage, which is downloaded from the Internet, or what is the name of the

124
00:12:40,470 --> 00:12:49,080
path, the path where the malicious document or malicious files are being copied to and hidden in the operating

125
00:12:49,080 --> 00:12:49,530
system.

126
00:12:50,490 --> 00:12:53,010
So these are the three things to look out for.

127
00:12:53,940 --> 00:13:04,290
Now there's a tool that is called ViperMonkey, and ViperMonkey is available in REMnux, and ViperMonkey

128
00:13:04,290 --> 00:13:07,230
can emulate the VBA engine.

129
00:13:07,560 --> 00:13:16,200
When you use ViperMonkey like this, vmonkey and the name of the document that you want to analyse, then

130
00:13:16,200 --> 00:13:25,230
ViperMonkey executes, emulating the running of the VBA, and tries to look for malware artefacts,

131
00:13:25,500 --> 00:13:32,850
and then comes up with a nice report to tell you what the VBA macro is trying to do.
132
00:13:36,360 --> 00:13:42,990
And you can also do string deobfuscation and replacement, so if you run with the --deobf

133
00:13:43,650 --> 00:13:48,090
option, it would deobfuscate the strings and show you the original text.

134
00:13:48,810 --> 00:13:54,030
And if you run with the dash option, it will replace those deobfuscated strings in the.

135
00:13:57,010 --> 00:14:00,460
Thank you for watching, and that's all for this video.

136
00:14:00,670 --> 00:14:02,220
I'll see you in the next one.