How to detect most malicious macros without an antivirus

mraptor is a simple tool designed to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code. This article explains how it works, and how it can be used in practice.

Malicious VBA Macros

VBA macros in MS Office files have been used since 1995 to deliver malware, and especially since 2014. See the presentation How to grill Malicious Macros for more information and examples.

Creating malware with VBA macros is very easy, and new versions appear every day. This is one of the reasons why the traditional detection approach based on antivirus signatures fails to detect most waves of VBA malware when they start hitting their targets. It takes several hours for antivirus companies to detect and capture malware samples, generate new signatures to detect them, and distribute the signatures to all the end-users. By then, it is very likely that a new wave is ready to start, one that evades the previous signatures.

For example, this sample captured today was only detected by 1 antivirus engine out of 53 according to VirusTotal.

VBA Malware - Observations

After analyzing many malicious VBA macros, I noticed the following characteristics:

  • every malicious macro needs to be triggered automatically when the MS Office file is opened or closed. Therefore, it requires at least one of the trigger functions provided by the VBA API (Document_Open, AutoOpen, Document_Close, etc.).
  • every malicious macro needs to act on the underlying system. For this, it must drop a malicious payload either as a file, or as shellcode injected into another process. Then, it must trigger the execution of that payload in some way. Most macros do both, but a few samples manage to deliver their payload with only a write operation or only an execute operation.
  • A significant share of the macros observed since 2014 download their payload using HTTP. But this is not always the case: some macros include the payload encoded in the VBA code or in the document. Download actions alone are therefore not discriminating enough to be used for detection.
  • Some legitimate macros may use the same features as malicious macros, but it is very unlikely that such a macro would combine all of the above.
  • Most malicious macros are obfuscated: they use various techniques in order to hide their behaviour, and any string that would help analysis and detection (e.g. IOCs such as IP addresses or URLs). Luckily, many VBA keywords used by malware for automatic triggers, payload dropping and payload execution CANNOT be obfuscated, because VBA code must appear in clear text. This is because VBA does not provide the ability to run code stored in a string, contrary to JavaScript with eval() and VBScript with Execute.
  • MS Office files can be encrypted, requiring a password to be opened. In this case, VBA macros are NOT encrypted with the rest of the document. Therefore, malicious macros cannot be protected with encryption.
  • It is also possible to protect access to a VBA project with a password. But this password is only a logical protection enforced by MS Office. The VBA code is not encrypted in the file, and can always be extracted in clear text by third-party tools.

MRaptor - How it works

Based on these observations, I designed mraptor with the following algorithm:

  • Using regular expressions, mraptor looks for three specific characteristics:
    • A: Automatic triggers
    • W: Any write operation that may be used to drop a payload
    • X: Any execute operation
  • The macro is flagged as suspicious if it contains at least one automatic trigger together with at least one write operation or execute operation. In short: A and (W or X).

This algorithm may look very basic, but according to my tests so far the detection rate is 100%. I observed a few false positives with legitimate macros.
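As an added example (not mraptor's own code or regular expressions), here is a minimal Python implementation of the A and (W or X) rule described above, run over three constructed VBA snippets: one with trigger, write and execute, and two legitimate-looking ones that illustrate why a trigger alone or a write alone is not flagged. The keyword lists, the dropping of whole-line comments before matching, and the sample snippets are assumptions chosen for illustration, not mraptor's actual lists or real samples.

```python
import re

# Added example, not mraptor's own code or regexes: the "A and (W or X)" rule
# applied to VBA source text. Keyword lists are assumptions for illustration.

# A: automatic triggers that run when the document is opened or closed
RE_AUTOEXEC = re.compile(r"\b(?:Auto(?:Open|Close|Exec|Exit|New)"
                         r"|Document_(?:Open|Close)|Workbook_(?:Open|Close))\b", re.I)
# W: file operations that may be used to drop a payload to disk
RE_WRITE = re.compile(r"\b(?:Open\b[^\n]*\bFor\s+(?:Output|Binary|Append)"
                      r"|SaveToFile|Write\s*#|Put\s*#|CopyFile|ADODB\.Stream)", re.I)
# X: operations that may execute a dropped payload
RE_EXECUTE = re.compile(
    r"\b(?:Shell|WScript\.Shell|ShellExecute|CreateObject|CreateProcessA?)\b", re.I)
# Whole-line VBA comments never execute, so drop them before matching
RE_COMMENT_LINE = re.compile(r"^\s*'.*$", re.MULTILINE)


def scan_vba(vba_code):
    """Return (flags, suspicious); flags is 'AWX' with '-' for absent letters."""
    code = RE_COMMENT_LINE.sub("", vba_code)
    has_a = bool(RE_AUTOEXEC.search(code))
    has_w = bool(RE_WRITE.search(code))
    has_x = bool(RE_EXECUTE.search(code))
    flags = ("A" if has_a else "-") + ("W" if has_w else "-") + ("X" if has_x else "-")
    return flags, has_a and (has_w or has_x)


# Constructed VBA snippets (not real samples) covering the three outcomes.
DROPPER_PATTERN = """Sub AutoOpen()
    p = Environ("TEMP") & "/dropped.bin"
    Open p For Binary As #1
    Put #1, , data
    Close #1
    Shell p, vbHide
End Sub
"""
LEGIT_TRIGGER_ONLY = """Sub Document_Open()
    ' constructed: no Shell or file write here, only a field refresh
    ActiveDocument.Fields.Update
End Sub
"""
LEGIT_WRITE_NO_TRIGGER = """Sub ExportReport()
    Open "report.csv" For Output As #1
    Write #1, "a", "b"
End Sub
"""

if __name__ == "__main__":
    for src in (DROPPER_PATTERN, LEGIT_TRIGGER_ONLY, LEGIT_WRITE_NO_TRIGGER):
        print(scan_vba(src))  # ('AWX', True), ('A--', False), ('-W-', False)
```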

To be continued...

Soon I will provide more details about the detection algorithm, and how to use mraptor in practice, to scan files and e-mails. Stay tuned.