Manually Removing the Password from Malicious VBA Projects

Malicious actors are always looking for a way to deliver their malware to their targets. Recently, they have resorted to distributing malicious Office documents containing VBA macros. This method is often effective because all the user needs to do is click the “Enable Macros” prompt displayed in the document, and code execution is achieved. They often rely on social engineering to persuade the target to run the macro. For example, a recent campaign has revealed that the authors will have the document display “encrypted” text. It will then ask the user to click “Enable Macros” in order to decrypt it. Once the macro is run, it hides the “encrypted” text and then reveals actual readable text.

You can read more about this here

With the popularity of VBA macros increasing, attackers are now trying to find ways to prevent people from actually seeing what the malicious macro does. The most common method that I have seen is password protecting the project. This definitely keeps people from viewing the code, but with a little hex manipulation, you can remove that password.

I have had a few people ask me how to manually remove the password from a VBA project without using commercial tools. Luckily, you can accomplish the same task by using your favorite hex editor.

To do so, just open the suspicious Office document in a hex editor. Once open, search for the string “DPB”.


All you have to do is replace that value with “DPX”. Once changed, save and close the document.


When you re-open the document and click on “Visual Basic” in the Developer tab, you will be prompted with two errors. Just click through them.


If you don’t have the Developer tab, you can add it by going to File -> Options -> Customize Ribbon and checking the “Developer” checkbox on the right-hand side.

Clicking on “Visual Basic” will open the Visual Basic Editor. From here, you can see and edit any new or existing projects. Right-click on the malicious project and select “Project Properties”. Once the properties are displayed, select the “Protection” tab and uncheck the “Lock Project for Viewing” checkbox.


Save and close the document. When you re-open, you will be able to view the VBA project by going to the Developer tab and clicking “Visual Basic”. From there, the previously protected VBA project is now open and ready to be analyzed.
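The DPB-to-DPX rename from the hex-editor step can also be scripted so it runs on a copy of the sample inside an analysis VM. This is an added example, not code from the original post: it goes slightly beyond the post by also handling macro-enabled OOXML files, where the project sits in a zipped `vbaProject.bin`, and the function names and sample bytes are constructed for illustration.

```python
import sys
import zipfile
from io import BytesIO

MARKER, PATCHED = b'DPB="', b'DPX="'   # same length, so container offsets do not shift

# Constructed sample: OLE magic followed by a fake PROJECT stream (not a real document).
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 +
          b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
          b'CMG="0A0B"\r\nDPB="1C1D"\r\nGC="2E2F"\r\n')


def patch_bytes(data):
    """Rename every DPB=" key to DPX="; return (patched_bytes, hit_count)."""
    return data.replace(MARKER, PATCHED), data.count(MARKER)


def patch_document(data):
    """Patch a legacy OLE file directly, or each vbaProject.bin inside an OOXML zip."""
    if not data.startswith(b"PK\x03\x04"):
        return patch_bytes(data)      # .doc/.xls: PROJECT stream text is visible as-is
    hits, out = 0, BytesIO()
    with zipfile.ZipFile(BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            body = src.read(item)
            if item.filename.lower().endswith("vbaproject.bin"):
                body, n = patch_bytes(body)   # the macro container is itself an OLE file
                hits += n
            dst.writestr(item, body)
    return out.getvalue(), hits


def make_sample_docm():
    """Constructed OOXML-style zip holding SAMPLE as word/vbaProject.bin."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/vbaProject.bin", SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python unlock_vba.py suspicious.doc  -> writes suspicious.doc.patched
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            patched, count = patch_document(fh.read())
        with open(sys.argv[1] + ".patched", "wb") as fh:
            fh.write(patched)
        print(f"{count} DPB key(s) renamed")
    else:
        print(patch_document(SAMPLE)[1], patch_document(make_sample_docm())[1])
```

A hit count of zero means the marker was not found as a contiguous byte string, in which case the hex-editor search described above would not find it either.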

 

Thanks,
Matt N. (@enigma0x3)
