Metasploit has a module to create Microsoft Word document with macros (.docm): office_word_macro.
Documents generated with this module are not that hard to analyze and detect, because they always use the same VBA code. As I explain in my workshops and trainings, although the “new” Office file format (OOXML) is a ZIP container for XML files, VBA code is still stored inside a binary file (vbaProject.bin) using the “old” file format (Compound File Binary Format, or ole file as I like to call it). This Metasploit module always uses the same vbaProject.bin file (inside the template file), and I explain how to analyze and detect it in this video:
I show YARA rules and ClamAV signatures in this video to detect documents created with this Metasploit module.
Here are the YARA rules:
/* Version 0.0.1 2017/08/20 Source code put in public domain by Didier Stevens, no Copyright https://DidierStevens.com Use at your own riskHistory:
2017/08/20: start
*/import “hash”
rule metasploit_office_word_macro_ID_GUID {
meta: description = "Detect Metasploit's office_word_macro unique GUID" strings: $ID = "ID=\"{BB64F33D-3617-FA44-AFC9-63F65314A8A3}\"" condition: $ID
}
rule metasploit_office_word_macro_vbaproject_bin_zipped {
meta:
description = “Detect .docm files created with Metasploit’s office_word_macro exploit”strings: $a = {776F72642F76626150726F6A6563742E62696EED3B0D7853D775E75D3D0959B6B1640C7120908B4CB04C2421C9B22D3B98EADF86D860B0032421C1FA79C222B2A44A4FD8E4A795B1D3928435AC5D33CAD20E42DAA62DEB489AB07EE9BA8976FB42F3B5DF48D3ED4BBA7531C99666FDBE0E4AB32F69B6C43BF7BD275BFE2350BA} condition: $a and hash.md5(@a + 19, 5962) == "e5995aba8551f30cc15c87ee49fb834a"
}
The first rule (metasploit_office_word_macro_ID_GUID) detects the vbaProject.bin file used by this Metasploit module based on the unique ID ({BB64F33D-3617-FA44-AFC9-63F65314A8A3}) stored inside stream PROJECTwm of file vbaProject.bin. This rule must be used with a tool that can scan inside ZIP files, like zipdump.py or ClamAV.
If you can’t use such a tool, you can still use the second rule (metasploit_office_word_macro_vbaproject_bin_zipped) with the standard YARA scanner: this rule looks for the datastream of the compressed vbaProject.bin file inside Office files.
Here are the ClamAV signatures:
Signature to be put inside a .ndb file: metasploit_office_word_macro_ID_GUID:0:*:49443D227B42423634463333442D333631372D464134342D414643392D3633463635333134413841337D22 Signature to be put inside a .hdb file: 1788454ae206101fa6febf99005ce03b:15872:metasploit_office_word_macro_vbaproject_bin
The first signature (metasploit_office_word_macro_ID_GUID) detects the unique ID (just like the first YARA rule), and the second signature (metasploit_office_word_macro_vbaproject_bin) detects the vbaProject.bin file based on the MD5 hash (1788454ae206101fa6febf99005ce03b).
ClamAV is able to scan inside OOXML/ZIP files.
Article Link: https://blog.didierstevens.com/2017/11/02/analyzing-metasploits-office-maldoc/