Wednesday, 8 August 2018

Macro used to spoof the Parent Process

Recently I came across an interesting macro-based document which used several techniques that are uncommon in malicious macros.

The techniques used in this document can be used to evade both the static and the dynamic analysis performed by security products. I'll cover both aspects and explain why they can be used to evade analysis.

MD5 hash: 2d7889010b497e66b342ee32dca559c1

1st Stage Macro

It is important to note that this macro cannot be extracted with OfficeMalScanner. However, other open source tools such as olevba can be used to successfully extract the macro.

Sandbox Evasion

The first check performed by this macro code is to identify whether it's being analyzed inside a Sandbox. It does this using the following method:

1. Runs the WMI query "Select * from Win32_ComputerSystem" and reads its UserName property to get the username of the user logged on to the current computer.
2. Iterates over an array of predefined usernames (known to be used in malware analysis systems) and compares the current system's username with each of them.

Usernames hardcoded in the macro are: "admin", "malfind", "sandbox", "test"

A simple evasion technique, but it can be effective.

Macro embedded inside Macro to evade Static Analysis

The second stage macro is base64 encoded and embedded inside the 1st stage macro. The 1st stage macro will load and execute the second stage macro on the fly as shown below:

        ' New Word.Application instance (CLSID 000209FF-...) with a fresh document
        Set errDesktop = GetObject("new:000209FF-0000-0000-C000-000000000046")
        Set merrFolder = errDesktop.Documents.Add
        ' Add a standard module (vbext_ct_StdModule = 1) to the new document's VBA project
        Set objectFile = merrFolder.VBProject.VBComponents.Add(1)
        ' MSXML DOMDocument (CLSID 2933BF90-...) used only as a base64 decoder
        Set gtypeDesktop = GetObject("new:2933BF90-7B36-11D2-B20E-00C04F983E60")
        Set mlngCode = gtypeDesktop.createElement("merrFound")
        mlngCode.DataType = "bin.base64"
        mlngCode.Text = curQuantity                  ' curQuantity holds the base64 second stage
        blnCurrent = mlngCode.NodeTypedValue         ' decoded bytes of the second stage source
        ' Paste the decoded source into the module, i.e. the second stage is compiled at runtime
        objectFile.CodeModule.AddFromString StrConv(blnCurrent, vbUnicode)

The CLSID "000209FF-0000-0000-C000-000000000046" corresponds to the Word.Application COM object, so the macro creates a second Word instance to host the new code.

The CLSID "2933BF90-7B36-11D2-B20E-00C04F983E60" corresponds to the MSXML DOM Document object. No XML is processed here; the object is used as a base64 decoder: setting DataType to "bin.base64" and reading NodeTypedValue returns the decoded bytes.

Using "VBProject.VBComponents.Add" it dynamically adds a new VBA module to the VBA project at runtime. Note that programmatic access to VBProject is refused unless "Trust access to the VBA project object model" is enabled in the Office Trust Center, so this step depends on that setting being turned on.

The embedded macro is stored as a base64 string, so it is base64 decoded and added to the VBA project at runtime.

Once this is done, the following statement will invoke the second stage macro by calling the function, Auto_Open() as shown below:

        errDesktop.Run ("Auto_Open")

Using this technique, the second stage macro, which contains the actual malicious code, is hidden, and static analysis applied only to the first stage macro will not be effective.

It's a simple technique to evade static analysis.

Spoofing the Parent Process

In the second stage macro, an interesting technique is used to spoof the parent process of the newly created process. In normal cases, if the macro inside a Word document starts a new process, the parent process of this newly created process will be winword.exe.

If a sandbox is used to analyze a Word document, it monitors the winword.exe process. So, any new process created by winword.exe will automatically be monitored by the sandbox as well.

However, if the newly created process appears as a child process of another process, this can confuse a sandbox and it may not analyze the activities of the new process.

So, how does the macro in our case achieve this?

It uses the following steps:

1. Gets the process ID of the explorer.exe process by running the WMI query: SELECT ProcessId FROM Win32_Process WHERE Name = 'explorer.exe'

2. Opens a handle to the explorer.exe process

3. InitializeProcThreadAttributeList() is used to initialize the attribute list structure

4. UpdateProcThreadAttribute() is used to update the attribute list with the process handle of explorer.exe (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute)

5. Gets the path of dllhost.exe on the system based on the system architecture (32-bit or 64-bit)

6. Starts the new process, dllhost.exe, using CreateProcessA() with the process creation flags set to 0x80004:

0x80000 - corresponds to EXTENDED_STARTUPINFO_PRESENT

0x4 - corresponds to CREATE_SUSPENDED

So, the new process is created using the flags EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED.

The first flag tells CreateProcessA() that a STARTUPINFOEX structure is being passed; its additional member, lpAttributeList, carries the attribute list prepared in steps 3 and 4.

This feature was added in Windows Vista and is available in all later versions of Windows.

As a result, dllhost.exe runs as a child process of explorer.exe and not as a child process of winword.exe.

7. It then proceeds to inject the shellcode into the suspended dllhost.exe process and perform the malicious activities.
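As an added example (my own code, not code from the post or from the sample), the following Python shows how the chain above can be spotted from process telemetry: Sysmon event 10 (ProcessAccess) records the handle an Office process opens on explorer.exe together with the access it was granted, and Sysmon event 1 (ProcessCreate) records the dllhost.exe launch with explorer.exe as its claimed parent. The records are constructed here using Sysmon's field names; the assumption that a legitimate dllhost.exe always carries a /Processid:{CLSID} argument should be validated against your own baseline.

```python
import re

PROCESS_CREATE_PROCESS = 0x0080   # access right needed to pass a process as a parent
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_process_access(ev):
    """Sysmon EID 10: an Office process opened another process with
    PROCESS_CREATE_PROCESS, which step 2 of the chain needs before the
    handle can be used as a PROC_THREAD_ATTRIBUTE_PARENT_PROCESS."""
    if ev["EventID"] != 10:
        return False
    granted = int(ev["GrantedAccess"], 16)
    return image_name(ev["SourceImage"]) in OFFICE_APPS and bool(granted & PROCESS_CREATE_PROCESS)

def suspicious_dllhost(ev):
    """Sysmon EID 1: a legitimate COM surrogate carries '/Processid:{CLSID}';
    a bare dllhost.exe under explorer.exe matches the sacrificial process
    used by this macro (assumption: that baseline holds on monitored hosts)."""
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "dllhost.exe":
        return False
    has_clsid = re.search(r"/processid:\{[0-9a-f-]+\}", ev["CommandLine"], re.I)
    return image_name(ev["ParentImage"]) == "explorer.exe" and not has_clsid

def find_ppid_spoofing(events):
    """Correlate the two signals: an Office process obtained PROCESS_CREATE_PROCESS
    on PID X, and a bare dllhost.exe later claims PID X as its parent."""
    handles = {}   # target pid -> Office image that opened it
    alerts = []
    for ev in events:
        if suspicious_process_access(ev):
            handles[ev["TargetProcessId"]] = ev["SourceImage"]
        elif suspicious_dllhost(ev):
            alerts.append({"pid": ev["ProcessId"], "claimed_parent": ev["ParentImage"],
                           "likely_creator": handles.get(ev["ParentProcessId"])})
    return alerts

# Constructed sample events, modelled on the chain in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 1234, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": "dllhost.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1234, "ProcessId": 5678},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",   # benign surrogate, placeholder CLSID
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 900, "ProcessId": 5690},
]
```

Running find_ppid_spoofing(SAMPLE_EVENTS) flags only the bare dllhost.exe (PID 5678) and names WINWORD.EXE as the process that obtained a creation-capable handle on its claimed parent.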


The techniques used by this macro are easy to implement and provide an effective way to bypass both static and dynamic analysis by leveraging simple features provided by the Microsoft OS.