Hello, I'm Didier, and in this video I'm going to show you how you can analyze a Word document with VBA macros that was created using Metasploit. This document is easy to recognize, because this Metasploit module will always create the same macros. Later I will show you how you can create your own document for practicing analysis, and also how you can easily recognize it.

So we can analyze the file with oledump.py, and it contains macros. It also contains word/vbaProject.bin, so it is a .docm file. We can select stream 3 here, which contains macros, and dump the macros like this. We have this here; we will see that later. So here we have AutoOpen, so this will execute automatically. In the loop here, it is going to search the built-in document properties for a property that is called Comments. If it finds that, it will extract the value and base64 decode it. Then, depending on Mac or Windows, it will launch the function ExecuteForOSX or ExecuteForWindows. This declaration of system here is necessary for ExecuteForOSX. ExecuteForWindows will just write the decoded content to disk in a temporary file with extension .exe and then execute that file. For OSX it will just do a system() call, pipe the code to Python and execute that. So on Windows the payload is an executable that is written to a temporary file on disk and then executed, and on OSX the payload is Python code that is executed. And this here is the base64 decode function.

Now, to look at the Comments property, we have to look into the file itself. This is a .docm file, which is actually a zip container, and with zipdump.py we can look into the content. Here we have our vbaProject.bin file, and here docProps/core.xml: this is an XML file that contains the properties. So with zipdump.py I can select that file, 13, and dump it. And as you can see, the description here indeed contains a base64 encoded payload.
And here, at the start, TVq (uppercase T and V, lowercase q) is an indication of MZ at the start of an executable. Now we can decode that with base64dump.py. I'm going to pipe this into base64dump.py and look for decoded sequences that are longer than 20 bytes, so that I eliminate all the smaller decodings. And here we have our decoded payload: indeed, it starts with MZ. It is an executable; I can select it and dump it, and then pipe it, for example, to pecheck.py to analyze PE files. And indeed it is a PE file with different sections and other information. Now this executable also contains strings, which we can dump with the strings.py command like this. If we scroll back a bit, here we have the URL that is used by Metasploit to make the connection, and here the User-Agent string that is used for this HTTP payload. Now this URL can actually be decoded. It contains a unique ID, a payload UID, and this is something for which I've written a small tool that can decode it. So I pipe this into my tool and I look for URL UIDs like this. It found this payload UID URL, which contains a payload UID and then information like the platform, Windows, the architecture, 32-bit, and then the timestamp when that payload was created. That's in UTC; that's when I created this payload.

I also have a YARA rule to detect this file. This is the YARA rule, and it just looks for this identifier. Since the Metasploit-generated Word document always uses the same macros, the ID is always the same, and we can use that to detect it. So with zipdump.py I provide the YARA rule and the document, and you can see here that the YARA rule triggers on the vbaProject.bin file.

Now I'm going to show you how you can use the Metasploit Framework to create this Word document, so that you can practice analysis by creating your own, and also how you can detect it, for example with the ClamAV antivirus. So we have to use the module.
Now it's in exploit, but it's actually not an exploit; it just uses macros. So, multi/fileformat/office_word_macro, like this. That's the module we are going to use. These are the options. You can change the file name and you can provide a custom template. So what this module will do is work with a .docx file and also with your payload, and then combine that with macros to make a .docm file. Since the macros never change, that's how we can easily detect it. It uses a standard .docx file, but if you want something else, for example with another message inside, you can provide a custom template. We are not going to do that here. We are just going to use a payload, and I'm going to use Meterpreter reverse HTTP, like this. This requires an LHOST, and I'm going to use the loopback adapter, and then I can just run exploit to create the file. You can see here from where it got the template .docx; this is the folder where it finds it. It injects the payload in base64 as a comment, then injects the macros, and then it creates the file, which is stored here. So the file has been created, and here I have the file. I can show you what happens when I scan this with ClamAV, like this. So the antivirus ClamAV detects the file here: Metasploit Office Word VBA. This is the detection, and that is a custom detection that I made. It's a simple detection: it is just the MD5 hash of the vbaProject.bin file, so the OLE file that is inside the zip file, the length, and then the signature name Metasploit Office Word VBA. So that is how you can analyze a file, create your own file for analysis, and how you can detect it.
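The following script is an added example, not Didier's code and not part of the video: it automates the analysis steps described above with only the Python standard library. It opens the .docm as a zip container, pulls the Comments property (stored as dc:description in docProps/core.xml), base64-decodes it the way the macro does, checks for the MZ header that shows up as "TVq" in the encoded text, and emits a ClamAV .hdb-style line (md5:size:name) for word/vbaProject.bin. The sample document it builds is constructed in memory so the script runs offline; its payload bytes, OLE filler and the signature name "Metasploit.Office.Word.VBA" are assumptions for the example, not data from a real Metasploit document.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed sample data (not a real Metasploit artifact): a fake PE image whose
# first bytes are the MZ header, and a fake vbaProject.bin starting with the OLE
# compound-file magic followed by filler.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 40
FAKE_VBA_PROJECT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"B" * 512

# docProps/core.xml as Word stores it: the Comments property is dc:description.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties '
    'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    "<dc:title></dc:title>"
    "<dc:description>%s</dc:description>"
    "</cp:coreProperties>" % base64.b64encode(FAKE_PE).decode("ascii")
).encode("utf-8")


def build_sample_docm() -> bytes:
    """Build a minimal .docm-like zip with the two parts the analysis looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/vbaProject.bin", FAKE_VBA_PROJECT)
    return buf.getvalue()


def encoded_comments(docm_bytes: bytes):
    """Return the raw (still base64) Comments property, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        xml = z.read("docProps/core.xml").decode("utf-8")
    m = re.search(r"<dc:description>(.*?)</dc:description>", xml, re.S)
    return m.group(1).strip() if m else None


def extract_comments_payload(docm_bytes: bytes):
    """Base64-decode the Comments property, as the macro's decode function does."""
    encoded = encoded_comments(docm_bytes)
    if encoded is None:
        return None
    # Non-alphabet characters (line breaks) are discarded by b64decode by default.
    return base64.b64decode(encoded)


def looks_like_encoded_pe(encoded: str) -> bool:
    """'MZ' always encodes to 'TV'; the third character depends on the third byte
    of the file. The usual MZ\\x90 header gives 'TVq', which is what the video
    points at in the core.xml dump."""
    return encoded.startswith("TV")


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def vbaproject_hdb_line(docm_bytes: bytes, signame="Metasploit.Office.Word.VBA") -> str:
    """ClamAV .hdb record for word/vbaProject.bin: md5:filesize:signature name.
    The signature name is an assumed value for this example."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        vba = z.read("word/vbaProject.bin")
    return "%s:%d:%s" % (hashlib.md5(vba).hexdigest(), len(vba), signame)


if __name__ == "__main__":
    doc = build_sample_docm()
    enc = encoded_comments(doc)
    print("encoded prefix:", enc[:8], "PE-like:", looks_like_encoded_pe(enc))
    payload = extract_comments_payload(doc)
    print("decoded starts with MZ:", is_pe(payload), "length:", len(payload))
    print("hdb line:", vbaproject_hdb_line(doc))
```

Point the helpers at a real file with `extract_comments_payload(open("msf.docm", "rb").read())` to reproduce the zipdump/base64dump steps; the hash-based .hdb record only detects documents with a byte-identical vbaProject.bin, which is exactly why the unchanging macros of this module make it workable, and why a custom template or edited macro would need the YARA approach instead.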