malware.pizza - Yet Another Security Blog


It’s been a few weeks since my last discussion [1] of Excel 4.0 macro shenanigans and the space continues to change. LastLine published a great report [2] which summarized the progression of weaponized macros from February through May. The good folks at InQuest have continued [3] identifying [4] malicious [5] macro documents [6]. @DissectMalware’s excellent XLMMacroDeobfuscator [7] has massively expanded its range of macro emulation, and FortyNorth Security released EXCELntDonut [8], a tool for converting Donut [9] shellc

Over the past few weeks I’ve also started seeing some of the files generated by my tool Macrome [10] begin to trigger detections on VirusTotal [11]. This is exactly the sort of thing I want to see – besides the fact that it implies that AV is getting better signal on this attack vector, it also provides an opportunity to improve my tool and take better guesses about what direction attackers will pivot in the future. I’m a big believer in @Mattifestation’s approach to detection engineering [12] and detection f

After realizing that some of my samples were being detected, I took several documents that had been generated during testing and submitted each of them to VirusTotal – only the larger documents appeared to be matching virus signatures. I did a quick binary search of the document sizes between what was detected on VirusTotal and what wasn’t and discovered that if a document had greater than 100 CHAR invocations, then it was considered malicious.
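The count-based heuristic described above (more than 100 CHAR invocations in a document's macro formulas) is easy to reproduce as a standalone check. The following is an added example, not code from this blog or from Macrome: it takes the formula text of an Excel 4.0 macro sheet as a plain list of strings (the extraction step, e.g. with a tool like XLMMacroDeobfuscator, is assumed to have happened already) and flags the sheet when the CHAR() count exceeds the threshold. The threshold, the sample sheets and the `CHAR_THRESHOLD` / `classify_sheet` names are all constructed for illustration.

```python
import re
from typing import Iterable

# Matches one Excel 4.0 CHAR() invocation inside a formula cell,
# e.g. =CHAR(72)&CHAR(101). Case-insensitive because XLM formulas are.
CHAR_CALL = re.compile(r"\bCHAR\s*\(", re.IGNORECASE)

# Assumed cut-off mirroring the ">100 CHAR invocations" observation above.
CHAR_THRESHOLD = 100


def count_char_calls(formulas: Iterable[str]) -> int:
    """Count CHAR( invocations across every formula cell of a macro sheet."""
    return sum(len(CHAR_CALL.findall(f)) for f in formulas)


def classify_sheet(formulas: Iterable[str], threshold: int = CHAR_THRESHOLD) -> dict:
    """Return the CHAR count and whether it exceeds the threshold (strictly greater)."""
    formulas = list(formulas)
    n = count_char_calls(formulas)
    return {
        "char_calls": n,
        "cells": len(formulas),
        "flagged": n > threshold,
    }


# Constructed sample sheets (not taken from any real document).
# A benign sheet uses CHAR once or twice alongside ordinary formulas.
BENIGN_SHEET = ['=SUM(A1:A10)', '=CHAR(65)&"bc"', '=NOW()']

# An obfuscated sheet chains many CHAR() calls to build strings cell by cell:
# 60 + 45 = 105 invocations, which crosses the assumed threshold.
OBFUSCATED_SHEET = [
    "=" + "&".join(["CHAR(65)"] * 60),
    "=" + "&".join(["char(66)"] * 45),
    "=HALT()",
]

if __name__ == "__main__":
    for name, sheet in (("benign", BENIGN_SHEET), ("obfuscated", OBFUSCATED_SHEET)):
        print(name, classify_sheet(sheet))
```

Because the decision is a strict "greater than", a sheet with exactly 100 invocations is not flagged, which is the kind of boundary worth pinning down in a test when turning an observation like this into a production rule.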