Hello, welcome to the Monday, February 24, 2020 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

One of the threats that doesn't appear to go away are Microsoft Office macros.

They're used to install a variety of malware, lots of ransomware, of course.

Typically, these macros are written in Visual Basic for applications or short VBA. VBA, well,

there was something before that, and that was the Excel macros. Now, often people still call some of these VBA script macros, but

Excel macros actually in older language that sort of predated VBA. And as often IT old features

never really go away and modern versions of Excel are still able to execute these older macros.

So did he look at one of these macros and wrote a diary about how to analyze them?

They can also actually show up in the modern open office XML files,

not just in the older XLS files that use the OLE format. Files can also

contain older Excel macros as well as the more modern visual basic for applications

macros, which then of course gives attackers the possibility to evade various signatures.

And talking about evading signatures, we also have a diary by Dillier.

He's going over a simple but pretty efficient visual basic script obfuscation technique.

The script was only 50 lines long and essentially what it did, it is downloaded a Puddy

client from an AWS website.

And the DA is showing how this Visual Basic script was obfuscated, essentially by replacing

the sort of signature strings with some random strings that are then being replaced

as the script is executed.

Nothing fancy, really, but this particular malicious script is only detected by one among all

the virus total engines that are currently in place.

...