Malware authors often find creative ways to obfuscate and store their data, and malicious Office documents are no exception. One such place is in UserForms. A UserForm is simply a window or dialog box that forms part of an application's user interface. Office documents can include UserForms as part of a VBA project. On these forms, malware authors can add different controls (components) and use their properties to store data. In this article, we'll explore ways to identify UserForms using oledump and olevba.
Identifying UserForms with Oledump
Oledump is one of the go-to tools for analyzing malicious documents. Using oledump with only the file as an argument will provide a table of contents, showing the different streams and storages the document contains.
$ oledump.py userform.doc
When identifying UserForms, one indicator to look for is a pair of streams whose names end in f and o. In this example, those are the streams at index 17 and 18. The f stream contains information about the UserForm's components, such as TextBoxes or Labels. The o stream contains the component values, although in my experience some component values can also be stored in the f stream. One example is the use of the ControlTipText property.
The name of the UserForm is also part of the stream information; in this document the UserForm is called discord. To view the form's content, you can dump the relevant streams.
$ oledump.py -s 17 userform.doc
This document contains at least one UserForm component, called pineal. It also contains what appears to be obfuscated content starting at offset 0x6C, which indicates that the malware author's data is stored in a property such as ControlTipText. This won't always be obvious from the raw data; investigating the macros for this form variable reveals the property used.
$ oledump.py -s a -v userform.doc | grep pineal
Inspecting the o stream reveals no content.
$ oledump.py -s 18 userform.doc
Content stored in component properties such as Value will be visible here.
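As an added example (not code from the article or from the oledump/olevba projects), the following Python helper applies the f/o-stream rule above to a stream listing and pulls printable ASCII and UTF-16LE strings out of each form's f and o streams, so a property value such as ControlTipText is surfaced whichever way it is encoded. The stream paths and f-stream bytes are constructed sample data; against a real document the listing and reader would come from olefile (ole.listdir(streams=True) and ole.openstream(path).read()).

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stream listing modelled on an oledump table of contents.
# The form name "discord" is from the article; the paths are assumed.
SAMPLE_STREAMS = [
    "Macros/VBA/_VBA_PROJECT",
    "Macros/discord/\x01CompObj",
    "Macros/discord/f",
    "Macros/discord/o",
    "WordDocument",
]

# Constructed f-stream bytes: an ASCII control name ("pineal", from the
# article) followed by a UTF-16LE string standing in for obfuscated data.
SAMPLE_F_STREAM = (
    b"\x00\x40\x00\x00" + b"pineal" + b"\x00" * 6
    + "aGVsbG8gd29ybGQ=".encode("utf-16-le") + b"\x00\x00"
)

def find_userforms(stream_paths: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Keep storages that hold both an 'f' (control definitions) and an 'o'
    (control values) stream; the storage name is the UserForm name."""
    forms: Dict[str, Dict[str, str]] = {}
    for path in stream_paths:
        parent, _, leaf = path.rpartition("/")
        if leaf in ("f", "o") and parent:
            forms.setdefault(parent.rsplit("/", 1)[-1], {})[leaf] = path
    return {n: s for n, s in forms.items() if "f" in s and "o" in s}

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for printable ASCII and UTF-16LE runs, so a
    property such as ControlTipText is found whichever way it is stored."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)

def triage(stream_paths: Iterable[str], read_stream: Callable[[str], bytes]):
    """Map each UserForm to the strings (with offsets) in its f and o streams.
    With olefile: read_stream = lambda p: ole.openstream(p).read()."""
    return {name: {leaf: extract_strings(read_stream(path))
                   for leaf, path in streams.items()}
            for name, streams in find_userforms(stream_paths).items()}

if __name__ == "__main__":
    sample = {"Macros/discord/f": SAMPLE_F_STREAM, "Macros/discord/o": b""}
    print(triage(SAMPLE_STREAMS, sample.__getitem__))
```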
Identifying UserForms with Olevba
Olevba simplifies the process of identifying UserForms to a degree. Without any arguments beyond the file to analyze, olevba will identify UserForms and their components by name. It will also attempt to extract component values, although, as you'll see with this document, it misses the data.
$ olevba userform.doc
However, this is enough information to recognize the UserForm name and form components used, which may help with your analysis of the macro code.
Viewing UserForm Data in the Office IDE
The last, and possibly easiest, way to identify a UserForm and its associated components is to use the Office IDE (or VBA Macro Editor). To do this, open Visual Basic under the Developer tab.
This will bring up the project view. If the VBA project contains UserForms, you can find them under Forms in the project structure.
Expanding the Forms node provides the name of the UserForm. Double-clicking this value will open the form in the primary editor space.
Now, the UserForm can be explored to identify any associated components. Upon selecting a component, the Properties panel will populate. In this example, suspicious data can be identified in the ControlTipText property of the pineal ToggleButton component.
The sample file SHA256: 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d