top of page
  • Writer's pictureJosh Stroschein

Identifying UserForms with Oledump and Olevba

Malware authors often find creative ways to obfuscate and store their data and malicious office documents are no exception. One such place is in UserForms. UserForms are simply a window or dialog box that make up an application's user interface. Office documents can include UserForms as part of a VBA project. On these forms, malware authors can then add different controls/components and use their properties to store data. In this article, we'll explore ways to identify user forms using oledump and olevba.


Interested in a FREE downloadable PDF quick reference for malicious documents? Get your copy here!
A yeti in front of a computer

Identifying UserForms with Oledump

Oledump is one of the go-to tools for analyzing malicious documents. Using oledump with only the file as an argument will provide a table of contents, showing the different streams and storages the document contains.

$ oledump.py userform.doc
oledump output
Default oledump output

In identifying UserForms, one indicator to look for are streams that end with an f and an o. In this example, that would be streams at index 17 and 18. The f stream contains information about UserForm components, such as TextBoxes or Labels. The O stream contains the component values. Although in my experience, some component values can be stored in stream f. One example is the use of the ControlToolTip property.


The name of the UserForm is also part of the stream information. In this document the UserForm name was called discord. To view form content you can dump the relevant streams.

$ oledump.py -s 17 userform.doc
Inspecting F stream
Using oledump to view userform components

This document contains at least one UserForm component called pineal. It also contains what appears to be obfuscated content starting at offset 0x6C. This indicates that the malware author's data is stored in a property such as ControlTipText. It won't always be obvious looking at the raw data. Investigating the macros for this form variable reveals the property used.

$ oledump.py -s a -v userform.doc | grep pineal
Grepping for component in macro code
Grepping for UserForm components in VBA code

Inspecting the o stream reveals no content.

Inspecting O stream
Viewing component values with oledump

Content stored in component properties such as value will be visible here.

Identifying UserForms with Olevba

Olevba simplifies the process of identifying UserForms to a degree. Without providing any additional arguments outside of the file to analyze, olevba will identify UserForms and any components by name. It will also attempt to extract component values, although you'll see with this document it misses the data.

$ olevba userform.doc
olevba output
Viewing UserForms and components with olevba

However, this is enough information to recognize the UserForm name and form components used, which may help with your analysis of the macro code.


Viewing UserForm Data in the Office IDE

The last, and possibly easiest, way to identify a UserForm and it's associated components is to use the Office IDE (or VBA Macro Editor). To do this, open Visual Basic under the Developer tab.


Microsoft Office Word ribbon
Opening the macro editor

This will bring up the project view. If the VBA project contains UserForms, you can find them under Forms in the project structure.


Finding UserForms in the VBA project
Finding UserForms in the VBA project

Expanding the Forms node provides the name of the UserForm. Double-clicking this value will open the form in the primary editor space.


Viewing the UserForm and it's associated components
Viewing the UserForm and it's associated components

Now, the UserForm can be explored to identify any associated components. Upon selecting a component, the Properties panel will populate. In this example, suspicious data can be identified in the ControlTipText property of the pineal ToggleButton component.

The sample file SHA256: 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d

293 views

Comentarios


Want to know when my latest content drops? Sign-up to receive email notications and access to other exclusive content!

bottom of page