
On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step.

When the Word file is opened, it notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed.

Figure 1. Asks victim to enable Macro security option

Once the malicious VBA code is executed, the AutoOpen() function is automatically called. The first thing it does is read the data from the “Comments” property of the Word file.

Figure 2.

The value of “Comments” is base64 encoded, which can be read out and decoded by the VBA code below:

After it’s base64-decoded, we can capture the code in plaintext, which is a Python script, as shown below.

Next, it takes a different route depending on the OS type, Apple Mac OS X or Microsoft Windows, that it is running on. You can see this in the flow chart in Figure 3.

Figure 3. Calling different route according to OS type

We have found that this malicious VBA code uses slightly modified code taken from the Metasploit framework, which you can find at hxxps:///rapid7/metasploit-framework/blob/master/external/source/exploits/office_word_macro/macro.vba

How it Works for Apple Mac OS X

As you probably know, Mac OS X comes with Python pre-installed by Apple. This allows it to execute Python scripts by default.
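A triage check for the behaviour described above, where the macro pulls a base64-encoded script out of the “Comments” property. This is an added example, not code from the sample or from FortiGuard Labs. It assumes an OOXML container (`.docm`/`.docx`), where Comments is stored as `dc:description` in `docProps/core.xml`; the function names, marker list and sample documents are constructed for illustration.

```python
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

DC_DESCRIPTION = "{http://purl.org/dc/elements/1.1/}description"
B64_RUN = re.compile(r"^[A-Za-z0-9+/\s]{40,}={0,2}\s*$")
SCRIPT_MARKERS = ("import ", "exec(", "eval(", "urllib", "socket", "powershell")

def read_comments(doc_bytes):
    """Return the Comments property (dc:description) of an OOXML file, or ''."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find(DC_DESCRIPTION)
    return (node.text or "") if node is not None else ""

def triage_comments(doc_bytes):
    """Flag a Comments value that is one base64 run decoding to script-like text."""
    comments = read_comments(doc_bytes).strip()
    result = {"length": len(comments), "is_base64": False, "markers": []}
    if not B64_RUN.match(comments):
        return result
    try:
        decoded = base64.b64decode("".join(comments.split()), validate=True)
    except (binascii.Error, ValueError):
        return result
    result["is_base64"] = True
    text = decoded.decode("utf-8", errors="replace").lower()
    result["markers"] = [m for m in SCRIPT_MARKERS if m in text]
    return result

def build_sample(comments):
    """Constructed in-memory OOXML container holding only docProps/core.xml."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f"<dc:description>{comments}</dc:description></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed, harmless stand-in for an encoded script in the Comments field.
ENCODED = base64.b64encode(b"import sys\nprint('constructed sample only')\n").decode()
SUSPECT = build_sample(ENCODED)
BENIGN = build_sample("Quarterly report draft, reviewed by finance.")

if __name__ == "__main__":
    print(triage_comments(SUSPECT), triage_comments(BENIGN))
```

Legacy OLE `.doc` files keep the same property in the SummaryInformation stream, which this check does not parse.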
