Document_Open() etc. and follow the execution flow a user would have experienced upon opening the document and “Enabling Content”.
Application.Shell or WMI methods to run command lines. The benefit of the latter is that it does not create the suspicious and rather easy-to-detect parent-child process relationship.
Start-BitsTransfer cmdlet being passed to the newly created object. This technique is unlikely to decrease in popularity in the coming years, as most cyber criminals are moving away from heavily logged PowerShell toward less transparent interfaces such as WMI or direct API calls.
CreateProcessA. We should reach the call to it after running the macro.
RDX register, which indeed seems to contain our payload (on x86 systems you’d find all the parameters on the stack).
NT AUTHORITY\SYSTEM) debugger to the WmiPrvSE.exe process, and dump parameters of the
R8 — lpCommandLine) parameter in the dump reveals a PowerShell payload which can be copied and further analyzed in CyberChef:
OFFICE_VBA entries. There will often be multiple events generated throughout the execution. Microsoft does not document this well, but experience shows that the bigger the contentsize of an event, the more complete it is.
VirtualAlloc is often substituted with
CreateThread can be replaced with, for example,
EnumResourceTypesW for the same results.
RtlMoveMemory API could get logged.