![]() There’s more than one way to analyze a macro, but my favorite method involves OLE Tools. Only one way to figure out what went wrong: look at the macro itself. Interestingly, the “Secure Cells” now displayed an error message: “ERROR 8415E1337: TIMEOUT OCCURED RETRIEVING DATA” (yes, “occurred” was spelled wrong). With the script running, it was the perfect time to poke around the workbook. What’s the worst that could happen? It’s not as if the macro was going to enumerate local system information or Active Directory data and ship it back to the red team within this workbook… right? A bunch of red text in cells exclaiming “ SECURE CELL: ENABLE MACROS TO RETRIEVE DATA”Įnable macros or not? that was the question… I really wanted that boat.Microsoft’s bright yellow notification: “ SECURITY WARNING Macros have been disabled”.There were no results, no new salary, no bonus information (I was going to buy a boat!), no nothing. The contents of the spreadsheet were immediately disappointing. How did the sender entice the user, you ask? They used a classic phishing lure in the subject line: “Annual Employee Evaluation Report.” I mean, how could you not open it and see how you did last year?! Even we were intrigued, so we popped open the attachment to see how the evaluation went. ![]() ![]() Just like any phishing campaign involving Microsoft Office files, the user had to be enticed into opening it. ![]() The attachment consisted of a Microsoft Excel workbook (.xlsm) that contained a Visual Basic (VBA) macro-I know… we shuddered as well. A customer involved in a penetration test reached out to us recently about a suspicious email message that one of their employees received. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |