Uhhhhh…what just happened? – Basic Macro Malware Analysis for I.T. Pros.

Have you ever had something bad happen to you that was so quick, so unexpected, and so shocking that it left you asking “Uhhhh…what just happened?” I’ve actually experienced this on many occasions (and I’ve noticed an uptick since I got married). For example, I once made the “helpful” suggestion to my wife that it was possible she was being overly dramatic about something I did as it was getting close to her “rainy days”. I thought I was being helpful but she…well…she disagreed. It was definitely one of those “what just happened?” moments (after I regained consciousness that is). In hindsight, me quoting the priest from the movie “The Exorcist” (“The power of Christ compels you!”) was probably not one of my better ideas.

Anyway, this situation happened to some friends of mine the other day. They had one of their staff members open a malicious Microsoft Word document containing a macro. The user had reportedly clicked “enable macros” and nothing happened…or did it? This was the question they wanted my help answering. It’s unsettling when you know something bad likely just happened but you have no idea what.

I made this video to help I.T. professionals (not necessarily cybersecurity professionals) get a basic idea of how to analyze these types of malicious files to help them determine what type of remediation steps should be taken. I didn’t use any third-party tools, just a Windows virtual machine, Microsoft Office, and a web browser.

It’s about 20 minutes or so and I hope someone finds it helpful!