Tools Used

  1. oledump
  2. olevba
  3. vmonkey (ViperMonkey)
  4. LibreOffice
  5. CyberChef
  6. sha256sum

1. Multiple streams contain macros in this document. Provide the number of the highest one.

We can use oledump to dump all the streams:

$ oledump.py sample.bin
1:       114 '\x01CompObj'
2:      4096 '\x05DocumentSummaryInformation'
3:      4096 '\x05SummaryInformation'
4:      7119 '1Table'
5:    101483 'Data'
6:       581 'Macros/PROJECT'
7:       119 'Macros/PROJECTwm'
8:     12997 'Macros/VBA/_VBA_PROJECT'
9:      2112 'Macros/VBA/__SRP_0'
10:       190 'Macros/VBA/__SRP_1'
11:       532 'Macros/VBA/__SRP_2'
12:       156 'Macros/VBA/__SRP_3'
13: M    1367 'Macros/VBA/diakzouxchouz'
14:       908 'Macros/VBA/dir'
15: M    5705 'Macros/VBA/govwiahtoozfaid'
16: m    1187 'Macros/VBA/roubhaol'
17:        97 'Macros/roubhaol/\x01CompObj'
18:       292 'Macros/roubhaol/\x03VBFrame'
19:       510 'Macros/roubhaol/f'
20:       112 'Macros/roubhaol/i05/\x01CompObj'
21:        44 'Macros/roubhaol/i05/f'
22:         0 'Macros/roubhaol/i05/o'
23:       112 'Macros/roubhaol/i07/\x01CompObj'
24:        44 'Macros/roubhaol/i07/f'
25:         0 'Macros/roubhaol/i07/o'
26:       115 'Macros/roubhaol/i09/\x01CompObj'
27:       176 'Macros/roubhaol/i09/f'
28:       110 'Macros/roubhaol/i09/i11/\x01CompObj'
29:        40 'Macros/roubhaol/i09/i11/f'
30:         0 'Macros/roubhaol/i09/i11/o'
31:       110 'Macros/roubhaol/i09/i12/\x01CompObj'
32:        40 'Macros/roubhaol/i09/i12/f'
33:         0 'Macros/roubhaol/i09/i12/o'
34:     15164 'Macros/roubhaol/i09/o'
35:        48 'Macros/roubhaol/i09/x'
36:       444 'Macros/roubhaol/o'
37:      4096 'WordDocument'

The highest-numbered stream containing a VBA macro is 16. oledump marks macro streams with an M; the lowercase m on stream 16 means that module holds only Attribute lines and no actual code, but it still counts as a macro stream, while the executable code lives in streams 13 and 15.

2. What event is used to begin the execution of the macros?

olevba is a good tool for getting more information about macros. I've cropped the output.

$ olevba sample.bin

[..]
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
[..]

Alternatively, we can open the malicious document and view (edit) the macro. I did so using LibreOffice Writer.

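Both oledump and olevba have to undo the MS-OVBA compression of a module stream before they can see the `Document_open` text that the AutoExec table above reports. The following is an added example (not code from the writeup or from either tool) that implements that decompression step and then scans the recovered source for a short list of well-known auto-execute procedure names; the compressed bytes in `SAMPLE` are constructed by hand, not taken from sample.bin.

```python
import re
import struct

# Auto-execute procedure names (a small, well-known subset of what olevba checks).
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                  "Document_Open", "Document_Close", "Workbook_Open")


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container (the format of VBA module
    streams such as Macros/VBA/<module>) into the module's source text."""
    if not data or data[0] != 0x01:
        raise ValueError("bad container signature")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header, = struct.unpack_from("<H", data, pos)
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos += 2
        if not header & 0x8000:            # flag bit 0: 4096 raw bytes follow
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]              # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1: # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                # copy token: the offset/length split depends on how many
                # bytes of this chunk have already been decoded
                token, = struct.unpack_from("<H", data, pos)
                pos += 2
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                if src < chunk_start:
                    raise ValueError("copy token points before chunk start")
                for i in range(length):    # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def find_autoexec(source: bytes) -> list:
    """Return the auto-execute procedure names declared in VBA source."""
    text = source.decode("latin-1")
    return [n for n in AUTOEXEC_NAMES
            if re.search(r"\bSub\s+" + re.escape(n) + r"\s*\(", text, re.I)]


# Constructed sample: one compressed chunk encoding "Sub Document_Open()\r\nEnd Sub\r\n"
# (25 literal bytes, one copy token re-using "Sub", then two literals).
SAMPLE = (b"\x01\x20\xb0"
          b"\x00Sub Docu" b"\x00ment_Ope" b"\x00n()\r\nEnd"
          b"\x02 \x00\xc0\r\n")
```

Running `find_autoexec(decompress_vba(SAMPLE))` on the constructed chunk reports `Document_Open`, which is the same trigger olevba flags for this document.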

3. What malware family was this maldoc attempting to drop?

One easy way is to compare the file hash against online databases such as URLhaus. Otherwise I'd have to reverse-engineer the script, decipher the functionality, and cross-reference that with known malware.

$ sha256sum sample.bin
d50d98dcc8b7043cb5c38c3de36a2ad62b293704e3cf23b0cd7450174df53fee  sample.bin