> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-5/malware-analysis/forensics-malware-analysis-macro-analysis.md).

# Macro Analysis

## Maldoc Payload Extraction & Decoding

Inspect the macro code (often VBA) embedded within the malicious document. Malicious VBScripts and VBA macros often use obfuscation techniques to hide their true purpose and evade detection. One common technique is to split strings into multiple parts and concatenate them at runtime. This technique makes it harder for static analysis tools to identify malicious strings and helps evade signature-based detection.

Look for strings that appear to be encoded (e.g., Base64). These strings are often broken across multiple lines or interspersed with other code as an obfuscation technique. Manually extract *only* the fragments of the encoded string. Concatenate these fragments into a single, complete string.

In VBA, string concatenation is the process of joining two or more strings together to form a single string. This is typically achieved using the ampersand (&) operator, which is the most commonly used method for string concatenation in VBA.

Here is a simple example of string concatenation in VBA using the `&` operator:

```vb
Dim str1 As String
Dim str2 As String
Dim str3 As String
str1 = "Geeks"
str2 = "for"
str3 = "Geeks"
Result = str1 & str2 & str3
MsgBox Result
```

Another common way to combine strings in VBA is also using the ampersand operator:

```vb
myString = "Hello " & "World"
```

Once the fragments are manually extracted and concatenated using methods like the `&` operator, the resulting complete encoded string can be decoded.

Finally, use a decoding tool like Cyberchef (typically with the "Base64 Decode" recipe) to reveal the original payload or hidden data. CyberChef, often referred to as the 'Swiss Army Knife' for data decoding, is a web-based tool for analyzing and decoding data. The 'From Base64' operation decodes a Base64 encoded string and is particularly useful for decoding Base64 encoded payloads found in malicious scripts.
