Abstract

Thursday 4 October 09:30 - 10:00, Red room
Giulia Biagini (Microsoft)

Macro malware made a comeback around mid-2014 and has been leveraged constantly since then to carry out malicious campaigns. On the one hand, social engineering is extremely effective at luring users into enabling macro execution; on the other, obfuscation lets attackers craft documents that are hard to detect generically and that easily evade static signatures.

This talk showcases the new AMSI support for Office, which allows macro activity to be logged and scanned. First, the VBA engine instruments the execution of the macro code, recording calls to Win32 APIs and COM methods in a simple textual log; second, AMSI is used to invoke the anti-virus and request a scan of that log whenever a dangerous API or COM method is about to be executed. The anti-virus response determines whether macro execution can continue or must be terminated safely before any damage is done.

The dynamic nature of this solution is designed to avoid the pitfalls of static scanning and to provide a powerful means of defeating code obfuscation completely: the instrumentation taps into the APIs and COM methods as they are invoked at run time, so it sees the names of the objects, functions and parameters involved in each call even when they never appear in the macro source because they are obfuscated.

In the final part of the presentation, I will explain how the instrumentation works and show examples of how complex, obfuscated macro malware produces neat, tidy logs that are well suited to writing generic signatures.
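The log-then-scan-before-execute flow described above, as an added, self-contained model (not Microsoft's code and not the real Office log format): a toy "runtime" records each call with its resolved arguments, asks a stand-in scanner before any call from an assumed trigger set runs, and stops the macro on a malicious verdict. The macro itself builds its strings from Chr() codes and a reversed literal, as obfuscated VBA commonly does, yet the log shows the plain ProgID and command line, which is what makes a generic signature possible. The trigger set, the `IWshShell3::Run` log wording and the signature are all assumptions for illustration.

```python
"""Toy model of AMSI-style VBA instrumentation (added example, not Microsoft code)."""
import re
from dataclasses import dataclass, field


class MacroTerminated(Exception):
    """Raised when the (simulated) anti-virus verdict stops the macro."""


# Assumed trigger set: reaching one of these calls forces a scan of the log so far.
# The real list is Microsoft's and is not given on this page.
TRIGGER_CALLS = {"CreateObject", "IWshShell3::Run", "Shell", "URLDownloadToFileA"}

# Constructed generic signature over the *log*, not the macro source: a WScript.Shell
# object is created and later used to launch PowerShell, however the strings were built.
GENERIC_SIG = re.compile(
    r"CreateObject\('WScript\.Shell'\)\n(?:.*\n)*?IWshShell3::Run\('powershell", re.I
)


def av_scan(log_text: str) -> bool:
    """Stand-in for the AMSI provider: True means 'malicious, terminate the macro'."""
    return GENERIC_SIG.search(log_text) is not None


@dataclass
class Runtime:
    """Models the VBA engine's instrumentation layer."""
    scanner: object
    log: list = field(default_factory=list)       # what the anti-virus gets to see
    executed: list = field(default_factory=list)  # calls that were actually allowed to run

    def call(self, name, *args):
        # 1. Record the call with its resolved (post-deobfuscation) arguments.
        entry = f"{name}({', '.join(repr(a) for a in args)})"
        self.log.append(entry)
        # 2. For a dangerous call, ask the scanner before letting it execute.
        if name in TRIGGER_CALLS and self.scanner("\n".join(self.log)):
            raise MacroTerminated(entry)
        # 3. Otherwise "execute" it (here: just note that it ran).
        self.executed.append(entry)
        return f"<{name} result>"


def obfuscated_macro(rt: Runtime):
    """Stands in for a VBA macro whose key strings never appear literally in the source."""
    prog_id = "".join(chr(c) for c in (87, 83, 99, 114, 105, 112, 116, 46, 83, 104, 101, 108, 108))
    cmd = "llehsrewop"[::-1] + " -w hidden -enc SQBFAFgA"   # constructed sample payload
    rt.call("CreateObject", prog_id)           # logged as CreateObject('WScript.Shell')
    rt.call("IWshShell3::Run", cmd, 0, False)  # scan fires here; never executes
    rt.call("MsgBox", "done")                  # unreachable once terminated


def benign_macro(rt: Runtime):
    """A harmless macro: the scan still runs on CreateObject but finds nothing."""
    rt.call("CreateObject", "Scripting.Dictionary")
    rt.call("Range", "A1")
    rt.call("MsgBox", "report built")


def run_macro(macro, scanner=av_scan):
    """Run a macro under instrumentation; return (log, executed calls, verdict)."""
    rt = Runtime(scanner)
    try:
        macro(rt)
        verdict = "completed"
    except MacroTerminated as stop:
        verdict = f"terminated before {stop}"
    return rt.log, rt.executed, verdict


if __name__ == "__main__":
    for macro in (obfuscated_macro, benign_macro):
        log, executed, verdict = run_macro(macro)
        print(f"== {macro.__name__}: {verdict}")
        print("\n".join(log))
```

The point to notice is that the signature matches on `CreateObject('WScript.Shell')` and `IWshShell3::Run('powershell ...')` even though neither string exists in the macro body, and that the `Run` call is logged but never reaches `executed`; a static scanner working on the source would have had only a list of character codes and a reversed word to go on.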