File: Microsoft word document
Word Document Screenshot:
I used OLEVBA.py to extract the VBA code but it was giving error. I used oledump.py tools to analyze the file.
Using oledum.py. I ran the below command to get the complete document streams.
You can see M at Number 18 and 19 which is the VBA macro as explained by the author of this python script Didier Stevens M denotes VBA macros.
So the next command I am running
>>oledump.py -s 18 <filename>
In below screenshot, it can be seen, the module Lev1daeyfvl calling S_gil0c35zh248.Mei497ecvshp on Document_Open()
After looking into more, I found S_gil0c35zh248.Mei497ecvshp which is being called on opening document is an user form. (refer below screenshot)
I opened word document, and navigate to VBA developer tool (Alt + F11). I saw the VBA code will execute on form execution.
Next I debug the code and analyse the behavior.
The PowerShell script is executed by the WMI process by executing VBA code on document open.
I have extracted the PowerShell script which is encoded in base64. by adding a code to copy PowerShell script in text file. Below is the code to extract the PowerShell script.
I have decoded the PowerShell script and got the code below.
To decode PowerShell script, I used below PowerShell script.
$path_to_b64_string_file= Get-Content -Path "C:\output\output.txt" [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($path_to_b64_string_file)) New-Item "C:\output\decoded_b64.txt" Set-Content -Path "C:\output\decoded_b64.txt" $decoded_b64_string Write-Host "Decoded Base64 successfully"
I debugged the decoded PowerShell script, during the debugging, I found, it creates a folder at location and file it is going to write will be Ws1uczsw.exe
and there are multiple remote URL’s it tried to download the malicious file.
All URLs are active.
|http://tfbauru%5B.%5D com[.] br/cgi-bin/Lhe/||14/79|
When I executed the PowerShell script, it downloaded Ww1uczsw.exe
Downloaded file details:
File Type: Win32 Exe
PEid Packer: Microsoft Visual C++ v7.0
Family: Emotet Trojan
- Word document has VBA macros which executes on document open.
- PowerShell is encoded in base64 and executes to download Emotet Trojan executable.
- Multiple sources/URLs have been used in code to download the malware on the system.