Word Document Malware Analysis


MD5: CA15F9F45971EA442943084547761994

File: Microsoft word document

Word Document Screenshot:

File Properties:

I used OLEVBA.py to extract the VBA code but it was giving error. I used oledump.py tools to analyze the file.

Using oledum.py. I ran the below command to get the complete document streams.

>>oledump.py <filename>

You can see M at Number 18 and 19 which is the VBA macro as explained by the author of this python script Didier Stevens M denotes VBA macros.

So the next command I am running

>>oledump.py -s 18 <filename>

In below screenshot, it can be seen, the module Lev1daeyfvl calling S_gil0c35zh248.Mei497ecvshp on Document_Open()

After looking into more, I found S_gil0c35zh248.Mei497ecvshp which is being called on opening document is an user form. (refer below screenshot)

S_gil0c35zh248.Mei497ecvshp is user form

I opened word document, and navigate to VBA developer tool (Alt + F11). I saw the VBA code will execute on form execution.

Next I debug the code and analyse the behavior.

The PowerShell script is executed by the WMI process by executing VBA code on document open.

I have extracted the PowerShell script which is encoded in base64. by adding a code to copy PowerShell script in text file. Below is the code to extract the PowerShell script.

M2lujl629fpjn has PowerShell script
Encoded PowerShell Script base64

I have decoded the PowerShell script and got the code below.

To decode PowerShell script, I used below PowerShell script.

$path_to_b64_string_file= Get-Content -Path "C:\output\output.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($path_to_b64_string_file))
New-Item "C:\output\decoded_b64.txt"
Set-Content -Path "C:\output\decoded_b64.txt" $decoded_b64_string
Write-Host "Decoded Base64 successfully"
Decoded PowerShell script

I debugged the decoded PowerShell script, during the debugging, I found, it creates a folder at location and file it is going to write will be Ws1uczsw.exe

C:\Users\IEUser\AppData\Local\Temp\Word\2019\Ws1uczsw.exe

and there are multiple remote URL’s it tried to download the malicious file.

All URLs are active.

URLVT Score
http://rickthewelder%5B.%5Dcom/dtbkup20110205/i/8/79
http://stiecgps%5B.%5Dcom%5B.%5D br/cgi-bin/7/0/79
http://tfbauru%5B.%5D com[.] br/cgi-bin/Lhe/14/79
https://paulburkphotography%5B.%5D com/_new_images/F/9/79
http://theeldestgeek%5B.%5D com/error/F55/79
http://uniquewv%5B.%5D com/cgi-bin/OVJ9qY/12/79
http://tuls%5B.%5D pl/cgi-bin/7a99/79

When I executed the PowerShell script, it downloaded Ww1uczsw.exe

Downloaded file details:

MD5: A4513379DAD5233AFA402CC56A8B9222

File Type: Win32 Exe

PEid Packer: Microsoft Visual C++ v7.0

Family: Emotet Trojan

Summary:

  • Word document has VBA macros which executes on document open.
  • PowerShell is encoded in base64 and executes to download Emotet Trojan executable.
  • Multiple sources/URLs have been used in code to download the malware on the system.

Download Sample Link

References:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.