MS Excel Malware Analysis

August 13, 2021August 13, 2021 Anurag GawandeLeave a comment

MD5: bcdadfdc16bcf022384c4631849e1396

File Type: Microsoft Excel

File Extension: .xlsm

File Name: BillINV-01364_CLIENT_Schedule.xlsm

File Preview:

I am analyzing excel file using OleTools to detect suspicious code and IOCs.

> oleid <FileName>

Oleid will help to know whether file has any embedded OLE/Flash objects,VBA macros

Its clear from the above output of oelid, it has suspicious VBA macro. Now, I am going to get the suspecious keywords using MacroRaptor.

> mraptor <FileName>

MacroRaptor gives information based on keywords, such as read, write, execute.

Command flagged the keywords used in file are AutoExec, Write and Execute which could be, on opening document, it will write files to the system and execute them.

Next, OleVBA which will detects obfuscated strings used, extract IP address, executable file name,

> OleVBA -a <FileName>

I was trying to open the excel file to check the VBA code execution in VBA developer tool by dubugging the code, but opening the excel file, it was getting closed immediately due the Application.Quite call. So, first I have disabled the macro and opened Developer tools and commented out the code and save the file and again enabled macro back. This way opening excel file, it wasn’t closing immediately.

During debugging of macro, I found that it loads the VBscript GetObject to download the exe from the remote server (https:// ntro[.] fr /officeclick.png).

procmon captured the mSHta.exe Process starts via shell which executes the command shown in below image.

The URL which is getting accessed, no more responding. To dig in more, I extracted the excel file and look for the text file which reference I got from OLEVBA

The text file dvdsvhufhuierhiu.txt I looked for .exe refence and I found it too. This file has base64 string which is PowerShell script and downloads executable jieifhzo11.exe file and copy it to location

C:\Users\<profile>\AppData\Local\

_{Base64 string from dvdsvhufhuierhiu.txt file}

After deobfuscation of above string, I can see the below PowerShell command.

_{Obfuscated PowerShell script of above base64 string}

Summery:

Macro execute on document open
mSHta.exe executes command via shell.
It reads obfuscated string from dvdsvhufhuierhiu.txt which is PowerShell script which downloads jieifhzo11.exe
It downloads it from URL https:// ntro[.] fr /officeclick.png.
The URL is no more accessible so unable to download the malicious executable file.

Sample Download:

Any.run

Word Document Malware Analysis

September 7, 2020 Anurag GawandeLeave a comment

MD5: CA15F9F45971EA442943084547761994

File: Microsoft word document

Word Document Screenshot:

File Properties:

I used OLEVBA.py to extract the VBA code but it was giving error. I used oledump.py tools to analyze the file.

Using oledum.py. I ran the below command to get the complete document streams.

>>oledump.py <filename>

You can see M at Number 18 and 19 which is the VBA macro as explained by the author of this python script Didier Stevens M denotes VBA macros.

So the next command I am running

>>oledump.py -s 18 <filename>

In below screenshot, it can be seen, the module Lev1daeyfvl calling S_gil0c35zh248.Mei497ecvshp on Document_Open()

After looking into more, I found S_gil0c35zh248.Mei497ecvshp which is being called on opening document is an user form. (refer below screenshot)

_{S_gil0c35zh248.Mei497ecvshp is user form}

I opened word document, and navigate to VBA developer tool (Alt + F11). I saw the VBA code will execute on form execution.

Next I debug the code and analyse the behavior.

The PowerShell script is executed by the WMI process by executing VBA code on document open.

I have extracted the PowerShell script which is encoded in base64. by adding a code to copy PowerShell script in text file. Below is the code to extract the PowerShell script.

I have decoded the PowerShell script and got the code below.

To decode PowerShell script, I used below PowerShell script.

$path_to_b64_string_file= Get-Content -Path "C:\output\output.txt"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($path_to_b64_string_file))
New-Item "C:\output\decoded_b64.txt"
Set-Content -Path "C:\output\decoded_b64.txt" $decoded_b64_string
Write-Host "Decoded Base64 successfully"

I debugged the decoded PowerShell script, during the debugging, I found, it creates a folder at location and file it is going to write will be Ws1uczsw.exe

C:\Users\IEUser\AppData\Local\Temp\Word\2019\Ws1uczsw.exe

and there are multiple remote URL’s it tried to download the malicious file.

All URLs are active.

URL	VT Score
http://rickthewelder%5B.%5Dcom/dtbkup20110205/i/	8/79
http://stiecgps%5B.%5Dcom%5B.%5D br/cgi-bin/7/	0/79
http://tfbauru%5B.%5D com[.] br/cgi-bin/Lhe/	14/79
https://paulburkphotography%5B.%5D com/_new_images/F/	9/79
http://theeldestgeek%5B.%5D com/error/F5	5/79
http://uniquewv%5B.%5D com/cgi-bin/OVJ9qY/	12/79
http://tuls%5B.%5D pl/cgi-bin/7a9	9/79

When I executed the PowerShell script, it downloaded Ww1uczsw.exe

Downloaded file details:

MD5: A4513379DAD5233AFA402CC56A8B9222

File Type: Win32 Exe

PEid Packer: Microsoft Visual C++ v7.0

Family: Emotet Trojan

Summary:

Word document has VBA macros which executes on document open.
PowerShell is encoded in base64 and executes to download Emotet Trojan executable.
Multiple sources/URLs have been used in code to download the malware on the system.

Download Sample Link

References:

Didier Stevens Tools and blogs
oledump.py

Crimson RAT Malware Analysis

July 24, 2020February 8, 2025 Anurag Gawande1 Comment

Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.

MD5: f940e886a40783deb4e97fe6d842da7a

File Type: MS Excel Spreadsheet

VT Score: 35/62

I am using OLETools to get the property of excel file.

Next OLETool command I am running is to get the OLE details.

Suspicious Indicators:

VBA code will auto execute on opening excel workbook.
Create directory on the system.
Write a file on the system.
Execute shell command.
hex string used for obfuscation.

Now, I am extracting VBA from excel file and dumping it to txt file. For that command I am running is

cmd> olevba.py --deofb <filename> > Path\output.exe

From the VBA code, I can see the subroutine creates a folder and drop executable file at location C:\ProgramData\Rlmdias\Rlmdias.exe

I opened excel and navigate to VBAProject by clicking Alt+F11. Porject was password protect. I removed password using GitHub code and check out my previous blog how it can be done. Post password removal, I can see there is a userForm1 which has two text box and has a hex values which are PE files will dropped depends on the OS version of the victim 32bit or 64bit

I debugged the VBA code and it dropped a zip file at location “C:\ProgramData\Rlmdias\drngervia.zip” and unzip it using function unSadozip

Dropped zip file has drngervia.exe file. and Shell command execute the executable file

when Shell executed, it opens Windows features and ask to download and Install .Net Framework 3.5

Due to dependency on .net framework, I have installed above Windows feature.

Dropped File:

MD5: 10F955EF9F398E91CA9AE4F34CECD873

File Type: Win32 EXE

File Name: drngervia.exe

Signature: Microsoft Visual C# v7.0 / Basic .NET

Family: Crimson also knows as SEEDOOR and Scarimson

Type: Trojan

VT Score: 47/72

I have used dnSpy to debug the PE file. Looking at the code, it creates persistence creating a registry entry.

It gets the list of running process on the system

It looks for antivirus software running on the system.

It searches for the antivirus software from the below list.

Bit Defender
Quick Heal
Microsoft Essentials
F-Secure
Kaspersky
Avira
Symantec
MacAfee
AVG
Avast

Capabilities of this RAT observed from code:

Get the running process on the system.
Get the drives, directories and files on the system.
Get the host name, User id.
Capture screenshots.
Get the data from C2 server.
Using custom ports to connect to C2 server.

On execution, drngervia.exe try to establish connection with C2 server which IP and ports are hard coded in the code. IP address is in the form decimal values. C2 server didnt respond.

IP Address	Ports
107.175.64.[251]	6286, 4486, 8249, 11447, 16865

I have also found the hard coded IP address, username. Malware never hit to this ip [124.115.201. 118]

Behavior:

Excel file dropped PE file.
PE has dependency on .net framework 2.0.
PE file tried to connect to C2 server but C2 server didn’t respond.

Execution flow:

Download Sample: f940e886a40783deb4e97fe6d842da7a

References:

Any.Run

Word Macro Drops IcedID Trojan – Malware Analysis

July 12, 2020 Anurag Gawande1 Comment

HASH

MD5: 4A88E83B325AA23DA1E4BFA90B4F7C34

File type: Office Open XML Document

VT Score: 45/62

While I was going through Any.run report tracker, I came across this word document, I downloaded it for analysis.

OleTools:

I used OLETools to analyse the document macros.

Olevba.py -a <file name>

Indicators:

Auto execute on opening document.
May write a file to the system.
Base64 obfuscated strings.

I deobfuscated the file using olevba.py

Olevba.py --deobf <file name>

Indicator of Compromise:

PFSDNKDF.exe executable file name.

Above code shows the PE file PFSDNKDF.exe will be dropped at location C:\1\Whole\

Next I started debugging macro in VBA development tool. VBA development tool can be opened by pressing Alt + F11 keys that will bring it up.

I can see the variable hextostr has stored a hex code that will be converted into PE file.

Then it creates a process and execute PFSDNKDF.exe file.

After that it closes the document or will prompt to save the changes if any changes has done to document.

_{Process monitor captured when exe is written to localtion C:\1\Whole path}

Dropped File:

MD5: 4C9C6B5B6DAA25B8DC274DD78FBC1AAA

File Name: psisdecd.dll

File Type: Win32 EXE

Signature: Microsoft Visual C++ 8

Family: IcedID

VT score: 56/72

IcedID is a banking Trojan type malware that allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver other viruses or download additional modules.

Using wireshak, I have seen this executable created network connection to below IPs and DNS resolved to:

SN	IP
1	40.90.189.152
2	125.252.219.233
3	104.84.156.5
4	104.116.46.155
5	104.244.42.131
6	184.29.89.6
7	23.50.81.26
8	104.116.25.27
9	184.29.89.6
10	23.54.56.6
11	104.244.42.42
12	104.244.42.195

IP address contacted and sent and received data by malicious executable.

SN	DNS	Link
1	connuwedro.xyz	VT Score

Urls contacted by malicious executable.

Summary:

Word document drops executable PFSDNKDF.exe on opening document.
The dropped file is IceID trojan.

Download sample: Any.Run

njRAT Malware Analysis

June 21, 2020February 8, 2025 Anurag Gawande7 Comments

HASH MD5: 88e085572a182ca102676676ec0ef802

File Type: Win32 executable

Signature: Microsoft Visual C# v7.0 / Basic .NET

Link to Download Sample: Any.Run

Type: Remote Access Trojan

njRAT is a remote access Trojan. It is one of the most widely accessible

RATs. I came across this while going through

Any.Run trends and thought to download sample for analysis.

I have disassembled executable file using dnSpy.

It makes easy to analyse the code. Stub shows entry point where I can

put breakpoint to start the debugging to analyse the behavior

I start debugging and put break point at entry point.

Ko() function first check the list predefined process running on victim’s

machine if they are, the malware executable

will stop execution. In this case, wireshark was running in background.

It stops calling assembly and execution process.

To avoid call to CsAntiProcess which look for the running process, I change the value of anti_CH bool variable value to

false manually. (Value of variable can change from Locals windows)

CsAntiProcess handler look for the process and if its there , it stops execution.

The list of process mentioned

SN	Process List	Process Name
1	procexp	Process Explorer (Sys Internal Tool)
2	SbieCtrl	SbieCtrl.exe (Sandboxie)
3	SpyTheSpy	Spyware monitoring tool
4	wireshak	WireShark
5	apateDNS	ApteDNS tool
6	IPBlocker	IPBlocker
7	Tiger-Firewall	–
8	smsniff	–
9	exeinfoPE	Exeinfo PE Tool
10	NetSnifferCS	–
11	SandBoxie Control	–
12	processhacker	Process Hacker
13	dnSpy	.Net disassembler (I am using it for debugging here)
14	CodeReflector	–
15	ILSpy	.Net disassembler
16	VGAuthService	VMware Guest Authentication Service
17	VBoxService	Virtual Box Service

_{This table contains List of Process malware checks on the system on execution}

NOTE: To bypass process check, I also changed the names of process e.g. Wireshark.exe to wk.exe and procexp.exe to prex.exe which helped to by pass process check when I executed malware without debugging in dnSpy because process names are hard coded.

On proceed with the debugging, it drops an executable file svchost.exe on the system at location

C:\Users\<user profile>\AppData\Roaming\svchost.exe

EXE is a string variable initialized as svchost.exe. It could be named svchost.exe (Windows Service Host) to create

confusion and it make difficult to differentiate its malicious without analyzing its location and properties.

_{Captured in process monitor, file is written at location}

It also drops Tools.exe at location C:\

File also drop at location

C:\USers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e84128b2e0547d1dd1f8090d86c80c48

and add to registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Name: e84128b2e0547d1dd1f8090d86c80c48

Value data: “C:\Users\IEUser\AppData\Roaming\svchost.exe” ..

Adding this registry value, the executable will execute everytime when user logon to the system.

Dropping file in this case is copying itself to the three different location. As all three files have different names but same hash and code.

In code, IP address along with the port 7777 and executable names are initialized.

C2 Server IP Address details:

VT Score: 1/79
Status: Malicious

_{VirusTotal Score for C2 server IP address – Link}

svchost.exe has sent TCP segment with SYN control bits to C2 server but there is no response from the server. Though

the IP address exists and IP location is Russia.

I used netstat to check the tcp connection.

_{Netstat command >> netstat -a}

_{1) Command >> netstat -a -b 2) Process name svchost.exe} _sent _{TCP segment}

Summary:

On execution, malicious executable file check running process on the system.
If any of the process running (listed in table above), malware stops execution.
It copies itself to three different locations:
- C:\Tools.exe
- C:\Users\<user profile>\AppData\Roaming\svchost.exe
- C:\USers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e84128b2e0547d1dd1f8090d86c80c48.exe
Creates registry entry so e84128b2e0547d1dd1f8090d86c80c48.exe will execute every time user logon to the system.
Command and Control server IP address is 85.26. 235.163 port 7777
svchost.exe tried to connect to C2 server, server didn’t respond.
Accessing C2 server IP address on port 7777 in browser, gets 200 OK response with empty response header.

Thank you.

Comments and suggestions are welcome.

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

MS Excel Malware Analysis

Word Document Malware Analysis

Crimson RAT Malware Analysis

Word Macro Drops IcedID Trojan – Malware Analysis

njRAT Malware Analysis