Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Maldoc Analysis of the Weekend SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Maldoc Analysis of the Weekend

Yesterday I received malicious Office document request15.doc (MD5 8598361ecbbffb35900d0720b0316a56).

It contains VBA macros that execute a PowerShell script. That script is a bit different than usual, so let's take a look.

With oledump.py, I look at the streams and find a macro stream:

Grepping for shell in the VBA code, it becomes clear what the purpose is:

Following the method I explained in diary entry "Quickie: String Analysis is Still Useful", I can quickly extract the PowerShell command:

Remark also that in the VBA code, character [ is replaced with letter A before the code is executed. I use sed to do the replacement:

And then I pipe this into base64dump.py:

Giving me the following PowerShell script:

This PowerShell script enumerates all methods of class System.Net.WebClient, and takes action for methods DownloadString and DownloadData.

With DownloadString it downloads a PowerShell script to be executed (IEX).

And with DownloadData it downloads a Windows executable to be executed.

Both files were no longer available when I performed the analysis, but I could probably find them via VirusTotal.

 

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

469 Posts
ISC Handler
Feb 9th 2019
Subscribe Feb 9th 2019
1 year ago
Yesterday, I've received a variant of this exact dropper. Your analysis walkthrough helped my immensely in my triage.
Analyzing my sample, though, my assumption was that the Powershell code was hiding in a
An “AlternativeText” property (in my case: Shapes("jczu2zzzf8bnm").AlternativeText). But I couldn’t find a way of statically extracting the actual string from that field using any of your Python tools, and thus reverted to using the “strings” technique you’ve shown. Why can we not “find” the actual AlternativeText field and extract the string from it?
Furthermore, after opening the sample in a VM and running the macro code line-by-line, I still couldn’t find the Powershell code for some reason (Shapes("jczu2zzzf8bnm").AlternativeText returned an empty string).
 Anonymous
Quote Feb 15th 2019
1 year ago
I believe this is Ursnif sample.
 Anonymous
Quote Feb 15th 2019
1 year ago
You can find that string, but it's in UNICODE. Maybe you just looked for ASCII strings, and therefor didn't find it. I'll write a diary entry.
 DidierStevens

469 Posts
ISC Handler
Quote Feb 16th 2019
1 year ago

Sign Up for Free or Log In to start participating in the conversation!