Yesterday I received malicious Office document request15.doc (MD5 8598361ecbbffb35900d0720b0316a56). It contains VBA macros that execute a PowerShell script. That script is a bit different than usual, so let's take a look. With oledump.py, I look at the streams and find a macro stream: Grepping for shell in the VBA code, it becomes clear what the purpose is: Following the method I explained in diary entry "Quickie: String Analysis is Still Useful", I can quickly extract the PowerShell command: Remark also that in the VBA code, character [ is replaced with letter A before the code is executed. I use sed to do the replacement: And then I pipe this into base64dump.py: Giving me the following PowerShell script: This PowerShell script enumerates all methods of class System.Net.WebClient, and takes action for methods DownloadString and DownloadData. With DownloadString it downloads a PowerShell script to be executed (IEX). And with DownloadData it downloads a Windows executable to be executed. Both files were no longer available when I performed the analysis, but I could probably find them via VirusTotal.
Didier Stevens |
DidierStevens 638 Posts ISC Handler Feb 9th 2019 |
Thread locked Subscribe |
Feb 9th 2019 3 years ago |
Yesterday, I've received a variant of this exact dropper. Your analysis walkthrough helped my immensely in my triage.
Analyzing my sample, though, my assumption was that the Powershell code was hiding in a An “AlternativeText” property (in my case: Shapes("jczu2zzzf8bnm").AlternativeText). But I couldn’t find a way of statically extracting the actual string from that field using any of your Python tools, and thus reverted to using the “strings” technique you’ve shown. Why can we not “find” the actual AlternativeText field and extract the string from it? Furthermore, after opening the sample in a VM and running the macro code line-by-line, I still couldn’t find the Powershell code for some reason (Shapes("jczu2zzzf8bnm").AlternativeText returned an empty string). |
Anonymous |
Quote |
Feb 15th 2019 3 years ago |
I believe this is Ursnif sample.
|
Anonymous |
Quote |
Feb 15th 2019 3 years ago |
You can find that string, but it's in UNICODE. Maybe you just looked for ASCII strings, and therefor didn't find it. I'll write a diary entry.
|
DidierStevens 638 Posts ISC Handler |
Quote |
Feb 16th 2019 3 years ago |
Sign Up for Free or Log In to start participating in the conversation!