0x7 - Maldoc.md

File metadata and controls

64 lines (33 loc) · 3.89 KB

Analysis

  • This sample is a .doc file in OLE2 (compound file) format. The stream listing below shows one embedded VBA macro, in stream 7.

Pasted image 20240628152837

  • The contents of that stream appear to be heavily obfuscated, but some readable text remains.

Pasted image 20240628153733

  • Above, we can see a reference to 1Normal.ThisDocument. ThisDocument is the name of the document's VBA class module, the module containing the macro identified above.

Pasted image 20240628153756

  • Looking at stream 4, we see text like ThisDocument.AutoOpen. In Word VBA, AutoOpen is one of the auto-execute macro names: a Sub called AutoOpen runs automatically when the document is opened, which makes it a very common trigger in maldocs.

  • So, according to stream 4, the macro in stream 7 runs automatically as soon as the document is opened, provided macros are enabled. The next step is to analyze stream 7 closely.

  • To start, we search for the sample's hash in VirusTotal to see what is already known about it.

Pasted image 20240628154234

  • The results include Cyrillic text. On its own that is only a weak hint about origin; Cyrillic strings do not establish attribution.

  • The sample generates an HTTP GET request to http://imperialenergy[.]ca/js/bin.exe. At this point it is beginning to look like a downloader (often loosely called a dropper): the second stage is fetched from the network rather than embedded in the document.

Pasted image 20240628154401

  • The second-stage payload appears to be staged under the Internet Explorer cache folder.

Pasted image 20240628154522

  • Looking at the decompressed, plaintext contents of the macro, it does a few key things:

  • Implements a function named XORI that XORs input strings, the decoding routine for the obfuscated strings.

Pasted image 20240628155157

  • Implements a function named HexToString that converts a hex-encoded input string back to ASCII text.

Pasted image 20240628155237

  • Contains multiple Auto_Open subroutines made up of GoTo statements that jump to labels with gibberish names. This is junk control flow designed to mislead the reverse engineer.

Pasted image 20240628155320

  • Implements a subroutine that appears to initialize and supply the parameters needed for the network request:

Pasted image 20240628181647

  • Implements a function with the obfuscated name VYXQPXIETSZ that performs the callout to download the second stage:

Pasted image 20240628181427

  • Fortunately, the obfuscation is not complicated: the GoTo statements do not fundamentally change the execution flow, and the functions themselves are straightforward in design.
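The following Python is an added example, not code from the sample or from these notes. It re-implements the two helpers the macro relies on, HexToString and XORI, so that the obfuscated literals can be decoded outside Word, strips the no-op GoTo/label pairs, and lists the auto-execute entry points in a macro listing. Because the page does not show the helpers' bodies, the example assumes XORI is a repeating-key XOR and HexToString consumes a literal made of hex digit pairs; the key, the function names hex_to_string, xori, strip_noop_gotos and the VBA fragment are all constructed for the demonstration.

```python
"""
Added example (not the sample's own code): Python equivalents of the
macro's HexToString and XORI helpers, a no-op GoTo stripper, and a
scanner for auto-execute Sub names.

Assumptions (the page does not show the real helper bodies):
  * XORI is a repeating-key XOR (the key cycles over the input);
  * HexToString takes a literal consisting only of hex digit pairs;
  * the VBA fragment below is constructed for the demo, not the sample.
"""
import re

# Auto-execute names for Word (AutoOpen, AutoExec, AutoClose, Document_Open)
# and Excel (Auto_Open, Workbook_Open), compared case-insensitively.
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "autoexec", "autoclose",
    "document_open", "workbook_open",
}


def hex_to_string(hexstr: str) -> bytes:
    """HexToString equivalent: hex digit pairs -> raw bytes."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", hexstr)   # tolerate wrapped literals
    if len(clean) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(clean)


def xori(data: bytes, key: bytes) -> bytes:
    """XORI equivalent (assumed): repeating-key XOR.  XOR is symmetric, so
    the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(hexstr: str, key: bytes) -> str:
    """The pipeline the macro applies at run time: XORI(HexToString(s), key)."""
    return xori(hex_to_string(hexstr), key).decode("latin-1")


def extract_hex_literals(vba_source: str, min_len: int = 8) -> list:
    """Quoted literals made only of hex digits: the inputs HexToString takes."""
    return [s for s in re.findall(r'"([0-9A-Fa-f]+)"', vba_source)
            if len(s) >= min_len]


def find_autoexec_subs(vba_source: str) -> list:
    """Names of Sub/Function declarations that Office runs automatically."""
    decl = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                      re.I | re.M)
    return [m.group(1) for m in decl.finditer(vba_source)
            if m.group(1).lower() in AUTOEXEC_NAMES]


def strip_noop_gotos(vba_source: str) -> str:
    """Remove `GoTo X` immediately followed by the label `X:`.  Such a jump
    lands on the very next statement, so it is pure clutter."""
    lines = vba_source.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = re.match(r"\s*GoTo\s+(\w+)\s*$", lines[i], re.I)
        if (m and i + 1 < len(lines)
                and re.match(r"\s*" + re.escape(m.group(1)) + r":\s*$",
                             lines[i + 1], re.I)):
            i += 2          # drop the jump and its label together
            continue
        out.append(lines[i])
        i += 1
    return "\n".join(out)


# Constructed demo input: the URL from the analysis, encoded the way the
# macro would store it, inside a VBA fragment in the style described above.
SAMPLE_KEY = b"K"                                  # assumed key
URL = "http://imperialenergy[.]ca/js/bin.exe"
ENCODED = xori(URL.encode(), SAMPLE_KEY).hex().upper()
SAMPLE_VBA = f'''
Sub AutoOpen()
    GoTo QWERTYZX
QWERTYZX:
    Dim s As String
    s = XORI(HexToString("{ENCODED}"), "{SAMPLE_KEY.decode()}")
    VYXQPXIETSZ s
End Sub
'''


def recover_strings(vba_source: str, key: bytes) -> list:
    """Decode every HexToString-style literal found in the macro text."""
    return [decode_string(h, key) for h in extract_hex_literals(vba_source)]


if __name__ == "__main__":
    print("auto-exec entry points:", find_autoexec_subs(SAMPLE_VBA))
    print("decoded strings:", recover_strings(SAMPLE_VBA, SAMPLE_KEY))
    print(strip_noop_gotos(SAMPLE_VBA))
```

Against a real dump of stream 7, the key would be taken from the call site of XORI rather than assumed, and any literal that decodes to a URL or a path under the IE cache folder is the one worth chasing; the GoTo stripper only removes jumps whose target is the next line, so a GoTo that really redirects control is left in place for manual review.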

Summary

  • This sample is a maldoc with an embedded VBA macro that calls out to imperialenergy[.]ca to download and run a gzip-encoded second stage, bin.exe.

  • Once downloaded, the second stage is written to the Internet Explorer cache folder and executed from there.

  • At the time of this writing, the payload was not available for analysis.