- This sample comes as a `.doc` file in OLE2 format. We can see one embedded macro in stream 7 below.
- The contents of that stream appear to be heavily obfuscated, but there is some readable text.
- Above, we can see a reference to `1Normal.ThisDocument`, `ThisDocument` being the name of the VBA module we identified earlier.
- Looking at stream 4, we see text like `ThisDocument.AutoOpen`. In VBA, `AutoOpen` is a special macro that Word executes automatically when the document is opened; it is very commonly used by malware.
- So at this point we know that, according to stream 4, the macro in stream 7 will execute automatically (as long as macros are enabled). The next thing we need to do is closely analyze stream 7.
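The checks from this triage step, written out as an added Python example (not code from the original post): an OLE2 magic-number test for the container, and a scan of decompressed VBA source for auto-execution entry points such as `AutoOpen` and for qualified references like `ThisDocument.AutoOpen`. The VBA snippet is constructed for the example and is not the sample's macro; the trigger list is the usual set of Word and Excel auto macros.

```python
import re

# OLE2 / Compound File Binary header signature (the .doc container format).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Procedure names Office runs without the user invoking them. Word fires
# AutoOpen/Document_Open on open; Auto_Open/Workbook_Open are the Excel forms.
AUTOEXEC_NAMES = (
    "AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
    "AutoClose", "Auto_Close", "Document_Close", "AutoExec",
)
_CANONICAL = {name.lower(): name for name in AUTOEXEC_NAMES}

SUB_DECL = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+([A-Za-z_]\w*)\s*\(", re.IGNORECASE)
QUALIFIED_REF = re.compile(
    r"\b(\w+)\.(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.IGNORECASE)


def is_ole2(data: bytes) -> bool:
    """True when the file starts with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def find_autoexec_subs(vba_source: str):
    """Return [(line_no, name)] for each Sub whose name is an auto-exec trigger."""
    hits = []
    for line_no, line in enumerate(vba_source.splitlines(), start=1):
        m = SUB_DECL.match(line)
        if m and m.group(1).lower() in _CANONICAL:
            hits.append((line_no, _CANONICAL[m.group(1).lower()]))
    return hits


def find_autoexec_references(vba_source: str):
    """Return sorted (qualifier, trigger) pairs such as ('ThisDocument', 'AutoOpen'),
    the kind of reference the post spots in stream 4."""
    refs = {(m.group(1), _CANONICAL[m.group(2).lower()])
            for m in QUALIFIED_REF.finditer(vba_source)}
    return sorted(refs)


# Constructed fixture for this example; not the macro from the analysed document.
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\n'
    "Sub AutoOpen()\n"
    "    Call VYXQPXIETSZ\n"
    "End Sub\n"
    "Private Sub Helper()\n"
    "End Sub\n"
    "Public Sub Auto_Open()\n"
    "    ThisDocument.AutoOpen\n"
    "End Sub\n"
)

if __name__ == "__main__":
    print("OLE2 header:", is_ole2(OLE2_MAGIC + b"\x00" * 504))
    print("auto-exec subs:", find_autoexec_subs(SAMPLE_VBA))
    print("auto-exec refs:", find_autoexec_references(SAMPLE_VBA))
```

Run it against the VBA text that olevba (or a manual decompression of the module stream) gives you; a hit from `find_autoexec_subs` is the confirmation that the macro runs on open, which is what the stream-4 reference above already suggests.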
- To start, we'll search for the sample in VirusTotal and see what results we get back.
- Cyrillic. Russians... every single time.
- The sample generates an HTTP GET request to `http://imperialenergy[.]ca/js/bin.exe`. So at this point it's beginning to look like a downloader, the kind of dropper that fetches its payload rather than carrying it inside the document.
- It looks like the second-stage payload gets staged under the Internet Explorer cache folder.
- Looking at the plaintext contents of the macro, it does a few key things:
- Implements a function named `XORI` which XORs input strings.
- Implements a function named `HexToString` which converts input from hex format to ASCII.
- Runs multiple `Auto_Open` subroutines which include `GoTo` commands with gibberish text. These are designed to mislead the reverse engineer.
- Implements a subroutine that appears to initialize and provide the necessary parameters for network operations.
- Implements an obfuscated function named `VYXQPXIETSZ` which performs the callout to download the second stage.
- Fortunately, the obfuscation is not too complicated. The `GoTo` instructions do not fundamentally change the execution flow and the functions are straightforward in their design.
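The decoding the macro's helpers imply, as an added Python example (not the sample's own code): `hex_to_string` and `xor_strings` mirror the described `HexToString` and `XORI`, chained the way these maldocs usually chain them, and `strip_trivial_gotos` drops a `GoTo` only when it jumps to the label immediately following it, leaving any jump that really skips code in place for manual review. The repeating-key XOR construction, the key `k3y` and the obfuscated VBA snippet are assumptions and constructed fixtures; the page does not show the real key or the function bodies.

```python
import re

def hex_to_string(hex_text: str) -> str:
    """Counterpart of the macro's HexToString: pairs of hex digits -> characters."""
    hex_text = "".join(hex_text.split())          # tolerate whitespace between pairs
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(hex_text).decode("latin-1")

def xor_strings(data: str, key: str) -> str:
    """Counterpart of the macro's XORI, assumed here to be a repeating-key XOR
    (the page does not show its body)."""
    if not key:
        raise ValueError("empty key")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))

def decode_macro_string(hex_text: str, key: str) -> str:
    """XORI(HexToString(s), key): the usual chaining of the two helpers."""
    return xor_strings(hex_to_string(hex_text), key)

def encode_macro_string(plain: str, key: str) -> str:
    """Inverse of decode_macro_string; used only to build the constructed fixture."""
    return xor_strings(plain, key).encode("latin-1").hex().upper()

GOTO = re.compile(r"^\s*GoTo\s+([A-Za-z_]\w*)\s*$", re.IGNORECASE)
LABEL = re.compile(r"^\s*([A-Za-z_]\w*):\s*$")

def strip_trivial_gotos(vba: str) -> str:
    """Remove `GoTo X` when the very next line is the label `X:`.

    Such a jump is a no-op inserted to confuse the reader. A GoTo whose label
    is anywhere else may genuinely change control flow, so it is kept as is."""
    lines = vba.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = GOTO.match(lines[i])
        if m and i + 1 < len(lines):
            lab = LABEL.match(lines[i + 1])
            if lab and lab.group(1).lower() == m.group(1).lower():
                i += 2          # skip both the jump and its target label
                continue
        out.append(lines[i])
        i += 1
    return "\n".join(out)

# Constructed fixtures: an assumed key and a hand-written obfuscated stub.
KEY = "k3y"
PLAIN_URL = "http://imperialenergy[.]ca/js/bin.exe"
OBFUSCATED_URL = encode_macro_string(PLAIN_URL, KEY)
OBFUSCATED_VBA = "\n".join([
    "Sub Auto_Open()",
    "    GoTo LBQWZ",            # no-op: target is the next line
    "LBQWZ:",
    "    Call VYXQPXIETSZ",
    "    GoTo Done",             # real jump: skips the MsgBox, so it is kept
    '    MsgBox "never runs"',
    "Done:",
    "End Sub",
])

if __name__ == "__main__":
    print(decode_macro_string(OBFUSCATED_URL, KEY))
    print(strip_trivial_gotos(OBFUSCATED_VBA))
```

When applying this to a real module, pull the hex literals and the key out of the `VYXQPXIETSZ` call sites first; decoding every string constant in the module with one pass of `decode_macro_string` usually recovers the URL, the cache path and the command line in one go.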
- This sample is a maldoc containing an embedded VBA macro that calls out to `imperialenergy[.]ca` to download and run a gzip-encoded second stage, `bin.exe`.
- Once downloaded, the second stage gets placed in the Internet Explorer cache folder and executed from there.
- At the time of this writing, the payload was not available for analysis.