MalDoc Analysis – Dosfuscation

Last night a colleague showed us an email that looked like a phishing email. Notably, the threat source had done proper reconnaissance to identify individuals working in the company: the redacted portion was the name of an employee in a senior position.

The mail states that an amount of $1,872.35 was sent to X, with a link to check the transaction details.

I observed some issues with the mail:

  • No space in "Bankofamerica"
  • Mention of "BankofAmerica" at the top and "Bus Banking Customer Support" below
  • URL points to a non-banking site

I expected that the ‘See your transaction Details below’ link would take me to a phishing page, but instead it downloaded a Word .doc file.

File Name: ACH 5111FJNC Aug-06-2018.doc
MD5: c27c4a3e036dd49004b18ec0b2ebdbef
SHA256: afc7144b0a9b76e39cae60513beda1162255d5084514d142d011f36f7a807218
File Size: 100 KB

I had covered the analysis of Geodo in an earlier post.

I decided to proceed with just static analysis in this case.

Running oledump.py showed that there were multiple macro streams, and oledump marked two of them as suspicious: streams 8 and 15. Stream 8 had a size of 1883 bytes while stream 15 had a size of 10154 bytes.

The streams store the macro code in a compressed format. To view the VBA macros we need to use the -v option (decompress VBA) and select the stream by number with -s.

Macro Code for Stream 8

Analysing the above code, there are a lot of Attribute lines. We can also see a Shell reference along with CStr function calls using c and m as arguments.

Macro Code for Stream 15

LONG Method – Error Prone

Analysing the above code, we can see that a lot of lines have ‘=’ in them, so values are probably being assigned to variables. We can filter those lines with grep for ‘=’.

Analysing the above lines, we can see a lot of + operators, which indicates concatenation. Most of the code concatenates comma-separated lists of integers and assigns them to variables; a few lines concatenate variables instead. Because " + " is repeated a lot, we can strip it with sed.

  • Remove " + "
  • Remove ""

Thus the overall code now looks like this:

In the above code, we can ignore the lines in red since they are either Attribute lines or concatenations of variables. I’ve extracted the remaining lines into a file called malcode.

It takes many steps and some trial and error before we get usable code. If you compare the code below with the code from the Short Method, you will see that the code below still contains errors.


SHORT Method – Using RE-Search & SETS

A more efficient way is to use Didier Stevens' re-search.py tool, which lets us extract strings matching a regex.

The first line, ‘nNiWjTCZoGGkEj’, is the value assigned to Attribute VB_Name, so we can grep that line out.

We can see there is a ‘set zu’, which is probably setting the value of a variable. The -eu switches let us view all non-empty strings and remove the inverted commas from the output. We can then combine the lines using the sets.py program.

sets.py lets us perform operations like join on a group of lines.

The final output will be:

Code Observations:

  • zu is assigned the string ‘LDOzQcMcQijUATsujiHWBiPikSvjLKCk\9(wIh)G$:N+.0md6ftb5p{e=n,x-/l ;a8qVFroy@'g}’
  • The string is 77 characters long
  • There is a For loop that iterates over a list of integer values with iterator ‘n’. The integer values are all less than 77
  • Each value of the loop is mapped to a position (0-based index) in the string, e.g. 76 is }
  • As soon as n = 84, it calls %8GF:~5%, which terminates the execution

We can then use some Python to find the deobfuscated code:
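As an added example (not the post's own script), the following Python reconstructs the command from the 77-character key string quoted above by mapping each loop index to a character and stopping at the first out-of-range index (84 in this sample). The for-loop line it parses is constructed here and encodes a harmless command; the real document's index list is not reproduced.

```python
import re

# Key string as recovered from the "set zu" line above (77 characters).
# A raw string keeps the backslash and apostrophe literal.
KEY = r"LDOzQcMcQijUATsujiHWBiPikSvjLKCk\9(wIh)G$:N+.0md6ftb5p{e=n,x-/l ;a8qVFroy@'g}"


def extract_indices(for_line):
    """Pull the integer list out of a batch 'for %n in (...) do ...' construct."""
    m = re.search(r"for\s+%+\w+\s+in\s*\(([^)]*)\)", for_line, re.IGNORECASE)
    if not m:
        raise ValueError("no for-loop integer list found")
    return [int(tok) for tok in re.split(r"[\s,;]+", m.group(1).strip()) if tok]


def decode(key, indices):
    """Map each index to key[index]; the first out-of-range index acts as the terminator,
    mirroring the n = 84 sentinel observed above (84 >= 77, so it is never a valid position)."""
    out = []
    for n in indices:
        if n < 0 or n >= len(key):
            break
        out.append(key[n])
    return "".join(out)


# Constructed sample line with the same shape as the loop in the macro output.
# The indices spell a harmless string; 84 is the terminator.
SAMPLE_FOR_LINE = "for %n in (55 5 37 71 63 47 71 57 55 84) do set cmd=!cmd!!zu:~%n,1!"

if __name__ == "__main__":
    assert len(KEY) == 77 and KEY[76] == "}"
    print(decode(KEY, extract_indices(SAMPLE_FOR_LINE)))  # echo done
```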

The final de-obfuscated code is PowerShell.

Analysing the above code, we observe that:

  • There is a list of 5 URLs separated by @. The Split function is called on it and the resulting array is stored in $VNj
  • A connection is made to each URL in turn to download the file (payload)
  • The payload is saved into the temp folder with the filename 589.exe
  • Once the file has been downloaded, it is executed


Payload URLs:


Associated Payload IPs:


You can view the VirusTotal report for the payload files here.

About the author

Lionel Faleiro

Photographer | Ex-Univ Professor | SysAdmin | Trainer, Security Analyst & DFIR Enthusiast |
