1) Sample Details:
MD5 – 40e2f412a8f47b43e7d2336e22bec6f4
SHA-1 – 10a4c26ba2b0ed617ba367d41feef975e2dc30b7
$ file rents.xls
rents.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: ������������ Windows, Last Saved By: ������������ Windows, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 20 13:33:43 2018, Last Saved Time/Date: Thu Jan 10 15:32:15 2019, Security: 0
2) The file has a macro and an embedded image that stresses the importance of enabling macros :p
3) Extracted the macro and reviewed the indicators using olevba.py
$ olevba.py rents.xls > rents.txt
Decided to review the macro manually after playing around with strings.
4) The VBA macro was obviously obfuscated: it contained a lot of comments (lines starting with ‘) that look like code, so removed those to make the code more readable. Observed the function below, which refers to data in the cells.
Deleted the image in sheet ‘qw’; however, no data was visible initially.
Reviewed further and found obfuscated data that was not visible because the ‘Font Color’ was white (a classic obfuscation technique). Changed it to red and observed the results below.
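As an added example (not part of the original notes), a small Python helper for the comment-stripping step above: it removes VBA comment lines and trailing comments the way the analysis did by hand, while leaving apostrophes inside string literals untouched, and reports how many comment-only lines were dropped. The macro text is constructed; GetDecStr2 and sheet ‘qw’ come from the notes, everything else in it is made up.

```python
"""Strip decoy VBA comments from macro source dumped by olevba."""
import re

# A line starting with the Rem keyword is a whole-line comment in VBA.
REM_RE = re.compile(r"^\s*Rem(\s|$)", re.IGNORECASE)


def strip_comment(line: str) -> str:
    """Drop an end-of-line comment, honouring double-quoted string literals."""
    if REM_RE.match(line):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            # An escaped "" inside a string toggles twice, so the state is unchanged.
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line.rstrip()


def remove_decoy_comments(vba_source: str) -> tuple[str, int]:
    """Return (cleaned source, number of comment-only lines removed)."""
    kept, removed = [], 0
    for line in vba_source.splitlines():
        cleaned = strip_comment(line)
        if cleaned.strip():
            kept.append(cleaned)
        elif line.strip():
            removed += 1  # non-blank line that was nothing but a comment
    return "\n".join(kept), removed


# Constructed macro text: comments deliberately written to look like code.
SAMPLE_VBA = """\
' Set objShell = CreateObject("WScript.Shell")
Sub Auto_Open()
    ' x = Cells(3, 7).Value ' decoy comment that looks like code
    Dim s As String
    s = GetDecStr2(Sheets("qw").Range("A1:A40"))  ' real call, keep it
    Rem payload = "This isn't code"
    MsgBox "Don't enable macros"
    Call Run(s)
End Sub
"""

if __name__ == "__main__":
    cleaned, removed = remove_decoy_comments(SAMPLE_VBA)
    print(f"removed {removed} comment-only lines\n{cleaned}")
```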
5) Decided to debug the function GetDecStr2 using the Visual Basic Editor, as it was the function used in the call.
Set up a breakpoint, did further analysis and, as it was a For loop, was able to recover the de-obfuscated data:
Find below the Obfuscated and De-obfuscated data:
6) So the call..
..is the malicious PowerShell script that will run on the machine.
7) Got a 404 error from the servers below during dynamic analysis; it looks like the server is not listening at the moment.
8) Did some OSINT searching and found the PCAP below, associated with a connection to 198[.]46[.]190[.]41/knot1[.]php.
We can see from the PCAP that the connection gets redirected to 198[.]46[.]190[.]41/largo[.]vin and the malicious PE file 949c9c16bc08e6cc33d2a16b0b04bb3be3ca753f63e556209e29b304c729c7ca gets downloaded, which is then executed as tmp0251.exe.