Malware Analysis – VBA Macro sample 128623cda77296ec4cd94eef06068de95b7128dfdb16a4e6f8d7269da218d8ed

1) Sample Details:

Hash:

MD5 – 40e2f412a8f47b43e7d2336e22bec6f4
SHA-1 – 10a4c26ba2b0ed617ba367d41feef975e2dc30b7
SHA-256 – 128623cda77296ec4cd94eef06068de95b7128dfdb16a4e6f8d7269da218d8ed

File:

$ file rents.xls
rents.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: ������������ Windows, Last Saved By: ������������ Windows, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 20 13:33:43 2018, Last Saved Time/Date: Thu Jan 10 15:32:15 2019, Security: 0

2) The file has a macro and an additional image that stresses the importance of enabling macros :p

3) Extracted the macro and reviewed indicators using olevba.py

$ olevba.py rents.xls > rents.txt

Decided to review the macro manually after playing around with strings.

4) The VBA macro was obviously obfuscated: observed a lot of comments (starting with ' ) that look like code, and removed those to make the code more readable. Observed the below function that refers to data in the cells.

Deleted the image in sheet 'qw'; however, did not observe any data initially.

Reviewed further and observed that there was some obfuscated data that was not visible, as the 'Font Color' was white (classic obfuscation technique). Changed it to red and observed the below results.
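A small analyst helper for the clean-up in step 4, added here as an example and not part of the original write-up or of the sample's macro: it strips decoy `'` and `Rem` comments from an olevba dump (ignoring apostrophes inside string literals, which a naive strip would mangle) and then lists which sheet cells the surviving code actually reads. The macro text below is a constructed stand-in, and `GetDecStr2` is only a name borrowed from the write-up, not the real function.

```python
import re

# Constructed sample in the shape of an olevba dump (NOT the real macro):
# decoy comments that look like code, a string literal containing an
# apostrophe, and a loop that pulls obfuscated data out of sheet "qw".
SAMPLE_MACRO = """\
' Dim x As Integer: x = Sheets("decoy").Cells(1, 1)
Rem Set obj = CreateObject("Decoy.Object")
Function GetDecStr2(n As Integer) As String
    Dim i As Integer, s As String   ' accumulator
    For i = 1 To n
        s = s & Chr(Sheets("qw").Cells(i, 3).Value - 7)
    Next i
    GetDecStr2 = "it's done: " & s ' trailing note
End Function
Sub Auto_Open()
    Shell Range("B2").Value & GetDecStr2(12)
End Sub
"""

def strip_comment(line):
    """Remove the VBA comment from one line, ignoring apostrophes inside "..." literals."""
    if re.match(r"(?i)rem(\s|$)", line.lstrip()):
        return ""                      # Rem comments occupy the whole statement
    in_string = False
    for idx, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, so it stays inside
        elif ch == "'" and not in_string:
            return line[:idx].rstrip()
    return line.rstrip()

def strip_comments(macro_text):
    """Drop comment-only lines and trailing comments; return the remaining code lines."""
    code = (strip_comment(line) for line in macro_text.splitlines())
    return [line for line in code if line.strip()]

# Optional Sheets("name"). prefix followed by a Cells(...) or Range("...") access.
CELL_REF = re.compile(r'(?:Sheets\("([^"]+)"\)\.)?(Cells\([^)]*\)|Range\("[^"]+"\))')

def cell_references(code_lines):
    """Return (sheet or None, reference) pairs read by the de-commented code."""
    return [(sheet or None, ref)
            for line in code_lines
            for sheet, ref in CELL_REF.findall(line)]

if __name__ == "__main__":
    code = strip_comments(SAMPLE_MACRO)
    print("\n".join(code))
    print(cell_references(code))   # decoy sheet is gone; only "qw" and B2 remain
```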

5) Decided to debug the function GetDecStr2 using the Visual Basic Editor, as it was used in the call.

Set up a breakpoint, did further analysis and was able to get the de-obfuscated data, as it was a For loop:

Find below the obfuscated and de-obfuscated data:

6) So the Call..

becomes..

Which is the malicious PowerShell script that will run on the machine.

7) Got a 404 error from the below servers while doing dynamic analysis; looks like the server is not listening at the moment.

198[.]46[.]190[.]41/knot1[.]php
198[.]12[.]71[.]3/knot2[.]php
107[.]172[.]129[.]213/knot3[.]php

8) Did some OSINT searching and was able to find the below PCAP associated with a connection to 198[.]46[.]190[.]41/knot1[.]php.

https://www.virustotal.com/gui/file/c07664bf4a2def00489358ba8b3751375a4d74f2f93a00aa2ab946b20bbde055/detection

We can see from the PCAP that the connection gets redirected to 198[.]46[.]190[.]41/largo[.]vin and the malicious PE file 949c9c16bc08e6cc33d2a16b0b04bb3be3ca753f63e556209e29b304c729c7ca gets downloaded, which is then executed as tmp0251.exe.
