Malware Analysis – Microsoft Word (VBA Macro Downloader using PowerShell)

1) Sample Details:

MD5 – 5ab2c99e5b4673494c2b37da10442bc3
SHA-1 – 00d379f6e1d040a185f7c7d678879360a1570b47
SHA-256 – 05e1e27194872ea82491a474afd2273bdad56e2b61172453ef3e771be6965c82

$ file PT798800-TT000768-11.doc
PT798800-TT000768-11.doc: Microsoft Word 2007+

2) Right away we see the suggestion provided to enable macro and a “100% Virus Satisfaction Guaranteed Seal” with a check mark next to ‘No Download’ (seems legit :p).

3) There was a lot of Junk Code like empty variables in the VBA Macro:

did some basic clean-up and got the below code:

4) After further analysis..


Setting up a breakpoint on second instance of ‘XSxMDWlQw7O6442qdqr2ktnsz_Jzu__o__YHxzT81ZK4S_AvPvVT’ and executing gives us the below result:

5) So , ‘XSxMDWlQw7O6442qdqr2ktnsz_Jzu__o__YHxzT81ZK4S_AvPvVT’ becomes the below:

which is the same as mentioned below, this malicious script gets executed in the device:

This is base64 Encoded, below is the decoded version:

So, Possibly a PE File will be downloaded from the below link, moved to Temp Folder as TLEWf5fHN4.exe and will be executed


6) Tried running the PowerShell script in my Lab and observed the below results

Lab Setup:
Windows 10 – Does not have Internet Connectivity.
REMnux – Is the Default Gateway for W10 and has fakedns and INetSim running.

We get the ‘File or directory is corrupted and unreadable’ as it’s the fake file provided by INetSim.

I was able to download it manually, the downloaded PE File is 569044a286d02a335b7febfe434b1779655bbe54bd872eed6c04ec8eacc78e9f

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s