BlackEnergy .XLS Dropper

Published: 2016-01-11
Last Updated: 2016-01-12 20:42:32 UTC
by Didier Stevens (Version: 1)
5 comment(s)

The malware used in the recent Ukrainian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file.

If you want to practice the analysis of such documents, I have something for you: I produced a spreadsheet that uses exactly the same method to embed a PE file, but it has no code to write to disk nor to run the payload. And the VBA code doesn't run automatically. And instead of a PE file, I embedded a JPEG file. So this example is very safe. You can download the example here.
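As an added example (not code from the diary or from the tools it mentions), the following script rebuilds a file embedded in VBA as an array of bytes and identifies it by its magic bytes, so an analyst can tell an MZ header from the JPEG in the practice spreadsheet without ever executing the macro. The two VBA patterns it parses (`Array(...)` literals and indexed `name(i) = value` assignments) and the sample macro text are assumptions constructed for this example, not the actual maldoc's code.

```python
import re

# Constructed sample in the style of a byte-array embedding (not the real maldoc).
SAMPLE_VBA = """
Sub LoadPayload()
    Dim a As Variant
    a = Array(255, 216, 255, 224, 0, 16, 74, 70, 73, 70, 0, 1)
    ' a real dropper would continue with many more Array() chunks
End Sub
"""

# Magic bytes that matter for this kind of triage: PE vs. the harmless JPEG.
MAGIC = {
    b"MZ": "PE executable (MZ header)",
    b"\xff\xd8\xff": "JPEG image",
}

ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE | re.DOTALL)
# Matches e.g. "buf(3) = 144" or "buf(3) = &H90" (VBA hex literal).
ASSIGN_RE = re.compile(r"\w+\s*\(\s*(\d+)\s*\)\s*=\s*(&H[0-9A-Fa-f]+|\d+)")


def vba_number(tok):
    """Parse a VBA integer literal, decimal or &H-prefixed hex."""
    tok = tok.strip()
    return int(tok[2:], 16) if tok.upper().startswith("&H") else int(tok)


def extract_bytes(vba_text):
    """Rebuild the embedded file from Array() literals; fall back to
    indexed assignments, ordered by index, when no Array() is present."""
    out = bytearray()
    for m in ARRAY_RE.finditer(vba_text):
        for tok in m.group(1).split(","):
            if tok.strip():
                out.append(vba_number(tok) & 0xFF)
    if not out:
        assigns = ((int(i), v) for i, v in ASSIGN_RE.findall(vba_text))
        for _, val in sorted(assigns):
            out.append(vba_number(val) & 0xFF)
    return bytes(out)


def identify(blob):
    """Name the embedded file type from its leading bytes."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


if __name__ == "__main__":
    payload = extract_bytes(SAMPLE_VBA)
    print(len(payload), "bytes:", identify(payload))
```

Run on the output of a macro-dumping tool (the diary's video covers that step); a PE result from a document that should only carry data is the signal to escalate.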

In case you have no idea how to get started, I have a video for you where I show my analysis method.

You can find the tools I used on my blog.

But there are many ways to analyze this example. Please post your method in a comment. And also, let me know what you think of the picture.

Update: according to a Twitter exchange, the .XLS maldoc is from an incident involving a power company (August), and the more recent incident is with another maldoc. Tweets here, here, here, here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Keywords: blackenergy maldoc
