It seems that macro based document are, again, used to spread malware. Even the Malware Protection Centre from Microsoft mentioned it recently. Seems like an old trick, but apparently works like a charm. Most probably users trust too much Office documents as they keep exchanging them multiple time per day as part of their business/private activities. Most malicious Office documents have a macro that actually download a malicious file. Let’s see a quick way to have a better view on what exactly is happening.
Let’s look at a very recent example. @ConradLongmore has identified some new variant coming via a malicious email:
— Conrad Longmore (@ConradLongmore) January 12, 2015
Samples can be downloaded from malwr.com here and here (two variants). Interestingly enough malwr.com don’t see any network activities (probably because the macro failed to activate). This is a bit strange because doing some more static analysis and you can actually find two links (one per file) that redirect to a malicious executable.
Just to confirm the file type we run a quick “file” command. We can also see that both file have been apparently modified very recently and with a two minutes interval:
Let’s look at the content. Those two files are actually .doc and therefore in OLE format (.docx/.xlsx/.pptx are in a different format – basically zip file). In that case one of the best tool available is oledump.py from Didier Stevens (also known for his PDF tools…but we will talk about that in an upcoming post).
Equipped with this tool you can find quickly a link to a malicious file. Let’s list the content of the files using a basic oledump.py command, as expected both files actually have one macro:
Let’s have a look at the content of the macro. We can use the flag -s (for the stream with the macro, number 7 in this case) and -v (as the script is actually compressed). We can save the output to a file in order to review it…oups…its seems that the content of the script is actually obfuscate by what looks like random variable/functions name. You can make an opinion for your self by looking at it here and here [pastbin links].
So if you are not ready to de-obfuscate this code, you can use a very useful plugin provided by Didier Steven. Let’s try it, use the -p flag and the plugin_http_heuristics:
Bingo! got a hit! one link per file. One is: hxxp://shared.radiosabbia.it/js/bin.exe and the other hxxp://haselburg.cz/js/bin.exe
Those two files are actually the same. This time malwr.com can see some network activities going to 220.127.116.11 [virustotal.com link] and 18.104.22.168 [virustotal.com link] which seems to be some well-known C&C IPs.
One last thing, if you are actually interested in the de-obfuscation of the code here is a quicker way. With the assumption that the macro are the same, at the exception of the link, you can do a quick diff on the code extracted with oledump.py:
Seems that it is the variable eFdsgfsdg that store the URL.