Previously, we have written about MalSpam attack in Japan.
Recently, we have found several emails that are being sent out targeting DBS users.
[ Sample used in the analysis ]
[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .eml file d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”
Opening up the .eml file with VisualStudio Code, we can see that the email contain a malicious DOC file(271-20170627-55147_109.doc).
We can also see the contents of that email.
This attached Advice is sent to you for information only.
This is an automatically generated notification.
Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.
DBS Bank Ltd
However, we are more interested in the malicious DOC file. Let’s Base64code decode that back into a DOC file. After decoding that back to a file, we can see that this malicious DOC file contains VBA as shown in the image below.
As the VBA is quite short, we can extract out the decryption method and make use of dotnetfiddle to have a quick decryption of the strings. I’ve made a simple fiddle to show the deobfuscated strings here:
As you can see here, the VBA will attempt to download the payload from
The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.
So let’s load it up in OllyDbg and set a “BreakPoint” on “WriteProcessMemory”
Now let’s do right-click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
Now right-click on “Buffer” and click on “Follow in Dump” and you can find the dropped payload at 0x037C0150
We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.
As i don’t want to bore everyone. A quick look at the deobfuscated strings, the malware is most likely AgentTesla.
The stolen credentials are sent back via email to:
username: [email protected]
I’ll update this post as i find time to take it apart.
Thanks & Regards
Emails containing malicious Doc
Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated TeslaAgent – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated TeslaAgent – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE