This Trickbot document hid a .dll in an interesting place. If you’d like to play along, you can find the document and dropped .dll here:
Document: https://app.any.run/tasks/96c149ce-b01a-4543-a8d4-2b98bb18b9c7
Document Password: INV15
SHA256: 052C9196DFE764F1FBD3850D706D10601235DC266D1151C93D34454A12206C28
Dropped File: C:\programdata\objStreamUTF8NoBOM.Vbe
Dropped File: C:\UTF8NoBOM\APSLVDFB.dll
Dropped .dll: https://app.any.run/tasks/5bc86667-aab3-4513-a433-3697d6a9d3eb
After supplying the provided password to open the document, I suggest that you remove it, save the document, and then use tools like oledump.py to extract the macro. Notice how it keeps making references to ActiveDocument.Range(Start and End) and ActiveDocument.Words.
The macro is pulling data from the current document, piecing them together, and then writing it out to this file and location:
C:\programdata\objStreamUTF8NoBOM.Vbe
Once that is done, the macro creates a Wscript.exe object and executes that .vbe file.
But where did it get all of that data? Where was it hiding in the document? Well, it wasn’t really ‘hiding’ in the typical places we see obfuscated commands (I’m looking at you, Emotet). In this case, it was hiding behind the the picture we see in the document itself. We can see the text below by deleting that picture and zooming in 400%.
You can fit an entire .dll on one page of a word document if you use 1 point font. Who knew?
The macro in the document takes the above characters, rearranges them, and writes them to objStreamUTF8NoBOM.Vbe. Here’s that .vbe file.
Near the bottom of objStreamUTF8NoBOM.Vbe, we can see the base64 decoding function. It gets copied to the following location:
C:\UTF8NoBOM\APSLVDFB.dll
The last two lines create a wscript.shell object and use regsvr32 to run the .dll.
And there you go! Thanks for reading!
Article Link: https://clickallthethings.wordpress.com/2020/09/16/trickbot-activedocument-words-is-the-word/