URSNIF Malicious Macro Document using InlineShape.AlternativeText to hide payload

This macro technique was also used by other malware such as IcedID. The technique is quite simple but very effective at hiding the malicious code from AV detection.

Macro Code:

As we go through its macro code, a bunch of “Debug.Print” commands welcome us. Those lines are actually garbage or dummy code, added to make the macro look complicated and hard to read, as in the screenshot below.


figure 1: the macro dummy/garbage code.

The main code that this macro actually executes relies on the built-in VBA property InlineShapes.AlternativeText. Based on Microsoft's documentation, it returns or sets a String that represents the alternative text associated with a shape in a web page (read/write).

In this case it returns the actual PowerShell script that downloads the URSNIF malware.

figure 2 : main code of this macro malware


figure 3: the actual powershell script that this macro tries to execute


Upon decoding the base64-encoded PowerShell script, you can easily see what it tries to do: it downloads a malicious executable from its C&C server and drops it in the common %appdata% folder as “GNsstGv.exe”.

figure 4: decoded powershell script
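Because the payload never appears in the VBA itself, static triage has to look where the macro looks: at the alternative text stored on the document's inline shapes. The following Python script is an added example, not code from the original post or from the URSNIF sample; it assumes the document is in OOXML form (.docx/.docm), where Word stores InlineShape.AlternativeText as the descr attribute of the wp:docPr element. It pulls every alt text out of the word/ parts, checks whether it looks like a PowerShell command line, and decodes a base64 -EncodedCommand argument (UTF-16LE) the way figure 4 does by hand. The document and the "payload" it builds are constructed fixtures: a harmless Write-Output script stored the same way the macro stores its real one.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces used by Word for inline drawings; wp:docPr carries the
# alt text (its "descr" attribute) that InlineShapes(n).AlternativeText reads.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
WP_NS = "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"


def extract_alt_texts(docx_bytes: bytes) -> list:
    """Return every non-empty alt text stored on a drawing in the word/ parts of a .docx."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # document.xml plus any headers/footers; all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for doc_pr in root.iter(f"{{{WP_NS}}}docPr"):
                descr = doc_pr.get("descr")
                if descr:
                    found.append(descr)
    return found


# Matches -e / -enc / -EncodedCommand followed by a base64 token.
ENCODED_CMD_RE = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text: str):
    """If text carries a PowerShell -EncodedCommand argument (base64 of a UTF-16LE
    script), return the decoded script; otherwise return None."""
    m = ENCODED_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_docx(docx_bytes: bytes) -> list:
    """Flag alt texts that look like command lines rather than image descriptions."""
    findings = []
    for alt in extract_alt_texts(docx_bytes):
        decoded = decode_encoded_command(alt)
        suspicious = decoded is not None or "powershell" in alt.lower()
        findings.append({"alt_text": alt, "decoded_script": decoded, "suspicious": suspicious})
    return findings


def build_sample_docx(alt_text: str) -> bytes:
    """Construct a minimal .docx with one inline picture placeholder whose alt text
    is alt_text. This is a constructed test fixture, not the real malicious document."""
    safe_alt = escape(alt_text, {'"': "&quot;"})
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:wp="{WP_NS}"><w:body><w:p><w:r><w:drawing>'
        f'<wp:inline><wp:docPr id="1" name="Picture 1" descr="{safe_alt}"/>'
        '</wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: a harmless script stored the way the macro stores its payload.
SAMPLE_SCRIPT = "Write-Output 'constructed sample - not a real payload'"
SAMPLE_ALT_TEXT = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for finding in triage_docx(build_sample_docx(SAMPLE_ALT_TEXT)):
        print(finding)
```

To run it against a real sample, replace build_sample_docx(...) with the bytes of the suspect file. Note that this only covers OOXML containers; for legacy binary .doc files the alt text sits in the OLE stream and needs an olefile-based parser, and an empty result from this script is not a clean bill of health.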

Article Link: https://tccontre.blogspot.com/2019/05/ursnif-malicoius-macro-document-using.html