Sha1: 98010df0a368151f9d831d3e18e957137600d142
Filename: Purchase Order _ 5894568.doc1.bin
I found a macro malware sample delivered by the spam campaign that ran on October 10, 2017, and the technique it used to hide its encoded code was interesting.
At first glance the document already looks suspicious: it contains only the picture shown in fig. 1 and asks the user to enable macros to see the document.
fig. 1: common macro social engineering approach
Using Didier Stevens' tool oledump.py, I did a quick static analysis and confirmed that the document contains macro code.
fig. 2: macro code
So I looked deeper into the macro code and found an interesting trick for hiding the base64-encoded script in the document itself: it stores it in BuiltInDocumentProperties("Comments"). The macro reads a substring of a specific length from that property, concatenates it with another base64-encoded string to form the full script, and then executes the result with powershell -e.
fig. 3: b64 encoded script
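A triage helper for the hiding technique described above, added here as an example and not part of the original analysis: it scans a document's Comments metadata string for long base64 runs and decodes each one the way powershell -e (-EncodedCommand) would, as base64 of UTF-16LE text. The Comments value and the harmless command inside it are constructed for this example.

```python
from __future__ import annotations
import base64
import re

# Constructed sample of a Comments metadata value: filler text around a base64 blob.
# The blob is the UTF-16LE encoding of a harmless PowerShell command, which is the
# form `powershell -e` accepts. (Assumption: the real macro read this value through
# BuiltInDocumentProperties("Comments"); the value here is invented for the example.)
HARMLESS_COMMAND = "Write-Output 'constructed sample'"
CONSTRUCTED_COMMENTS = (
    "Approved by accounting. "
    + base64.b64encode(HARMLESS_COMMAND.encode("utf-16-le")).decode("ascii")
    + " Thanks."
)

# A base64 run long enough to be worth decoding; short tokens are mostly noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_encoded_command(blob: str) -> str | None:
    """Decode base64 the way powershell -e does: base64 -> UTF-16LE text.
    Returns None if the blob is not valid base64 or not printable UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) % 2:          # UTF-16LE needs an even byte count
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def scan_comments_property(comments: str) -> list[dict]:
    """Find long base64 runs in a metadata string and try to decode each one.
    Each hit records the offset and length of the blob, which is exactly what a
    macro slicing the property with Mid() would need and what an analyst can
    cross-check against the VBA."""
    hits = []
    for m in B64_RUN.finditer(comments):
        hits.append({
            "offset": m.start(),
            "length": len(m.group(0)),
            "decoded": decode_encoded_command(m.group(0)),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_comments_property(CONSTRUCTED_COMMENTS):
        print(hit)
```

On a real sample the Comments value would come from the document's SummaryInformation stream (for instance via oledump.py or olefile) rather than from the constructed string.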
Decoding the base64 string produces an obfuscated script, shown in fig. 4. Deobfuscating it with a small Python script shows that it downloads an .exe file from a malicious URL, saves it in %temp%, and then executes it without the user's consent.
fig. 4: obfuscated script

fig. 5: decrypted script