On first run the Office document crashes, and when you open it again you can tell right away that the file is a suspicious one.
fig. 1 - the malicious document
During my initial analysis I removed the page color of the document to check whether it hid anything interesting, or a hint for analyzing the macro. It did: the page contains an ActiveX control object that is hidden in the original document because it is the same blue as the page background.
fig. 2 - the hidden ActiveX control object
So I checked the VBA code from the Developer menu, and my initial read was right: the macro uses the ActiveX control's Sub InkPicture1_Painted() event handler to trigger its malicious code. The Painted event fires when the control is drawn, so the document does not need the user to click anything.
fig. 3 - the ActiveX control event handler
But it does not end there: the file also uses a UserForm to execute its malicious VBA code. At first glance the form seems to require human interaction to execute the suspicious function sidfi(), which is called from the private sub TextBox3_Change(). That event handler fires whenever the value of TextBox3 changes.
fig. 4 - the UserForm and its trigger
fig. 5 - I modified TextBox3 to test and trigger the interesting function
If that is the case, how does the macro execute automatically when TextBox3 has to change before the handler fires? The answer is in Sub InkPicture1_Painted(): it calls the test3 function with the parameter "toto".
Demystifying the macro code flow:
The test3 function writes the string "toto" into TextBox3 if UserForm1.Label1 equals 1. Because the value of TextBox3 has now changed, TextBox3_Change() fires and calls sidfi(), which decodes the encoded strings using the decoding string table stored in TextBox1 and a constant value of 5. A write to the control from code raises the Change event exactly as typing into it would, so no user interaction is needed anywhere in the chain. Below is the execution of its code.
fig. 6 - the macro code flow
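To make the trigger chain concrete, here is an added Python triage script; it is not from the original post and it is not the malware's code. It runs over a constructed VBA module modelled on the flow above (the control names, the Label1 check and the dec() helper are assumptions for illustration): it finds event handlers that fire without user interaction, builds a call graph that also treats a code write to a control's Text/Value property as a call to that control's _Change handler, and reports which procedures on the reachable path execute something.

```python
import re
from collections import deque

# Constructed VBA sample modelled on the chain described in the post; it is
# not the macro from the document. Control names, the Label1 check and the
# dec() decoder call are assumptions for illustration.
SAMPLE_VBA = '''
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Object)
    test3 "toto"
End Sub

Sub test3(s As String)
    If UserForm1.Label1.Caption = "1" Then
        UserForm1.TextBox3.Text = s
    End If
End Sub

Private Sub TextBox3_Change()
    sidfi
End Sub

Private Sub sidfi()
    Dim cmd As String
    cmd = dec(UserForm1.TextBox2.Text, UserForm1.TextBox1.Text, 5)
    Shell "powershell -w hidden -c " & cmd, vbHide
End Sub
'''

# Procedure boundaries: header line, body, then End Sub / End Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:Private[ \t]+|Public[ \t]+)?(?:Sub|Function)[ \t]+(\w+)[ \t]*\([^\n]*\)[^\n]*\n"
    r"(.*?)^[ \t]*End[ \t]+(?:Sub|Function)[ \t]*$",
    re.S | re.M | re.I)

# Handlers that run with no user action: document/workbook open events and
# control events the host raises while rendering or loading a form.
AUTO_EVENT_RE = re.compile(
    r"^(?:Document_Open|AutoOpen|Auto_Open|AutoExec|Workbook_Open"
    r"|\w+_Painted|\w+_Initialize|\w+_Activate)$", re.I)

# Assigning a control's Text/Value from code raises its Change event.
CONTROL_WRITE_RE = re.compile(r"(\w+)\.(?:Text|Value)[ \t]*=", re.I)

# Calls that execute or download something.
SUSPICIOUS_RE = re.compile(
    r"\b(?:Shell|CreateObject|WScript\.Shell|powershell|cmd\.exe|URLDownloadToFile|XMLHTTP)\b",
    re.I)


def parse_procs(vba):
    """Map procedure name -> body text, in source order."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}


def call_graph(procs):
    """Direct calls, plus implicit edges from control writes to <Control>_Change."""
    by_lower = {n.lower(): n for n in procs}
    graph = {n: set() for n in procs}
    for name, body in procs.items():
        for callee in procs:
            if callee != name and re.search(rf"\b{re.escape(callee)}\b", body, re.I):
                graph[name].add(callee)
        for ctl in CONTROL_WRITE_RE.findall(body):
            handler = by_lower.get(f"{ctl}_change".lower())
            if handler:
                graph[name].add(handler)
    return graph


def reachable(graph, start):
    """Breadth-first list of procedures reached from start, start first."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for nxt in sorted(graph[cur]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def auto_triggers(procs):
    """Handlers that fire without user interaction."""
    return [n for n in procs if AUTO_EVENT_RE.match(n)]


def triage(vba):
    """For each auto-firing handler: (execution chain, procedures in it that execute something)."""
    procs = parse_procs(vba)
    graph = call_graph(procs)
    report = {}
    for trig in auto_triggers(procs):
        chain = reachable(graph, trig)
        hits = [p for p in chain if SUSPICIOUS_RE.search(procs[p])]
        report[trig] = (chain, hits)
    return report


if __name__ == "__main__":
    for trig, (chain, hits) in triage(SAMPLE_VBA).items():
        print(f"{trig}: {' -> '.join(chain)}   executes via: {', '.join(hits)}")
```

On a real sample, feed the script the VBA source extracted with olevba (or any other extractor) instead of SAMPLE_VBA. The implicit control-write edge is the part that matters for this document: without it, TextBox3_Change looks like an interactive dead end, and with it the path Painted -> test3 -> TextBox3_Change -> sidfi shows up as one fully automatic chain.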
As the payload, it executes two PowerShell commands that download TrickBot onto the infected machine.
fig. 7 - the malicious PowerShell