This approach may not be new, but it is still effective and a good example of hiding code from file-based detection, and even from behavioral detection that looks for specific patterns in the command line (for example, Sysmon rules), without using an encryption algorithm or an obfuscation engine to hide the main code.
So let's start!
The Macro Code: As usual, the macro code is obfuscated to make static analysis difficult and to bypass heuristic file-based detection.
|fig. 1 - obfuscated macro code|
The Malicious CMD script: At first glance the batch script extracted in fig. 2 looks like nonsense or ciphertext, but it is neither. The script is simply stored in reverse and padded with the cmd.exe escape character "^".
|fig. 2 - obfuscated batch script|
The first part of the batch script invokes cmd.exe with '/V' (i.e. '/V:ON'), which enables delayed environment variable expansion, and '/C', which tells cmd.exe to run the remainder of the command line as a command and then exit. That remainder is a chain of commands, usually separated by "&" or "&&". Delayed expansion is what the reversing loop relies on: it reads the stored string one character at a time inside a for loop, and a variable read inside a loop body only reflects the current value when it is written as !var! and expanded at execution time.
|fig. 3 - the loop that reverses the string.|
So, with a short Python script, we can normalize this quickly.
|fig. 4 - python script to normalize the obfuscated batch script|
|fig. 5 - output of python script|
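The normalization described above, written out as an added example rather than the script shown in fig. 4. It assumes the same two layers as the extracted batch file (a string stored backwards, with carets sprinkled in) and applies the two steps in the order cmd.exe would undo them: reverse the blob, then resolve the caret escapes. The sample payload is constructed for the example and is not the command from the original sample; the caret handling follows cmd.exe's own rules, including the caveat that a caret inside a double-quoted section is literal rather than an escape, so a regex that just deletes every "^" can produce a different string from what cmd.exe actually runs.

```python
"""Normalize a cmd.exe payload that was stored reversed and caret-escaped.

Added example, not the script from the original post. The batch file keeps
the command backwards and lets cmd.exe's own loop reverse it at run time;
the carets are never removed by the malware, cmd.exe simply parses through
them. This script reproduces both steps so the command becomes readable.
"""


def reverse_payload(blob: str) -> str:
    """Undo the string reversal the batch loop performs at run time."""
    return blob[::-1]


def strip_caret_escapes(cmdline: str) -> str:
    """Resolve cmd.exe caret escapes the way the parser does.

    Outside double quotes, '^x' yields the literal character x (so '^^' is
    one '^'). Inside a double-quoted section the caret is not an escape and
    is kept as-is. A caret at the very end of the line is also kept, since
    cmd.exe treats it as a line continuation rather than an escape.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])  # take the escaped character literally
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize(blob: str) -> str:
    """Reverse first, then unescape: the order the batch loop implies."""
    return strip_caret_escapes(reverse_payload(blob))


# Constructed sample (benign): a command with carets stuffed into the
# executable name and one switch, then stored reversed like the real script.
CLEAN = 'p^o^w^e^r^s^h^e^l^l -n^o^p -c "Write-Output ^hi"'
OBFUSCATED = CLEAN[::-1]

if __name__ == "__main__":
    print("stored   :", OBFUSCATED)
    print("reversed :", reverse_payload(OBFUSCATED))
    print("readable :", normalize(OBFUSCATED))
```

Note that the "reversed" line is already what cmd.exe executes: a string search for the plain executable name fails against both the stored form and the reversed form, which is the whole point of the technique.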
After reversing the malicious script the code becomes readable, especially once the escape character "^" is removed. The interesting part is that the script itself only reverses a portion of its code and then executes it without removing the escape characters. Why does that work? Because cmd.exe can still execute a command line that contains them: "^" is cmd.exe's escape character, meaning the character that follows it is treated literally, so "e^c^h^o" is parsed and run as "echo". A signature that looks for the plain keyword never sees it, while cmd.exe does.
|fig. 6 - cmd example|
Conclusion: The technique above shows how malware authors make use of whatever the Windows system already provides to bypass detection (in this case, plain string matching). Detection that does not depend on the literal string can still catch it: ML classifiers that use these characteristics (for example caret density) as features, behavioral detection, and Sysmon rules based on regexes or on counting the occurrences of "^" in the command line. :)
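As an added example of the "character existence count" idea from the conclusion (not code from the original post), the following scores a process command line by caret density and by two structural indicators that the technique needs: cmd.exe started with delayed expansion, and a for /L loop. The thresholds and the indicator regexes are assumptions chosen for illustration; the sample command lines are constructed, not taken from the sample in the post. Legitimate batch files do use carets (to escape "&", "|" or ">" for instance), so a single caret never fires; only a dense run of them does, and the threshold should be tuned against your own baseline before it goes into a Sysmon or SIEM rule.

```python
"""Score a command line for caret-based obfuscation.

Added example. Works on the raw command line as logged by Sysmon event ID 1
or similar, so it sees the carets whether or not the payload is reversed.
"""
import re

# Assumed cut-offs for the example; tune against a baseline of real traffic.
MIN_CARETS = 8
CARET_RATIO_THRESHOLD = 0.10

# Assumed indicators: cmd.exe launched with /V (delayed expansion) and a
# for /L counting loop, which the string-reversal loop needs.
DELAYED_EXPANSION = re.compile(r"(?i)\bcmd(?:\.exe)?\b[^&|]*?/v(?::on)?\b")
FOR_LOOP = re.compile(r"(?i)\bfor\s+/l\b")


def score_command_line(cmdline: str) -> dict:
    """Return caret statistics plus the list of indicators that fired."""
    carets = cmdline.count("^")
    ratio = carets / max(len(cmdline), 1)
    flags = []
    if carets >= MIN_CARETS and ratio >= CARET_RATIO_THRESHOLD:
        flags.append("caret_density")
    if DELAYED_EXPANSION.search(cmdline):
        flags.append("delayed_expansion")
    if FOR_LOOP.search(cmdline):
        flags.append("for_loop")
    return {"carets": carets, "ratio": round(ratio, 3), "flags": flags}


# Constructed sample command lines: one shaped like the technique, two benign.
SAMPLE_LINES = [
    "cmd.exe /V:ON /C for /L %i in (1,1,3) do echo ^a^b^c^d^e^f^g^h",
    "cmd.exe /C echo hello",
    "cmd /c echo 1 ^& echo 2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(score_command_line(line), "<-", line)
```

The caret count survives the reversal because reversing a string does not change how many carets it contains, which is why this kind of feature is robust where a keyword match is not.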