Macro Code:
As we go through to its macro code, a bunch of "Debug.Print" command will welcome us. but actually those code are garbage or dummy code to make its macro code looks complicated and hard to read like the screenshot below. |
| figure 1: the macro dummy/garbage code. |
But actually the main code that this macro code will execute is the builtin VBA command InlineShapes.AlternativeText. base on Microsoft documentation it is a function that return or sets a String that represents the alternative text associated with a shape in a webpage. Read/write.
In this case it will return the actual powershell script that will download the actual URSNIF malware.
 |
| figure 2 : main code of this macro malware |
 |
| figure 3: the actual powershell script that this macro tries to execute |
upon decoding the base64 encoded Poweshell script, you can easily see what it tries to do. It will download a malicious executable to its C&C server and drop in common %appdata% as "GNsstGv.exe".
 |
| figure 4: decoded powershell script |
IOC:
Sha1: abf7656a677a250bdfd47ffebf6851b35b94b028Sha256: 0cd3c30d9da5be2c53d70bf75ca150b0c2a1fe7ab886cf725fd82c263b440fd3
md5: 56b6872f4e37ea81dfae9d1f6ef4224d
url: hxxp[:]//quo75fbm.club/skoex/po2.php
