First Layer Payload:
The first layer of the payload decodes data stored at "J106" in a hidden worksheet named "YVKKB".
Figure 1: the first layer of the actual payload
Below is a snippet of the code showing how it parses that data and decrypts it to produce the 2nd layer of the payload.
Figure 2: decryption routine for the 2nd layer of the payload
2nd Layer of the Payload:
The next layer is a PowerShell script that decrypts the last layer of the payload and executes it. The PowerShell script is launched through "winmgmts:\\.\root\cimv2:Win32_Process" (the WMI Win32_Process class).
Figure 3: the 2nd layer of the payload
Last Layer of the Payload:
The last layer is C# source code that is compiled at run time with csc.exe; the compiled binary then downloads the actual malware payload. The compiled file is dropped in the %temp% folder and downloads from "hxxp://newsin.gr/PO--.exe".
Figure 4: the actual payload
Figure 5: the command used by this malware to compile the C# source code
IOC:
VT: https://www.virustotal.com/gui/file/0258c83e24291d57eb6367bcd961927ffb96545e93ca2041ab10aceaf49d3216/detection
SHA1: 512387b2bcc52aadfbb4169cf7df2b656ea9b790
MD5: a4582e8ec4456c6a3b03a09f266bd60a
SHA256: 0258c83e24291d57eb6367bcd961927ffb96545e93ca2041ab10aceaf49d3216
Payload URL: hxxp://newsin.gr/PO--.exe
Payload executable (VT): https://www.virustotal.com/gui/file/bb7ddc9f8b9de07a862d059db752019a8be247b7e491bbe7a36a154ae0be41ec/detection
Notes:
This macro malware technique tries to bypass the common detection of an Office document spawning a suspicious child process. Because it uses "winmgmts:\\.\root\cimv2:Win32_Process" to execute the PowerShell script, the resulting PowerShell process is a child of WmiPrvSE.exe (the WMI provider host), not of the Office document's own process.
Figure 6: bypassing the parent-child process detection
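Detection logic for the parent-child relationship described in the note above, as an added example that is not part of the original post: it scans Sysmon-style process-creation records for PowerShell started by WmiPrvSE.exe and for a csc.exe compile into %temp% launched by that PowerShell. The sample events, process IDs and paths are constructed, and the rule names are my own.

```python
"""Process-creation detection for the chain described above (added example,
not the post's code). Input records are constructed, Sysmon Event ID 1 style
dicts using the real field names Image, ParentImage, CommandLine, ProcessId
and ParentProcessId; events are assumed to arrive parent-before-child."""
import ntpath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"

# Constructed sample log: WmiPrvSE.exe (the WMI provider host) spawns PowerShell
# because the macro used Win32_Process, then PowerShell compiles C# with csc.exe
# into %temp%. The last record is a benign interactive PowerShell for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 4020, "ParentProcessId": 4001, "Image": PS,
     "ParentImage": WMIPRVSE, "CommandLine": "powershell.exe"},
    {"ProcessId": 4044, "ParentProcessId": 4020,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": PS,
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\x.cmdline"'},
    {"ProcessId": 5000, "ParentProcessId": 1200, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

def _name(path: str) -> str:
    """Case-insensitive image file name, so path and casing variants match."""
    return ntpath.basename(path).lower()

def is_wmi_spawned_powershell(ev: dict) -> bool:
    """PowerShell whose parent is WmiPrvSE.exe instead of the Office process."""
    return (_name(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and _name(ev["ParentImage"]) == "wmiprvse.exe")

def is_temp_compile(ev: dict) -> bool:
    """csc.exe invoked with its response/output files under a Temp directory."""
    return _name(ev["Image"]) == "csc.exe" and "\\temp\\" in ev["CommandLine"].lower()

def detect_chain(events) -> list:
    """Return (rule, ProcessId) alerts; a csc.exe whose parent PID was already
    flagged as WMI-spawned PowerShell is reported as the complete chain."""
    alerts, flagged = [], set()
    for ev in events:
        if is_wmi_spawned_powershell(ev):
            flagged.add(ev["ProcessId"])
            alerts.append(("powershell_parent_wmiprvse", ev["ProcessId"]))
        if is_temp_compile(ev):
            rule = ("runtime_csc_from_wmi_powershell"
                    if ev["ParentProcessId"] in flagged else "csc_output_in_temp")
            alerts.append((rule, ev["ProcessId"]))
    return alerts
```

Running `detect_chain(SAMPLE_EVENTS)` flags the WMI-spawned PowerShell and its csc.exe child while leaving the explorer.exe-launched PowerShell alone; legitimate Add-Type usage will also compile into %temp%, so the standalone csc rule is a lower-confidence signal than the full chain.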
I hope you enjoy this blog post. :)