Payload instance analysis: Encrypted malicious documents
The malicious Office document we analyze today is a downloader: 2ELJ2E1OPJ0OT.doc
The oledump output shows that the document contains a VBA macro, but the plug-in we normally use cannot extract a URL from it.
So we use a new plug-in: plugin_vba_dco. This plug-in searches for Declare statements and CreateObject calls, and then for calls to the declared functions and created objects:
In the upper part of the output (1), each line contains the Declare or CreateObject keyword; the lower part (2) lists the calls to the declared functions or created objects.
Although the code is obfuscated (strings and variable names), the plug-in output lets us easily guess that Ci8J27hf2 is probably an XMLHTTP object.
The open method of the XMLHTTP object takes three parameters: the HTTP method, the URL, and a Boolean (asynchronous or synchronous call):
We can see that the last parameter is False. The first two parameters are the return values of the IpkfHKQ2Sd function. This function takes two parameters, both strings: the first is built by concatenating Chr calls, the second is a literal text string. Because the open method needs the HTTP method and the URL as strings, it is very likely that IpkfHKQ2Sd is a decoding function: it takes two strings that are meaningless to us as input and returns a meaningful string.
The following is the original IpkfHKQ2Sd function:
The following is the same function after deobfuscation. The function name is unchanged, but the useless code has been removed, the variables have been renamed, and indentation has been added:
From this we can see that the function uses a key (sKey) and the XOR operation to decode an obfuscated string. At the same time, we know that this is purely a string-processing function: it contains no malicious or dangerous statements or function calls. Therefore it is safe to run in the VBA editor, and we do not need to port it to another language.
Next, we use this deobfuscated function in a new window to decode the URL parameter:
In the new window of the VBA editor we have the IpkfHKQ2Sd function and a test subroutine that calls it and displays the decoded string with MsgBox. Executing this subroutine gives us the URL:
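The same decoding step, reproduced outside of Office as an added example (this is not the author's code and not the macro's actual routine). It assumes that IpkfHKQ2Sd is a repeating-key XOR over the characters of the first argument with the second argument as key; the real function may differ in detail, so treat this as a template to adapt after reading the deobfuscated VBA. The Chr() expression, the key and the URL below are constructed sample values, not the ones from this document.

```python
import re

# Matches one Chr(n) call in a VBA expression such as Chr(104) & Chr(116) & ...
CHR_CALL = re.compile(r"Chr\(\s*(\d+)\s*\)")


def eval_chr_concat(vba_expr: str) -> str:
    """Evaluate a VBA 'Chr(n) & Chr(n) & ...' expression to the string it builds."""
    codes = [int(n) for n in CHR_CALL.findall(vba_expr)]
    if not codes:
        raise ValueError("no Chr() calls found in expression")
    return "".join(chr(c) for c in codes)


def xor_decode(obfuscated: str, key: str) -> str:
    """Repeating-key XOR (assumed model of IpkfHKQ2Sd; XOR is its own inverse)."""
    if not key:
        raise ValueError("empty key")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(obfuscated))


def decode_call(chr_expr: str, key_literal: str) -> str:
    """Mirror a call IpkfHKQ2Sd(<Chr expression>, "<key>") as seen in the macro (assumption)."""
    return xor_decode(eval_chr_concat(chr_expr), key_literal)


def build_chr_expr(text: str) -> str:
    """Reverse of eval_chr_concat; used only to construct the sample below."""
    return " & ".join(f"Chr({ord(c)})" for c in text)


# --- constructed sample input (hypothetical key and URL, not from the analysed document) ---
KEY = "sKeyDemo"
PLAIN_METHOD = "GET"
PLAIN_URL = "http://example.invalid/image.jpg"
# The obfuscated arguments as they would appear in the macro: Chr() concatenations.
OBF_METHOD_EXPR = build_chr_expr(xor_decode(PLAIN_METHOD, KEY))
OBF_URL_EXPR = build_chr_expr(xor_decode(PLAIN_URL, KEY))


def recover_open_arguments() -> tuple[str, str]:
    """Decode both arguments of XMLHTTP.open the way the test subroutine does with MsgBox."""
    return decode_call(OBF_METHOD_EXPR, KEY), decode_call(OBF_URL_EXPR, KEY)


if __name__ == "__main__":
    method, url = recover_open_arguments()
    print(f"{method} {url}")
```

To apply this to a real macro, paste the two argument expressions from the open call into OBF_METHOD_EXPR and OBF_URL_EXPR and the literal key into KEY; if the decoded output is not readable, the XOR scheme in the deobfuscated VBA differs from the assumed one and xor_decode must be adjusted to match it.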
Download this file. We can see that it is not a JPEG file, but it is not an EXE file either:
Searching for .responseBody in the VBA code, we can see that the downloaded file is passed to the IpkfHKQ2Sd function as a parameter:
This means that the downloaded file is also encoded and obfuscated, and also has to be decoded by the IpkfHKQ2Sd function (but with a different key).
To decode this file in our workbook, we need to load it into the workbook, decode it, and save the decoded file. The FileContainer.xls tool can do this. First, load the file into the workbook.
FileContainer supports file conversion: we use command C and press the Process Files button.
The following is the default conversion function, which does not change the file: the output is equal to the input.
To decode the file, we need to update the conversion function so that it calls the decoding function IpkfHKQ2Sd.
Then, after converting the file, we get an EXE file.
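The file-decoding step (the "not a JPEG, not an EXE" check before decoding and the EXE check after) as an added example, not the author's FileContainer conversion function. It uses the same assumed repeating-key XOR as model of IpkfHKQ2Sd, this time over bytes and with a second key; the key and the blob are constructed sample values (a few header bytes that only look like the start of an executable, not a real program).

```python
from pathlib import Path

# Magic numbers used to classify the blob before and after decoding.
MAGICS = {
    b"\xff\xd8\xff": "JPEG",
    b"MZ": "EXE (MZ header)",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/OOXML",
}


def identify(data: bytes) -> str:
    """Return the file type name for a known magic prefix, else 'unknown'."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def xor_decode_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-level repeating-key XOR (assumed model of IpkfHKQ2Sd applied to responseBody)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_download(blob: bytes, key: bytes) -> tuple[str, str, bytes]:
    """Classify the blob, decode it with the file key, classify the result again."""
    before = identify(blob)
    decoded = xor_decode_bytes(blob, key)
    after = identify(decoded)
    return before, after, decoded


# --- constructed sample: MZ and PE signatures only, padded with zeros (not runnable code) ---
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
FILE_KEY = b"otherKey"  # hypothetical second key taken from the macro
DOWNLOADED_BLOB = xor_decode_bytes(FAKE_EXE, FILE_KEY)  # what the URL would have served


def convert_file(src: Path, dst: Path, key: bytes) -> tuple[str, str]:
    """Disk version of the FileContainer 'conversion' step: read, decode, write."""
    before, after, decoded = decode_download(src.read_bytes(), key)
    dst.write_bytes(decoded)
    return before, after


if __name__ == "__main__":
    before, after, _ = decode_download(DOWNLOADED_BLOB, FILE_KEY)
    print(f"before decoding: {before}; after decoding: {after}")
```

If the decoded output still identifies as unknown, either the key is wrong or the XOR variant differs from the assumed one; comparing the first bytes of the output with the expected MZ header is the quickest way to spot which.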
This file is finally confirmed as a Dridex Trojan: lameACM
Postscript
Reusing code from malware is very dangerous unless you know exactly what it does. We used the deobfuscated VBA function IpkfHKQ2Sd to quickly decode the downloaded file, but only because it is certainly not malicious. The deobfuscation process gave me the opportunity to look at every statement, understand the code, and conclude that this function is not dangerous. We could also have used the obfuscated function as it is; in fact, that would have been a risk, because we would not know what the obfuscated function actually does.