This shows that the attacker took some time to research separate communications and specifically targeted certain users to where he/she would be able the exploit their trust.
The malicious document in questions was called “OAC_Request.doc” and while it seemed legitimate there was one thing that stood out and should have raised a red flag upon opening the document.
The second we see a document showing an image like this with the instructions of clicking “Enable Editing” or “Enable Content” then we instantly know there is a malicious macro attached.
NOTE: The image above doesn’t show the yellow “Enable Editing” button as this was a screenshot from Hybrid Analysis and macros are enabled there to allow for dynamic analysis of the macro.
 Malicious Document - SHA256:f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47
Alright, now that we have our hands on the Malicious Document we need to safely extract the macro to see what its doing.
There is actually an amazing tool that we can use for this called oledump.py which was created by Didier Stevens and allows us to analyze OLE files and the stream of data contained in them.
But for oledump to work, make sure you have Python 2.7.14 installed on your Windows VM. Once installed open up a Command Prompt and navigate to the folder where you downloaded and extracted oledump. Also, make sure to move over the malicious document that you want to analyze into that folder as well.
From our command prompt we can simply run
oledump.py along with the name of the malicious file to view all the streams.
The letter “M” next to the steam indicates that the stream contains a VBA Macro. In this case it’s stream A3.
Once we know which stream contains the VBA macro, we can dump its contents with the
-s switch followed by the stream number.
At this point you might be thinking… “Crap, its junk!” but don’t worry, it really isn’t. The source code of VBA macros is compressed when stored inside a stream. So what we can do is use the
-v switch to decompress the VBA macros and we should see the source code!
Awesome! We got the source code of the macro. An initial look over it shows that the variables have weird names, this is done for obfuscation and to throw off anyone trying to analyze the macro.
Some might suggest to try and decode the variable names, or other stuff… but don’t worry about that at all. We can keep the variables as is and just simply debug the VBA Macro to see what the code does.
To start, open up MS Word and press ALT+F11 to open up the MS VBA Console. This will allow us to paste in the macro and debug it.
Once we have that open, copy the whole macro but without the attributes. In this case we copy everything from
Sub AutoClose() as shown below.
Let’s take a quick look at the first few lines of the macro to see what it does.
We can see that an Array called
roans is established. Next the author create a new variable called
totoro and sets it to
ceraunogram which takes in the
We can assume that
ceraunogram is some sort of sub procedure for this macro and that it’s output is the malicious command.
The next line verifies our assumption, as we can see that
Application.Run is being called against another sub procedure
chillumchee which starts up a VBA Shell and executes
Just note that when debugging, make sure you don’t execute or step-through the
Application.Run command if you’re doing this outside of a Isolated VM, as that will execute the macro.
Now that we know how the macro initially works, we can utilize something called the Watch Window in VBA.
The watch window can be used to inspect the state of a variable. The malicious macro in this document stores de-obfuscated information in global variables and then uses this de-obfuscated information in later variables.
We can use this watch window to “watch” for how the variables change, and what malicious code is initially de-obfuscated to be used by the macro.
If you click on the Watch Window icon, the watch window will be displayed at the bottom of the vba console. To add a variable to the watch window, right-click on any variable in the code window, and select Add Watch.
We’ll start by adding a watch entry for the global variable
Once done, you should get a pop up window for the expression you want to add. Go ahead and click “OK”.
After that, if you look toward the bottom of the screen to the watches window, you should see your expression there and it’s current value.
Ok, so we now have a new expression that we can watch. But before we add anymore expressions let’s step into the macro to start debugging it.
To step in, simply press F8.
Press F8 a few more times till we step into the
ceraunogram function, or whatever the first function is if you’re analyzing a different malicious macro.
Once in the function let’s add
erasable into our watch window before we continue.
Alright, let’s quickly analyze this function.
We can see that there are two new array’s established,
roughhoused. We also see that erasable is set to a Null String, and also see that at the end of the function
erasable is called again but this time against the StrReverse function. The reversed string is then set to the
At this point I can fully assume that
ceraunogram will be our malicious command.
Let’s go ahead and step in a little till we get to the
For Each loop.
Here we see that for each
paraphrenic or I guess we can call “item” in the
roans array we run another function called
trinely which takes in the item from the
roans array, and also takes the
malope array as a parameter.
The output of that is then set to the expression
ore which seems to be an integer based on the next line. Afterwards,
erasable is set to equal an element from the
roughhoused array whose position in the array is declared by the
This loops seems to go through multiple times and is constantly added to the start of
Right - from here we can step in 2 more times and see what the
trinely function does.
Quickly looking over it we see that this function is pretty similar from the one before. This one takes an element (
drolled) from the
preludium array which technically is the
malope array and steps through till the letter in the
malope array is the same as the one in the
germaneness array which is the current element in the
If it is, there is some math done, and the integer is passed onto
ore in the previous function, which then pulls an element from the
roughhoused array and sets it to
I know that this might seem confusing right now, and that’s the whole point of this macro - it’s to make it hard to decode and understand it.
Okay, enough explaning. Let’s make sure we add
russophobist into our watch window and let’s see this in action.
Right away we can see that
germaneness is set to “d” which is the first element in the
roans array. If we step through a few times we can see that
drolled changes it’s element from the
Alright - so we have a little understanding of what’s going on. Let’s keep stepping through till we get to the
At this point, if we take a look at the
erasable expression in the Watches window, we will see that it’s currently set to “m”.
From here if we keep stepping through we should see more letters being added to the
I have added a small video below that demonstrates me stepping through the macro. Pay attention to how the expressions variables change and how they start forming a command in the
erasable variable. Toward the end I just held down F8 to step-in faster just to show you the initial start of the command.
NOTE: I suggest that you open this video in a new tab to better see what’s going on.
After a few hundred or so step-ins we can see that
erasable forms the word “.athsm”. And if we reverse that, just like macro does we get “mshta.”.
So from the gist of it we already know that this command will be utilizing the mshta Windows exe which is used to execute .HTA files.
Alright, now that we know that, we now need to find out where the HTA file is being downloaded from.
From here, we set a break-point on the
ceraunogram function where the string reverse takes place.
We can set a break-point by just clicking to the left of the line. A red dot with a red highlight will show up, acknowledging that the break-point has been set.
One we have that in place, press F5 to continue macro execution. The macro should stop directly on our break-point.
After that’s done, let’s take a look at our watch window, and we should see that the
ceraunogram expression contains the malicious mshta command.
This shows that mshta.exe reaches out to the malicious URL and downloads our malicious HTA file.
Now that we know what our macro does, we can go ahead and close out the debugging window as we don’t need it anymore.
At this point, we need the HTA file to see what other commands are executed. To do so, I utilized Hybrid Analysis again to download a copy of the dropped HTA file.
A quick look at the code we can see that the function
lopomeriara contains our malicious command. We can see that the decodeURIComponent function is being used which will decode the URL encoding to ascii and then replace is used to remove all whitespaces.
This in turn changes
Okay - so we are making progress! This HTA file seems to be executing some sort of PowerShell command on the device after the macro is ran.
What we need to do now is decode the
lopomeriara variable in full. To do so, I utilize NodeJS which is installed on my Windows VM.
Simply start NodeJS by typing in
node in your Command Prompt and then just paste in the variable.
After that’s done, simply run the console.log function against the
lopomeriara variable and this will give us the output of the PowerShell command!
Awesome! So we were able to find out what the malicious macro was doing, and we now know that the PowerShell command executed by mshta downloads 2 more files, saves them as executables and executes them.
At this point I ran the URL’s from the PowerShell command through VirusTotal to see what AV’s detect it, and what kind of malware this is.
At the same time I uploaded the executable to Hybrid Analysis to have some dynamic analysis done on the exe’s.
Initially we can see that this exe is being detected as Gozi and Ursnif.
 Malicious EXE - SHA256:a12830390ff7a7c52aaea328bfb990937dd2743475cad44a1ab458159000514b
Further analysis of this exe in Hybrid Analysis shows us more HTTP and TCP traffic which can server as IOCs for us.
At the same time we can download a PCAP of the network traffic from the exe’s which can also help us in identifying IOCs.
These IP’s can then be added to our firewall to prevent any outbound connection in case an infection occurred.
So just a quick recap on what we did.
At this point what we can do is blacklist the URL’s and the certain IP’s on our firewalls, and even write YARA/NSM signatures to detect and prevent this malicious document from downloading and executing the files.
Simply by just blacklisting the URL’s where the files are downloaded makes this malware useless.
Well, that’s pretty much it! It’s not too complicated and any Blue Teamer can do this to quickly learn what a Malicious Macro is doing.
Question, or comments? Just leave them below and I will try my best to answer them or clarify anything!
Thanks for reading!
Leave a Comment