While reviewing the backlog of blogs and news articles that always accumulates over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but in that one the XLM macro was obfuscated and stored in a single cell of the spreadsheet. What piqued my interest here was that every cell's value was either empty or a float in the range 0.0 to 2800.0. Let's find a sample in our data and get it done!
Figure 1 – Analysis of VBA Macros
We can see from olevba and oledump that the spreadsheet contains VBA macro code and has a function triggered by an ActiveX event. Let’s see what
Figure 2 – hellioso VBA function
Much of the VBA code overlaps my previous analysis: loop over all cells containing constants (xlCellTypeConstants), perform some deobfuscation, split the resulting data on various special characters. What we are interested in is the deobfuscation technique, and this one is rather innovative.
Basically, a list is initialized, and then for each constant cell the float value selects the offset into that list to modify, while the cell's row number, mapped to an ASCII character, supplies the value written at that offset. The second half of the deobfuscated data (okd) must be the XLM macro, as each command is inserted into the spreadsheet and executed; this half is split on ] to separate the commands. The first half of the deobfuscated data (nnk(0)) is probably a list of URIs, since any ? in the XLM macro is replaced with a random element from this list; this half is split on $ to separate the URIs. If we dump the cells from this spreadsheet and load them into Python, we can quickly deobfuscate the code and dump any IoCs.
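The decoding logic described above, as an added example that is not the post's own script: cells are modelled as (row, column, float) tuples, the float is the offset into the output list, and the row is assumed to map to chr(row) (the post only says the row is "mapped to an ASCII character"). The separator between the URI list and the macro half is assumed to be "|", and the cleartext, URIs and commands are constructed placeholders, not indicators from the real sample.

```python
import random
import re
from typing import Callable, Dict, List, Tuple

# Constructed cleartext standing in for the sample's payload: a "$"-separated
# URI list, a separator (assumed "|"), then "]"-separated XLM commands.
CLEARTEXT = "hxxp://uri-a.invalid/x$hxxp://uri-b.invalid/y|=CALL(?)]=HALT()"


def encode_cells(text: str) -> List[Tuple[int, int, float]]:
    """Build constructed (row, col, value) cells: value = offset, row = ASCII code.
    Assumption: row number maps to chr(row). Shuffled to mimic a sheet walk."""
    cells = [(ord(ch), i + 1, float(i)) for i, ch in enumerate(text)]
    random.Random(1).shuffle(cells)
    return cells


def deobfuscate(cells: List[Tuple[int, int, float]]) -> str:
    """The float picks the offset in the output list; the row supplies the char."""
    buf = [""] * (1 + max(int(v) for _, _, v in cells))
    for row, _col, value in cells:
        buf[int(value)] = chr(row)
    return "".join(buf)


def split_payload(text: str, sep: str = "|") -> Tuple[List[str], List[str]]:
    """nnk(0): '$'-separated URIs; okd: ']'-separated XLM commands."""
    uris, macro = text.split(sep, 1)
    return [u for u in uris.split("$") if u], [c for c in macro.split("]") if c]


def resolve(commands: List[str], uris: List[str],
            pick: Callable[[List[str]], str] = random.choice) -> List[str]:
    """Every '?' in a command is replaced by a (randomly) chosen URI."""
    return [re.sub(r"\?", lambda _m: pick(uris), c) for c in commands]


def analyze(cells, pick=random.choice) -> Dict[str, List[str]]:
    """Recover the URI list (the IoCs) and the macro with '?' resolved."""
    uris, commands = split_payload(deobfuscate(cells))
    return {"iocs": uris, "macro": resolve(commands, uris, pick)}


if __name__ == "__main__":
    for key, val in analyze(encode_cells(CLEARTEXT)).items():
        print(key, val)
```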
Figure 3 – Loading and Deobfuscating the Data
Figure 4 – Deobfuscated XLM macro and IoCs
And the email that started it all.
Figure 5 – Original Email
Appendix – IoCs
| IoC Type | IoC Value |
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.