MS Word and Macros… Now With Social Engineering Malware
On December 11, one of our employees reported a phishing email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:
Once opened, the document’s contents are blurred, and it asks recipients to enable macros in order to view the document.
Once enabled, the macro kicks off by executing a batch script via cmd.exe, which then executes visual basic script, which in turn triggers a PowerShell script. (Figure 3.)
The batch file is responsible for pinging 22.214.171.124 twice, changing the console code to the Cyrillic script (chcp 1251), and running the second file, adobeacd-update.vbs. (Figure 4.)
Next, the VBS file runs a powershell script with the command seen in Figure 5.
The powershell code is where the malware is finally downloaded. First, the file downloads “x.exe” from the domain highlighted, then saves it to the system as the filename “444.exe”.
Next, the script grabs the path name of the above scripts, saves them to a variable, sleeps for 15 seconds, and runs “444.exe”.
Once executed, the powershell script attempts to clean up by removing the other scripts used to execute it.
By looking in Wireshark, we can see the file being downloaded in Figure 9.
While the malware is packed, we can find some interesting things about the malware by analyzing the memory. First, by grepping before and after “[tab”, we can see that this malware has key logging capabilities, will more than likely beacon out to “tdglomeme[d]eu”, attempt to POST to “/log/index.php”, and feed the information back containing the string “0USER0”. (Figure 10.)
By looking at the pcap (Figure 11) and decoding the data (Figure 12) we can see that the data is presented exactly as seen in the pcap.
We can see that the malware is capable of copying contents from the clipboard as well as logging keystrokes. This data is then POSTed back to the attackers domain.
For a Yara signature, the attackers included a “vbaProject.bin” file in the docx file. The following Yara rule can help to pick up variants that contain this:
$a1 = “PK”
$a2 = “word/_rels/vbaProject.bin”
$a1 at 0 and $a2
The word document has a very low detection rate (4/56) and can be found here: https://www.virustotal.com/en/file/a8ee9b6f3dfd02957d2f9f8abada269cbf7257a0d5745f2bae63c2a6892b83c5/analysis/