Extracting and decoding malicious macros

The sample used here is from a video by Karsten Hahn (@struppigel).

If you have not seen any of his videos before, I would highly recommend checking them out.

The video can be found here https://youtu.be/SCJVW1E8dFA

The sample can be found here at Hybrid-Analysis if you want to follow along.

In the video he shows a Base64 string that he extracts from the document using a hex editor, like this.

PSFromHex

After watching the video and locating the file, I wanted to take a deeper look at it and see how my methods would work at decoding this file.

I recently decided to try using "Apache OpenOffice" to do the macro extraction from documents, and it has worked.

When we first open the document we see this.

Warning

At least the default is to pop up a warning. After clicking "OK" we see this.

Document-1

That is actually a picture embedded in the document, not a popup window.

When we locate the macro we see this.

OpendMacro

A closer look in Notepad++.

Macro-1

That is kind of difficult to sort through, so let's clear out everything that does not appear to do anything. We end up with this.

CleanedMacro

That sure did cut a lot of junk out of the way.

So it looks like it is getting the value of the document's Comments property.

Comments

As you can see here, the Comments section is where the Base64 string gets extracted from.

And the full Base64 string.

FullB64

Most of the "Red Team Tools" use UTF-16 encoding, so we will try Base64 decoding the string as UTF-16.

After decoding I get this.

Bas64DecodeTool

A closer look.

B64Decoded

So what is this thing doing? If we take a closer look at the end we see this.

end

Normally what I see is hex separated by some type of filler delimiter characters that get removed.

Here we have decimal char codes using several different split chars between them, which the script turns back into normal characters. This is the first time I've seen this done, so here is another new tool to quickly overcome this type of encoding.

NewDecodeTool

All this new tool does is a string replacement for the various split chars used, replacing them all with just one, in this case a comma. Once you have a common split character you can split on that char, loop through the pieces, decode each char code, and return the string output.

We could have done a string replace one char at a time and ended up with something like this.

DelimReplace

After that we still have to decode the decimal char codes.
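The decoding chain described above (Base64, then UTF-16, then decimal char codes joined by several different split chars), as an added Python example; this is not the post's own tool, and the split character set and the encoded sample are constructed assumptions standing in for the real document's Comments value:

```python
import base64
import re

# Assumed set of split chars for the constructed sample; the post only says
# "several different split chars" were used, so adjust this to match the script.
SPLIT_CHARS = "*^#@!"


def decode_charcodes(text: str, split_chars: str = SPLIT_CHARS) -> str:
    """Normalise every split char (or run of them) to a comma, then turn each
    decimal char code back into a character, as the post's tool does."""
    pattern = "[" + re.escape(split_chars) + "]+"
    normalised = re.sub(pattern, ",", text)
    chars = []
    for token in normalised.split(","):
        token = token.strip()
        if not token:
            continue  # empty token from a leading/trailing delimiter
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r}")  # not a char code
        chars.append(chr(int(token)))
    return "".join(chars)


def decode_comment_blob(b64: str, split_chars: str = SPLIT_CHARS) -> str:
    """Base64 -> UTF-16LE text -> decimal char codes -> script text."""
    utf16_text = base64.b64decode(b64).decode("utf-16-le")
    return decode_charcodes(utf16_text, split_chars)


def build_sample(plain: str, split_chars: str = SPLIT_CHARS) -> str:
    """Constructed encoder used only to produce a harmless test blob in the
    same shape as the one in the post (cycles through the split chars)."""
    codes = [str(ord(c)) for c in plain]
    joined = "".join(code + split_chars[i % len(split_chars)]
                     for i, code in enumerate(codes))
    return base64.b64encode(joined.encode("utf-16-le")).decode("ascii")


# Constructed, benign stand-in for the document's Comments property.
SAMPLE_PLAIN = "Write-Host 'decoded sample'"
SAMPLE_B64 = build_sample(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(decode_comment_blob(SAMPLE_B64))
```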

Here is a closer look at the formatted script that was decoded.

FormatedScript

This script will reach out to the sites to download the file and save it under a random name.

I was not able to download the file directly today after extracting the URLs.

So we know it was a downloader, but we don't know what it would have downloaded if it had succeeded.

This had piqued my interest because of the multiple split chars used between char codes, and the fact that they did not use the macro to store the Base64 string but hid it in the document's Comments section instead.

That's it for this one. I hope you learned something, as I did.

About pcsxcetrasupport3

My part-time business: I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to better find the information I need to understand a system's problems, in order to get the systems repaired and back to my customers quicker.