This sample comes from a Twitter discussion here, with a second part of the thread here, on April 22, 2019.
The discussion was started by “My Online Security @dvk01uk”.
Although the document appears to contain a VBA project, it didn’t run in a few different sandboxes, as mentioned by @dvk01uk.
Let’s take a closer look at the sample, found here on ANY.RUN (@anyrun_app).
If we look at the document in a hex editor we can see that it starts with “PK”, so despite the .doc extension this is the ZIP-based (Office Open XML) format, and we can simply decompress it and take a closer look.
After unzipping the document, we see this folder layout.
Let’s look at the word folder.
We can see here that we do have a vbaProject.bin file. Let’s look at that.
This is an OLE file, so we can extract it with 7-Zip.
Let’s take a closer look at Module1.
If we scroll down to the bottom of this file we can see that the compressed VBA source appears to have been zeroed out, which is why the sandboxes that rely on the source code saw nothing to run.
If we look at “ThisDocument” we can see the “Attribut” string, which tells us it contains compressed VBA source code.
If a module stream does not contain that string, then it does not hold compressed VBA source code.
So how does this work, then?
If we go back to the Twitter discussion, “Vess @VessOnSecurity” has a Python tool called pcodedmp that extracts the “P-code” (the compiled form of the VBA that Office actually executes) from the document; it can be found here.
The only dependency this tool currently requires is the oletools package by “Decalage @decalage2”.
The command I ran was this.
"C:\Python27\python.exe" "C:\Users\Joe User\Desktop\pcodedmp\pcodedmp.py" "Opticsense New Order.doc"
To dump the output to a file, just append > DumpedPcode.txt (or whatever name you want) to the above command.
I have both versions of Python installed on this VM, so I have to use the full path to it. I also discovered the hard way that you have to put it in double quotes in order for it to work.
Since I didn’t use the pip install for the pcodedmp tool, I just downloaded it and used the full path to the script; I also put double quotes around that path. The final parameter was the file name in double quotes, since it has a space in the name.
I just opened a cmd window in the folder where the document was and ran that command.
Here is what we see when we run the command and dump it to a file.
This is the part we are most interested in at the moment.
If you zoom in on that you will see a bunch of “Line #:” markers, so let’s strip those out and reformat the output to be more readable.
Here we find the AutoOpen function, which runs automatically when the document is opened.
The “Ld F_WH” appears to load the function above.
Although it is not very clear when looking at this for the first time, we can take an educated guess at what the names mean: “st” I would assume means string, and “ld” would be load?
So here it appears to take the string in “E_MO”, pass it to the function “B_RA”, and when that returns, set “F_DC” to the resulting object.
What B_RA does is walk the string of digits three digits at a time, subtract 0x1A (26) from each three-digit value, and convert the result to a character.
After decoding the first string, we see this.
So the object that gets passed is “Wscript.Shell”.
The rest of the longer strings appear to be junk code until you get down to here.
Here we see it retrieving the value named “SP_LL” from the active document. When we search the unzipped package for that name, we find it in “settings.xml”; keeping the payload outside the VBA project is one more reason a quick look at the macro alone shows nothing useful.
So now we need to take this string and run it through the same B_RA function and see what comes out. The decoded result is then executed once it is passed back to the AutoOpen function.
If we go back to the AutoOpen function and continue on, now that the strings are decoded:
it uses WMI’s Win32_Process to launch “cmd.exe” with the rest of the script.
Let’s take a closer look at the decoded PowerShell script.
If we look at the highlighted area in the screenshot, we can see above it that three variables were “set”. Concatenating them rebuilds the string “powershell”, so the word never appears as a literal in the script.
As we can see here, this just downloads an exe from a site and runs it.
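The B_RA decoding step described above, for both the E_MO string and the SP_LL value, as an added example in Python (not the post’s own code and not part of pcodedmp). The encoded sample is a constructed encoding of “Wscript.Shell”, and the dump lines and the `find_candidate_strings` scanner are illustrative assumptions that go a little beyond the post by sweeping a whole P-code dump for digit literals that decode under this scheme.

```python
"""Decoder for the 3-digits-minus-0x1A string scheme seen in this document."""
import re

OFFSET = 0x1A  # 26, subtracted from every three-digit group


def decode_b_ra(encoded: str) -> str:
    """Decode a digit string: each 3-digit group, minus 0x1A, becomes one character."""
    digits = encoded.strip()
    if not digits.isdigit() or len(digits) % 3 != 0:
        raise ValueError("expected a digit string whose length is a multiple of 3")
    chars = []
    for i in range(0, len(digits), 3):
        value = int(digits[i:i + 3]) - OFFSET
        if value < 0:  # a group below 0x1A cannot be a valid character
            raise ValueError(f"group {digits[i:i + 3]!r} decodes below zero")
        chars.append(chr(value))
    return "".join(chars)


def encode_b_ra(text: str) -> str:
    """Inverse of decode_b_ra; used here only to build the constructed sample."""
    return "".join(f"{ord(c) + OFFSET:03d}" for c in text)


# Constructed sample (assumption): "Wscript.Shell" under this scheme.
SAMPLE = "113141125140131138142072109130127134134"

# Constructed stand-in for a few lines of pcodedmp output (not the real dump).
CONSTRUCTED_DUMP = (
    "Line #3: Ld E_MO\n"
    f'Line #4: "{SAMPLE}"\n'
    'Line #5: "0000000000001"\n'   # 13 digits, not a multiple of 3: skipped
    'Line #6: "000001002003"\n'    # groups below 0x1A: skipped
)


def find_candidate_strings(dump_text: str, min_groups: int = 4):
    """Find long digit literals in a dump and return (literal, decoded) pairs."""
    found = []
    for match in re.finditer(rf"\d{{{min_groups * 3},}}", dump_text):
        literal = match.group(0)
        try:
            found.append((literal, decode_b_ra(literal)))
        except ValueError:
            continue  # not encoded with this scheme
    return found


if __name__ == "__main__":
    for literal, decoded in find_candidate_strings(CONSTRUCTED_DUMP):
        print(f"{literal} -> {decoded!r}")
```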
For anyone interested in a better understanding of the P-code, I would suggest reading the source code of pcodedmp and this file to get a better handle on how it works.
I would have liked to go deeper into how the P-code works at the byte level, but I’m still learning that myself.
That’s it for this one.
Here is the full list of resources, plus a few extras not covered in the post.
Twitter threads for this sample:
Main thread Here, Second thread Here, Third thread Here
Didier Stevens @DidierStevens ISC diaries:
Here and Here
Vess @VessOnSecurity pcodedmp tool:
Here
Decalage @decalage2 oletools:
Here
Derbycon 2018 talk “VBA Stomping – Advanced Malware Techniques”:
Here