A look at Stomped VBA code and the P-Code in a Word Document

This sample comes from a Twitter discussion here and a second part of the thread here on April 22, 2019.

This discussion was started by “My Online Security @dvk01uk”.

Although it appears to have a VBA file in it, it didn’t work in a few different sandboxes, as mentioned by @dvk01uk.

Let’s take a closer look at the sample found here on ANY.RUN @anyrun_app.

If we look at the document in a hex editor, we can see that it starts with “PK”, so this is the ZIP file version and we can just decompress it and take a closer look.


After unzipping the document we see this folder layout.


Let’s look at the word folder.


We can see here that we do have a vbaProject.bin file. Let’s look at that.


This is an OLE file, so we can decompress it with 7-Zip.


Let’s take a closer look at Module1.


If we scroll down to the bottom of this file, we can see that it appears to be zeroed out.

If we look at “ThisDocument”, we can see the “Attribut” string, which tells us it contains compressed VBA code.


If you don’t have that string in the file, then it does not have compressed VBA code in it.

So how does this work, then?

If we go back to the Twitter discussion, “Vess @VessOnSecurity” has a Python tool called pcodedmp that extracts the “P-Code” from the document. It can be found here.

This tool currently requires only the oletools from “Decalage @decalage2”.

The command I ran was this.
"C:\Python27\python.exe" "C:\Users\Joe User\Desktop\pcodedmp\pcodedmp.py" "Opticsense New Order.doc"

In order to dump it to a file, just add “ > DumpedPcode.txt” (or whatever name you want) to the above command.

I have both versions of Python installed on this VM, so I have to use the full path to it. I also discovered the hard way that you have to put it in double quotes in order for it to work.

Since I didn’t use the pip install for the pcodedmp tool, I just downloaded it and used the full path to the script. I also put double quotes around that path. The final parameter was the file name in double quotes, since it has a space in the name.

I just opened a cmd window in the folder where the document was and ran that command.

Here is what we see when we run the command and dump it to a file.


This is the part we are most interested in at the moment.


If you can zoom in on that, you see a bunch of “Line #:” entries, so let’s clean those out and format this a bit better to be readable.

Here we find the AutoOpen Function.


The “Ld F_WH” appears to load the function above.


Although it is not really clear looking at this for the first time, we can take an educated guess on what the names mean. For “st” I would assume it means string; “ld” would be load?

So here it appears to take the string in “E_MO” and pass it to the function “B_RA”, and when it returns it will set the value of “F_DC” as an object.


So what this does is take the string of numbers 3 digits at a time, subtract 0x1A (26) from each value, and then convert that number to a character.

So after decoding the first string we see.


So the object that gets passed is “Wscript.Shell”.

The rest of the longer strings appear to be junk code until you get down to here.


Here we see it is getting the string “SP_LL” from the active document. When we search for it we find it in the “settings.xml”.


So now we need to take this string and run it through the same B_RA function and see what is output. It will then get executed after passing back to the AutoOpen function.
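The B_RA decoding and the SP_LL lookup described above can be reproduced offline without opening the document in Word. The following is an added example, not code from the sample or from pcodedmp: the function names are hypothetical, it assumes the 3-digit groups are zero-padded, and it assumes the value is stored as a document variable (a w:docVar element) in word/settings.xml. The encoded inputs are constructed here from harmless text.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
KEY = 0x1A  # value the post says B_RA subtracts from every 3-digit group

def decode_b_ra(digits: str, key: int = KEY) -> str:
    """Decode a B_RA-style string: 3 decimal digits per character, minus key."""
    digits = digits.strip()
    if not re.fullmatch(r"(?:\d{3})+", digits):
        raise ValueError("expected a non-empty run of 3-digit decimal groups")
    out = []
    for i in range(0, len(digits), 3):
        code = int(digits[i:i + 3]) - key
        if code < 0:
            raise ValueError(f"group at offset {i} is smaller than the key")
        out.append(chr(code))
    return "".join(out)

def read_doc_variable(docx_bytes: bytes, name: str) -> str:
    """Return a document variable's value (assumed layout: w:docVars/w:docVar)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/settings.xml"))
    for var in root.iter(f"{{{W_NS}}}docVar"):
        if var.get(f"{{{W_NS}}}name") == name:
            return var.get(f"{{{W_NS}}}val", "")
    raise KeyError(name)

def encode_for_test(text: str, key: int = KEY) -> str:
    """Inverse of decode_b_ra, used only to build the constructed samples."""
    return "".join(f"{ord(ch) + key:03d}" for ch in text)

def build_sample_docx() -> bytes:
    """Constructed, harmless stand-in for the sample: one SP_LL variable."""
    val = encode_for_test("cmd.exe /c echo constructed-sample")
    xml = (f'<w:settings xmlns:w="{W_NS}"><w:docVars>'
           f'<w:docVar w:name="SP_LL" w:val="{val}"/></w:docVars></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(decode_b_ra(encode_for_test("Wscript.Shell")))
    print(decode_b_ra(read_doc_variable(build_sample_docx(), "SP_LL")))
```

To use it on a real file, pass the document's bytes to read_doc_variable in place of build_sample_docx().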


Now that the strings are decoded, we can go back to the AutoOpen function and continue on.


It will use WMI’s Win32_Process to load “Cmd.exe” and the rest of the script.

Let’s take a closer look at the decoded PowerShell script.


If we look at the highlighted area in the screenshot we can see above it that there were 3 variables “set”. This will rebuild the string “powershell”.

As we can see here this just downloads an exe from a site and runs it.

For anyone interested in getting a better understanding of the P-Code, I would suggest looking at the source code of pcodedmp and this file to get a better handle on how it works.

I would have liked to go deeper into how the P-Code works at the byte level, but I’m still learning that myself.

That’s it for this one.

Here is the full list of resources and a few extra not covered in the post.

Twitter threads for this sample:
Main thread Here , Second thread Here , Third Thread Here

Didier Stevens @DidierStevens ISC Diaries:
Here and Here

Vess @VessOnSecurity pcodedmp tool:
Here

Decalage @decalage2 oletools:
Here

Derbycon 2018 talk “VBA Stomping – Advanced Malware Techniques”
Here


About pcsxcetrasupport3

My part-time business. I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to better understand the system’s problems in order to get the systems repaired and back to my customers quicker.
