BlackEnergy .XLS Dropper
The malware used in the recent Ukranian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file.
If you want to practice the analysis of such documents, I have something for you: I produced a spreadsheet that uses exactly the same method to embed a PE file, but it has no code to write to disk neither to run the payload. And the VBA code doesn't run automatically. And in stead of a PE file, I embedded a JPEG file. So this example is very safe. You can download the example here.
In case you have no idea how to get started, I have a video for you where I show my analysis method.
You can find the tools I used on my blog.
But there are many ways to analyze this example. Please post your method in a comment. And also, let me know what you think of the picture.
Update: according to a Twitter exchange, the .XLS maldoc is from an incident involving a power company (August), and the more recent incident is with another maldoc. Tweets here, here, here, here.
Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.
Comments
This is now ITW with a mass malspam of malicious word docs today containing a variation of the black energy dropper delivering a jpg with the embedded malware
Anonymous
Jan 12th 2016
9 years ago
This is now ITW with a mass malspam of malicious word docs today containing a variation of the black energy dropper delivering a jpg with the embedded malware
Anonymous
Jan 12th 2016
9 years ago
$ ./oledump.py db.xls -s7 -v > s7_1macro
Get rid of all the extra cruft so all we have left are the decimal numbers
$ cat s7_1macro | egrep -o "Array\(.+" | cut -d\( -f2 | sed "s/)//" | ./numbers-to-hex.py > s7_2hex_ascii
Remove newlines and spaces
$ cat s7_2hex_ascii | tr -d "\n| " | xxd -r -p > s7_3hex.bin
file s7_3hex.bin
s7_3hex.bin: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 640x480, frames 3
$ jp2a s7_3hex.bin --size=50x25
Oxlc,,,'.....:OOOkxc,;;::::::,,,,;,''lxkkkOKKd::;;
kol:;,'......d00Odlloddddddooc:cccc:;;cdkO000Oo:::
kl:;,'.......dOkd:kkkkkxdxkxdddooddool:;:dkO00Oc:;
kl;''........l0xclOO000OOkOkkkkOkkkkkOdl;;okO00d:;
k:,'.........,0dlxO000000OOOOOOkdkOOOOkxl;lkO00x;'
k;'...........xxldO00000000OOOOkkdx0O0Oxdc;dO0k:;,
x,'...........,xcokO0OO0000OOOOOkOkk000xdocoOkc;;'
x'''...........;ooxOOOOO0OOOkkxxkOOOOOOdddodOo;;,,
x''.'..........:kdxxddooooxdxddooxxxxkkkdxxxOl;,,,
x,'''.......'..,xxkdlc;;;coxo:::;;,:ldxOkkxxko;,,,
x,''''''..''',',ckOxkxooddkOOdlollloxxk0Oxdxkc:;;,
x,,,,,,''.''',',;d0OkOkkkOO00kdoodxxk000Oxdkc:;;,,
xddxxxxdddddxxxxkkOOOOOOOO0000kxkkxxkkkOkk0xoooolc
k000KKK00K00KKKK00OkOOOkkkO0OO0xxxddddxkxk0000000O
OK00KKKKKKKK000000OOkkkxxkdkdloxxdddxxxOOOO00000K0
O000KKKKKKKKK0000000kkkkkkkxdddkxdodxkk000000000K0
OK000KKKKKK00000000OOOkkOkdodcoxkxdxkkOOK000000KK0
O00KKK000KKKKK000000OOkxc;;;,,,;clxxkO0KK0000KKKKK
OKKKKKKKKKKKKKKKKKK00Okxxdlcclloxdxxxk0KK0KKKKKKXK
OKKKKKKKKKKKKKKKKKKK0Okkxxxdddddxxxxxk0KKKKKKKKKKK
0KKKKK0K00KKKKKKKKKK00Okkkkxdxdddxxdxk0KKKKKKKKKKK
KKKKK0000OO0KKKKKKK000OkkxdddoooooddxkO0KKKO00OOK0
kKKKK00KKOkOKKKKKK00O0OkxxddlllllodxkOO0000O0K000O
k0KK000K0kk0000000OOOOOxdxxdollcloodxkO00O0000Oxxk
dkkkkkOOOkkkkkkkxxxxxxxdoolldolllooodxxxxxkkkxlldd
Anonymous
Jan 24th 2016
8 years ago
Anonymous
Jan 24th 2016
8 years ago
"It is by will alone I set my mind in motion. It is by the juice of sapho that thoughts acquire speed, the lips acquire stains, the stains become a warning. It is by will alone I set my mind in motion."
Anonymous
Jan 24th 2016
8 years ago