I received another malicious Word document: with VBA macros and string obfuscation, launching a PowerShell downloader. As classic as they come.
The VBA code is not too long, and the obfuscation is not that hard. It makes a good example for static analysis.
I start the analysis with my tool oledump.py, this will give me an overview of the streams (including VBA macro streams) contained in the document:
These numbers are mostly different. Function besb takes the argument (a number), divides it by 23 and multiplies it with 1. Then it converts the obtained number to a character (chr function), and concatenates it into variable ahiv.
With this information, I know that the numbers represent a command and that I can obtain that command by dividing each number by 23 and then converting it to a character. Typically, one would write a small custom script to do this, but as I often have to do such conversions, I made my own tool to help with this: numbers-to-string.py.
Numbers-to-string.py takes text as input, extracts the numbers it finds on each line (provided there are at least 3 numbers per line), transforms the numbers according to a given formula, and then converts them to a string.
I will use this to decode the command. First I select all VBA source code lines with function besb using grep. Since identifiers in VBA are not case-sensitive, I use option -i, just in case the malware author was not consistent in his case use for function name besb.
My final step is to use option -j to join all lines together:
Like I said: a classic example.
Yet, there is something unusual about this document. To be continued ...
Dec 9th 2019
2 months ago