Malicious Word Macro Caught Using Sneaky Trick

There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email, in poor English, says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”


Opening the Word document, the first thing you’ll notice is the security warning and, below it, a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”


Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.


Using OfficeMalScanner, the macros, specifically the one called “ThisDocument”, can be dumped to a file for analysis.


Let’s try it with OleDump. It nicely shows the objects inside the document.


We can also dump the ‘ThisDocument’ object.


Looking at the macro, we can see a bunch of string concatenation going on, with the typical junk code interleaved between the legitimate VBA.


About a quarter of the way in, there are some URLs to take note of.


Basically, the VBA macro builds a VBS script and writes it out to disk.


Interestingly, this VBS calls up a PowerShell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from the Internet, then downloading an image for statistics, and cleaning up after itself.


Let me download the file…


And see what VirusTotal has to say…


Regarding that image download, here’s what it is:


The image’s download stats are in that red box. Not sure how many of those are victims versus security folks, but that could be an impressive number.


Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.


The findText subroutine shows that it looks for content between “<select></select>” tags and then deletes it.


The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.


Ah! It’s not doing any decryption; it’s just some clever sleight of hand. The invoice text was there all along, hidden as white text on a white background, while the visible “garbage” was simply deleted once the macro ran. Here you can see the hidden content in green.
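The same trick can be spotted statically, without enabling anything. The following is an added example (not code from the original post): it walks the runs of a Word document body and flags text that is rendered in white, text marked hidden, or text containing the “<select>”/“<inbox>” marker tags the macro searched for. It assumes the body is available as WordprocessingML XML (the word/document.xml part of a .docx); the post’s sample is a binary .doc, so this is the OOXML equivalent of the check, run here on a constructed sample.

```python
"""Flag text hidden by font colour, the vanish property, or marker tags.

Added example, not from the original post. Assumes the document body is
WordprocessingML XML (word/document.xml inside a .docx).
"""
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Marker tags the macro's findText/secondText routines looked for.
MARKERS = re.compile(r"</?(select|inbox)>")


def find_hidden_runs(document_xml: str):
    """Return (reason, text) for every run that would be invisible or marked."""
    findings = []
    root = ET.fromstring(document_xml)
    for run in root.iter(W + "r"):
        text = "".join(t.text or "" for t in run.iter(W + "t"))
        if not text.strip():
            continue
        rpr = run.find(W + "rPr")
        color = rpr.find(W + "color") if rpr is not None else None
        if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
            findings.append(("white-font", text))   # white on white: unreadable
        if rpr is not None and rpr.find(W + "vanish") is not None:
            findings.append(("vanish", text))       # explicitly hidden text
        if MARKERS.search(text):
            findings.append(("marker-tag", text))   # macro's search anchors
    return findings


def scan_docx(path: str):
    """Convenience wrapper for a real .docx on disk (hypothetical path)."""
    with zipfile.ZipFile(path) as z:
        return find_hidden_runs(z.read("word/document.xml").decode("utf-8"))


# Constructed sample body: junk in black, the real invoice text in white.
SAMPLE = """<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
 <w:p><w:r><w:t>&lt;select&gt;</w:t></w:r></w:p>
 <w:p><w:r><w:t>x#9!q%zT</w:t></w:r></w:p>
 <w:p><w:r><w:t>&lt;/select&gt;&lt;inbox&gt;</w:t></w:r></w:p>
 <w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>Invoice #12345 Total: $421.00</w:t></w:r></w:p>
 <w:p><w:r><w:t>&lt;/inbox&gt;</w:t></w:r></w:p>
</w:body></w:document>"""

if __name__ == "__main__":
    for reason, text in find_hidden_runs(SAMPLE):
        print(f"{reason:12} {text!r}")
```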


Sneaky indeed.
