Malicious Word Macro Caught Using Sneaky Trick

There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I'm not sure if this is an old trick. I just haven't seen this method used before and thought it was quite clever.

Here's the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, "Thank you for payment. Your attached. Thank you for your business - we appreciate it very much."

Opening the Word document, first thing you'll notice is the security warning and below it a bunch of garbled text. A message above it says, "If you document have incorrect encoding - enable macro."

Clicking on the "Enable Content" button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.

Using OfficeMalScanner, the macros, specifically the one called "ThisDocument" can be dumped to a file for analysis.

Let's try it with OleDump. It nicely shows the objects inside of the document.

We can also dump the 'ThisDocument' object.

Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.

A quarter ways in, there's some URLs to take note of.

Basically the VBA macro builds a VBS script and writes it out.

Interestingly, this VBS calls up a Powershell file. How vogue. It's now very clear what it's doing -- downloading and executing a file from Internet then downloading an image for statistics and cleaning up.

Let me download the file...

And see what VirusTotal has to say...

Regarding that image download, here's what it is:

The image's download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.

Going back to the macro, I wanted to find out how it "decrypted" the gibberish into text. Near the bottom, I see reference to "findText" and "secondText" followed by some clean-up code.

The findText subroutine shows that it looks for content between "<select></select>" tags then deletes it.

The secondText routine looks for "<inbox></inbox>" tags and changes the contents' font color to black.

Ah! It's not doing any decryption, it's just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.

Sneaky indeed.

Posted on: 03/06/2015