1. I downloaded OfficeMalScanner from http://www.reconstructer.org/code.html and placed it in the same directory as the Word document. OfficeMalScanner could be placed in a separate directory.
2. I ran OfficeMalScanner against the document containing the macro:
3. Then used the "inflate" command to extract the contents of the file:
4. I then moved the decompressed files into the directory I was working in.
5. I ran the scanner on the first binary in word/vbaProject.bin, and it extracted the contents of the macro:
6. With the macro extracted, let's look at its first few lines for Indicators of Compromise (IOCs):
Looking at the first part of the extracted macro, we can see a filename to look for, "updater.exe", in the directory "C:\Users\<Username>\AppData\Local\Temp"; if it does not exist there, the macro places it in "C:\Users\<Username>\AppData\" as the file "ntuserssc.exe".
7. Looking at more of the macro:
We notice that the fso, or File System Object, is inside an OLE-formatted object. Also, the size of the object is compared against SS, which is 168,448 bytes.
8. Going back to the extracted files, let's find the one that is larger than 168k bytes:
The oleObject1.bin file is slightly larger than the 168k we are looking for.
9. I used hexdump on the file to see if I could pull out any more indicators:
"C:\Art\Clients\Jag\updater.exe" and "C:\Users\Em\AppData\Local\Temp\updater.exe"
Then we see where the binary starts, marked by the letters MZ (the signature at the start of a Windows executable).
10. Let's extract the binary from the file for further analysis using foremost.
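Steps 8 to 10 above amount to a small procedure: filter the extracted files by size, find the MZ header inside the OLE object, and carve from there. The following Python script is an added example of that procedure; it is not the author's code and has nothing to do with OfficeMalScanner or foremost. The word/embeddings layout of the extracted document, the constructed oleObject1.bin stand-in and its minimal MZ/PE header are assumptions for the demonstration; the 168,448-byte threshold is the SS value from the macro. Checking that e_lfanew points at a "PE\0\0" signature is what keeps a stray "MZ" in text or padding from being carved by mistake, which a plain string search would do.

```python
import os
import tempfile

# Size of the OLE object the macro compares against (SS = 168,448 bytes, from the macro).
MIN_OBJECT_SIZE = 168_448


def find_large_files(directory, min_size=MIN_OBJECT_SIZE):
    """Return sorted (path, size) pairs for regular files under `directory` of at least `min_size` bytes."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            size = os.path.getsize(path)
            if size >= min_size:
                hits.append((path, size))
    return sorted(hits)


def find_pe_offsets(data):
    """Offsets of 'MZ' headers whose e_lfanew field points at a valid 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            # Heuristic bounds: real DOS stubs keep the PE header within the first few KB.
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve_pe(data, offset):
    """Return everything from the MZ header to the end of the container.

    Trailing OLE bytes, if any, are left in place; trimming to the true image size
    would need the section table, which this example does not parse.
    """
    return data[offset:]


def build_fake_pe():
    """Constructed minimal MZ/PE header (not a real executable) for the demonstration."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> right after the DOS header
    nt = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18  # signature + Machine=i386, padded
    return bytes(dos) + nt


OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DECOY_TEXT = b"MZ is also just text here"  # an 'MZ' that is NOT a header
# Constructed stand-in for oleObject1.bin: OLE magic, decoy text, padding, the PE, zero-padded past SS.
SAMPLE_OLE_OBJECT = (OLE_MAGIC + DECOY_TEXT + b"\x00" * 64 + build_fake_pe()).ljust(
    MIN_OBJECT_SIZE + 512, b"\x00")
EXPECTED_PE_OFFSET = len(OLE_MAGIC) + len(DECOY_TEXT) + 64


def demo():
    """Write the constructed sample into a temp 'word/embeddings' tree, then locate and carve the PE."""
    with tempfile.TemporaryDirectory() as root:
        emb = os.path.join(root, "word", "embeddings")
        os.makedirs(emb)
        with open(os.path.join(emb, "oleObject1.bin"), "wb") as f:
            f.write(SAMPLE_OLE_OBJECT)
        with open(os.path.join(root, "word", "document.xml"), "wb") as f:
            f.write(b"<w:document/>")  # small file, must be filtered out by size
        results = []
        for path, size in find_large_files(root):
            with open(path, "rb") as f:
                data = f.read()
            for off in find_pe_offsets(data):
                carved = carve_pe(data, off)
                results.append((os.path.basename(path), size, off, carved[:2], len(carved)))
        return results


if __name__ == "__main__":
    for name, size, off, magic, carved_len in demo():
        print(f"{name}: {size} bytes, PE at offset {off:#x} ({magic!r}), carved {carved_len} bytes")
```

Run against a real extraction, point `find_large_files` at the directory the inflate step produced and write each `carve_pe` result to its own file for the next analysis step.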
11. Uploading this file to VirusTotal returned the following results; the report page is at the following link if you are interested:
12. I started looking at the information the antivirus vendors provided about this malware. The following from ESET was closest to my assessment so far, comparing what it found against the strings in the binary:
Symantec calls it a Remote Access Trojan (RAT):
13. I then uploaded it to a binary analysis service that I like to use called Anubis:
The assessment again showed some of the commands found in the ESET assessment. However, throughout these assessments I still do not see any network indicators.
14. Running the binary on a Windows 7 SP1 computer, it connects out to the following locations over a TLS connection:
15. The program adds persistence to the computer by adding a Run key:
16. The binary starts out with the name updater.exe or ntuserssc.exe, then passes through a random name, and ends up with the name winlogin.exe. Notice that the program calls itself winlogin.exe, imitating the legitimate winlogon.exe process:
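Steps 15 and 16 describe two host indicators worth checking for on other machines: a Run key entry that launches from a user-writable directory such as AppData, and a process name one character off from winlogon.exe. The Python below is an added example of detection logic for both, not the author's code; the protected-name list, the sample Run entries and the path C:\Users\Em\AppData\winlogin.exe are constructed for the example (the drop location is modelled on the paths the macro uses). On a live system the entries would come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run; here they are embedded inline so the script runs offline.

```python
import re

# Legitimate Windows process names that malware commonly imitates (list assumed for this example).
PROTECTED_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Executable path inside a user profile's AppData tree (user-writable, no admin rights needed).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; process names are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(names, max_distance=1):
    """Return (name, legit) pairs where `name` is not itself protected but is within edit distance of one."""
    hits = []
    for name in names:
        lowered = name.lower()
        if lowered in PROTECTED_NAMES:
            continue
        for legit in sorted(PROTECTED_NAMES):
            if edit_distance(lowered, legit) <= max_distance:
                hits.append((name, legit))
    return hits


def executable_from_command(command):
    """Extract the executable path from a Run value: the quoted path, or the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def audit_run_entries(entries):
    """Return (value_name, reason) for Run entries that launch from AppData or use a lookalike name."""
    flagged = []
    for value_name, command in entries.items():
        exe = executable_from_command(command)
        if USER_WRITABLE.match(exe):
            flagged.append((value_name, "launches from user-writable AppData: " + exe))
        base = exe.rsplit("\\", 1)[-1]
        for _name, legit in lookalike_names([base]):
            flagged.append((value_name, f"{base} imitates {legit}"))
    return flagged


# Constructed Run entries, as they might be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "winlogin": r'"C:\Users\Em\AppData\winlogin.exe"',  # constructed, modelled on the macro's drop path
}

if __name__ == "__main__":
    for value_name, reason in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {value_name}: {reason}")
```

The lookalike check deliberately skips names that exactly match a protected name; a genuine winlogon.exe outside System32 is a different indicator (path, not name) and would be caught by a path rule like the AppData one here.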