Friday, August 7, 2015

Using to pull Malicious Macro's out of Microsoft Word Doc

For the last few months I have been bombarded with Microsoft Word Documents that contain malicious macros.  I wanted to take a couple of minutes and document the use of to pull out the malicious macro.  I mainly tear these apart to identify the various indicators of compromise that can be harvested.

Filename: 7ZJ7.doc
File Size: 204,800
SHA1: 086ef96c939968e9b149dab81350a2732b2fdb8f
MD5:  55687ddebba3665dd44eb7be08dc0c7b
Virus Total Detection Ratio: 19/54
Virus Total Link 

The tool was created by Didier Stevens and he has maintained the tool as this type of malware has evolved.  To read about the command-line options that are available you can run ./ -h.  To begin to initialize the doc file you run "./ 7ZJ7.doc".

We can see from the output that there are a total of 17 objects that can be selected.  I am going to hone in on objects 8-10.

I am going to select object 8 and because it is compressed I am going to use another option to decompress it as shown below:

Then we can do the same thing to extract the macros from objects 9 and 10.  After taking the macros and evaluating them I noticed that it would go out to the following URL's to download files:

hxxp://   (
hxxp://     (

The rara.txt file contains the following link:

I was able to find the kslx.exe file on which may or may not be the file being requested.

Then by manipulating the macro you can see the following which are the contents of the 7777.txt file broken up into a vbs script then a bat file.

The above vbs script downloads the rara.txt file which is not found as shown above however it is found on the other URL referenced above.  Then the file is written to the filesystem as 9.exe.  Then the following bat file is executed:

Then the batch file is opened and executed to run the vbs script with cscript and then deletes the vbs file and the bat file that is left behind.  I will not go any further with the evaluation of the 9.exe.  However, below are the IP Addresses that were used to remotely control the computer: (Most of the traffic)

Filename: kslx.exe
Size: 194,253
SHA1 - c943cccbeb257d8be5ce82d379fbf5e5e0753e2d
MD5 - 23d73f4bbcdd13ceaa9db30056d5c5a2

I thought I would also utilize a tool published by Corelan called PEFrame located here.  The output of the tool is below:

$peframe kslx.exe 

Short information
File Name          kslx.exe
File Size          194253 byte
Compile Time       2015-08-04 06:42:54
DLL                False
Sections           4
Hash MD5           23d73f4bbcdd13ceaa9db30056d5c5a2
Hash SHA-1         c943cccbeb257d8be5ce82d379fbf5e5e0753e2d
Imphash            7309645e4461d38509039c98e4c661ec
Detected           Packer, Anti VM
Directory          Import, Debug

Packer matched [1]
Packer             Microsoft Visual C++ 8.0

Anti VM Trick discovered [1]
Trick              VMCheck.dll

Suspicious API discovered [4]
Function           ExitProcess
Function           GetModuleHandleA
Function           GetProcAddress
Function           GetStartupInfoA

File name discovered [6]
Library            GDI32.dll
Library            KERNEL32.dll
Library            SHLWAPI.dll
Library            WINMM.dll
Library            mscms.dll
Database           rect1.pdb

In the output it can be observed that it has an anti-vm mechanism and the trick that is discovered.  I will need to look into this at another time.

No comments:

Post a Comment

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...