During the past few weeks, I received several emails asking how to dissect Office Payloads. While I was thinking about how to answer to such questions I received a MalSpam with a Microsoft Office document attached by sheer coincidence, so I decided to write a little bit on it. This is not going to be a full path analysis so If you are interested in a more complete one, including dissection steps on final payloads, please refer to some of my previous analysis (HERE
Attached to a nice crafted MalSpam email hitting my inbox a malicious Office Document having a pretty neat “autoopen()” Macro. I am going to call this stage: stage1. The “autoopen()” trick is a pretty known one if you are a Dropper writer. Indeed once the user opens the document, Microsoft Office runs that function as the first one, as well as it will run the “onclose()” function as the last one, in case of implementation. Both of those tricks are quite well-known in the malware industry. The following image shows the autopen() content.
The “autoopen()” function implements a “Resume Error” obfuscation technique. In other words when the running script hits any errors it resumes from next line of code without interrupting the execution flow. In such a way the attacker could exploits runtime errors to loop into functions. By switching between conditional jumps to code lines, the script builds-up a second stage invoked by powershell.exe. In order to follow the required steps – before getting into powershell encoded payload – (I will call it: stage2) the native Microsoft Office debugger would definitely help you. I would suggest to use conditional breakpoints (natively available on Office Macro editor) to “break if value change” on principal and non-jumping code line. The following image shows the decoded stage1 and welcomes the encoded representation of stage2.
In this case I had to manipulate a little bit the original code in order to break atomic commands which would directly launch the stage2 without getting an easy and understandable string visualisation. Therefore you might see a,b,c,d and E variables which are not native on that sample and artificially introduced into that code to get the highlighted clear text value (blue highlight in the image). “Powershell -e” executes a base64 string representing the code to be run on the victim machine. We need to carve into such a string. In order to start a string manipulation I suggest CyberCheff, one of my favorite string manipulation tool ever ! On the top right of the following image, the stage1 extracted code is placed. On the Left side (on green) the manipulation function adopted to deobfuscate the stage2 payload.
The first manipulation step is to decode the string from it encoding representation on Base64. The attacker used a wide range of non alphabet chars which make very difficult to read the decoded payload. So you might ask to cybercheff to remove non-alphabet characters and to remove null bytes which avoid the correct parser interpretation (the “null byte remotion is a second step on the cybercheff decoding chain). Once you removed useless chars you might observe that attacker used a more noisy characters. In this specific case we see the char ‘+’ that is abused on each line. A find and replace module helped me a lot (third step in cybercheff decoding chain). Finally the online tool gives a nice and quite smart tool called syntax highlighter which makes a smooth code ready to be read. You have it on the bottom right on the same image. Now you have the stage2 in plain text ready to be read and debugged if you wish. From here you might decide to extract the dropper websites and block them on your firewall/proxy/etc.. but if you want to debug it, Microsoft ISE is a great tool. The following images shows stage2 on Microsoft ISE.
A simple “foreach” loop is running through dropper websites waiting for the first response. Once a dropper website responds stage3 is downloaded and run. According to hash rate the dropped payload is a Emotet. The dropped Emotet used an opensource ofbuscation technique calle Movfuscator.
The M/o/Vfuscator (short ‘o’, sounds like “mobfuscator”) compiles programs into “mov” instructions, and only “mov” instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.
Running the sample into a controlled environment and grabbing network communications is interesting to check connection patterns and eventually traffic contents. From the recorded traffic it’s possible to see the following patterns: a HTTP GET request with some encrypted information to download plugin/additional stages and finally a HTTP POST to send victim’s data directly on the “attacker side”. In the first case (HTTP GET) the Malware communicates to server through cookies, using a 6 digit numeric variable. The used variable holds a Base64 representation of encrypted data. On the second case (HTTP POST) the Malware communicates to the command and control using a Form variable. Even in this case the transmitted content is a Base64 representation of encrypted data. I will not get into dissecting stage3 and the following ones since my main topic is to answer to “how to deobfuscating office dropper”. If you are interested on follow a full detailed analysis path, please take a look to Yoroi’s Blog.
Further technical details, including indicators of compromise (IoCs) are reported in the original analysis published on Marco Ramilli’s blog:
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.
I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans
Edited by Pierluigi Paganini
(Security Affairs – Info Stealing, malware)