
Information
Category Name: XLM Macros
Files: c38-xlm-macros.zip 174 KB
— sample1-fb5ed444ddc37d748639f624397cff2a.bin – 95KB
— sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin 16KB
My Recommendations
This is my personal preference. I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/xlmmacros && cd Documents/CyberDefenders/xlmmacros
Download it from CyberDefenders and verify it with:
sha1sum /path/to/c38-xlm-macros.zip
SHA1SUM: 35fb4497de1633d6887fd1453ee1426ca627eeec
Walkthrough
1. What is the document decryption password? (Sample 1)
Using msoffcrypto-crack.py:
msoffcrypto-crack.py sample1-fb5ed444ddc37d748639f624397cff2a.bin
# Returns: Password found: VelvetSweatshop
To decrypt it, we can use msoffcrypto-tool:
msoffcrypto-tool -p VelvetSweatshop sample1-fb5ed444ddc37d748639f624397cff2a.bin sample1.bin
Answer: VelvetSweatshop
2. This document contains six hidden sheets. What are their names? (Sample 1)
Provide the value of the one starting with S.
Using Exiftool:
exiftool sample1.bin
The default name for a sheet is Sheet[sheetnumber]. In this case there are three sheets called Sheet1, Sheet2 and Sheet3, followed by SOCWNEScLLxkLhtJp, OHqYbvYcqmWjJJjsF, Macro2, Macro3, Macro4 and Macro5. We can assume these six are the hidden sheets. The only one starting with S is SOCWNEScLLxkLhtJp.
Answer: SOCWNEScLLxkLhtJp
3. What URL is the malware using to download the next stage? (Sample 1)
Only include the second-level and top-level domain. For example, xyz.com.
Using olevba:
olevba sample1.bin
The URLs returned from the VBA code all share the same domain name, rilaer.
Answer: http[://]rilaer[.]com
4. What malware family was this document attempting to drop? (Sample 1)
Searching Google for the executable name shows the dropped file on VirusTotal. The malware is flagged as Trojan-Drixed.
Answer: Drixed
5. This document has a very hidden sheet. What is the name of this sheet? (Sample 2)
Exiftool shows only one sheet name, Sheet1, which is not hidden. With olevba, we can see where the macro is executed from:
olevba sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
The sheet CSHykdYHvi is not displayed by exiftool, and it is where the VBA macro is executed from.
Answer: CSHykdYHvi
6. This document uses reg.exe. What registry key is it checking? (Sample 2)
Using Olevba:
olevba sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
The registry entry it’s looking for is HKCU\Software\Microsoft\Office\(version)\Excel\Security. The actual key it’s checking is VBAWarnings:
Answer: VBAWarnings
7. From the use of reg.exe, what value of the assessed key indicates a sandbox environment? (Sample 2)
When the key is set to 1, all VBA macros are enabled; this value is usually set in sandbox environments.
Answer: 1
8. This document performs several additional anti-analysis checks.
What Excel 4 macro function does it use? (Sample 2)
From the output of olevba, we can see that the macro checks the workspace with the function ‘GET.WORKSPACE’ several times.
All these checks are used by the malware to see if it’s running in a sandboxed environment. This is what the highlighted calls check:
GET.WORKSPACE(2): Version of Excel running
GET.WORKSPACE(13): Workspace width
GET.WORKSPACE(14): Workspace height
GET.WORKSPACE(19): Whether a mouse is present
GET.WORKSPACE(42): Whether the machine can play sound
Answer: get.workspace
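As an added example (not part of the original write-up or of any tool’s output), a small Python triage helper that pulls every GET.WORKSPACE(n) call out of olevba-style formula dumps and labels it with the meanings listed above, so the anti-analysis checks stand out without reading every cell by hand. The sample lines are constructed to look like olevba output, not taken from sample2, and the argument-1 mapping used for the environment-name check is an assumption not stated in this write-up.

```python
import re

# Meanings of the GET.WORKSPACE() arguments listed in the write-up above.
# Argument 1 (environment name) is an assumption, added for the 'Windows' check.
GET_WORKSPACE_MEANINGS = {
    1: "environment name (assumed mapping)",
    2: "Excel version",
    13: "workspace width",
    14: "workspace height",
    19: "mouse present",
    42: "machine can play sound",
}

# Constructed sample lines in the shape olevba prints for XLM formulas.
# Cell addresses, thresholds and the unmapped argument 99 are made up.
SAMPLE_OLEVBA_OUTPUT = """\
' CELL:A1 , FORMULA =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
' CELL:A2 , FORMULA =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
' CELL:A3 , FORMULA =IF(GET.WORKSPACE(13)<770,CLOSE(TRUE),)
' CELL:A4 , FORMULA =IF(GET.WORKSPACE(14)<390,CLOSE(TRUE),)
' CELL:A5 , FORMULA =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
' CELL:A6 , FORMULA =IF(GET.WORKSPACE(2)<"12",CLOSE(TRUE),)
' CELL:A7 , FORMULA =GET.WORKSPACE(99)
' CELL:A8 , FORMULA =REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","fbb3",,1,9)
"""

GET_WORKSPACE_RE = re.compile(r"GET\.WORKSPACE\((\d+)\)", re.IGNORECASE)


def find_workspace_checks(text):
    """Return (line_number, argument, meaning) for every GET.WORKSPACE(n) call.

    Arguments not in the mapping are still reported, labelled 'unmapped',
    so a new evasion trick is not silently dropped from the triage output.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in GET_WORKSPACE_RE.finditer(line):
            arg = int(match.group(1))
            meaning = GET_WORKSPACE_MEANINGS.get(arg, "unmapped argument")
            hits.append((lineno, arg, meaning))
    return hits


def count_known_sandbox_checks(text):
    """Count only the calls whose argument is a known anti-analysis probe."""
    return sum(1 for _, arg, _ in find_workspace_checks(text) if arg in GET_WORKSPACE_MEANINGS)


if __name__ == "__main__":
    for lineno, arg, meaning in find_workspace_checks(SAMPLE_OLEVBA_OUTPUT):
        print(f"line {lineno}: GET.WORKSPACE({arg}) -> {meaning}")
    print("known sandbox checks:", count_known_sandbox_checks(SAMPLE_OLEVBA_OUTPUT))
```

Feed it the text that olevba prints for a sample (for example by piping the output into the script) and compare the count against the checks the write-up lists.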
9. This document checks for the name of the environment in which Excel is running.
What value is it using to compare? (Sample 2)
To check the environment in which Excel is running, the document searches for ‘Windows’ in the result of the get.workspace call:
Answer: Windows
10. What type of payload is downloaded? (Sample 2)
In the output of olevba, we can see that ‘rundll32.exe’ is used to run the file, so the payload must be a DLL:
Answer: DLL
11. What URL does the malware download the payload from? (Sample 2)
In the output of olevba, the call to ‘URLDownloadToFile’ points to the URL from which the file is downloaded:
Answer: https[://]ethelenecrace[.]xyz/fbb3
12. What is the filename that the payload is saved as? (Sample 2)
The output of olevba shows that the file is saved with an .html extension:
Answer: bmjn5ef.html
13. How is the payload executed? For example, mshta.exe. (Sample 2)
The payload is executed with ‘rundll32.exe’:
Answer: rundll32.exe
14. What was the malware family? (Sample 2)
We can look for the file’s hash in VirusTotal:
md5sum sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
# returns b5d469a07709b5ca6fee934b1e5e8e38
The file is mostly flagged as a generic Trojan Downloader. Trend Micro names the actual Trojan family:
Answer: zloader
TLDR
– This is a classic macro MalDoc that downloads a payload onto the victim’s machine.
– I used olevba, but perhaps more xlm-focused tools would have been more helpful.