Phishing Excel Embedded Malware

Malware Details

Name - sheetsForFinancial.xlsm
Type - Macro

Hashes

MD5 -

Command Used -

	md5sum.exe sheetsForFinancial.xlsm

Output -

4dda84ea2e71997f864666220b031dd6

SHA256 -

Command Used -

	sha256.exe sheetsForFinancial.xlsm

Output -

16e6489b81a41f0bfc2bc9bb0165b624c51ed4fecf6438c73a5ee6501caf34d

VirusTotal results -

No results found

Theory

Macro malware

Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.

How macro malware works

Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.

Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened.

We've seen macro malware download threats from the following families:

How to protect against macro malware

  • Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros.

  • Don't open suspicious emails or suspicious attachments.

  • Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.

  • Enterprises can prevent macro malware from running executable content using ASR rules.

Analysis

Microsoft Office is not available in the lab environment, so dynamic analysis is out of scope and only static analysis is performed.

Basic static analysis -

The first thing noticed is that the Excel file has a .xlsm extension. This means it is a macro-enabled workbook, which on its own is enough to treat it as suspicious.

Transferring the malicious Excel file to REMnux:

  1. Run updog -p 80 in the directory containing the file (this serves that directory over HTTP on port 80)

  2. Run wget <file location> on the REMnux box

Keep in mind that an Excel workbook is not a single flat file but a ZIP archive (the Office Open XML package format), so its contents can be extracted on REMnux using

	unzip <excel file name>

The extracted contents include a .bin file.

The .bin extension indicates raw binary data rather than XML; in a macro-enabled workbook this part is the OLE container holding the Visual Basic project, so we take a further look into this file.
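As an added example (not part of the original writeup), the Python helper below does the same triage the unzip step does by hand: it opens the workbook as a ZIP, hashes it, checks [Content_Types].xml for the macro-enabled content type, and confirms that the .bin part starts with the OLE compound-file header that oledump expects. The workbook it builds is a constructed stand-in with the same markers, not the sheetsForFinancial.xlsm sample.

```python
import hashlib
import io
import zipfile

# OLE compound-file magic; the vbaProject.bin part of an OOXML package starts with these bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_WORKBOOK_TYPE = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"

def build_sample_xlsm() -> bytes:
    """Constructed stand-in for a .xlsm (NOT the real sample) carrying the same three markers."""
    ct_xml = (b'<Types><Override PartName="/xl/workbook.xml" ContentType="'
              + MACRO_WORKBOOK_TYPE + b'"/><Override PartName="/xl/vbaProject.bin" ContentType="'
              + VBA_CONTENT_TYPE + b'"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct_xml)
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # OLE header, empty body
    return buf.getvalue()

def triage_office_file(data: bytes) -> dict:
    """Static triage of an OOXML document: hashes, part list and VBA indicators."""
    report = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
              "is_zip": False, "parts": [], "vba_parts": [], "ole_bin_parts": [],
              "macro_enabled_type": False, "has_vba": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # legacy .xls/.doc are OLE files, not ZIPs: feed those to oledump directly
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        report["parts"] = z.namelist()
        if "[Content_Types].xml" in report["parts"]:
            ct = z.read("[Content_Types].xml")
            report["macro_enabled_type"] = b"macroEnabled" in ct or VBA_CONTENT_TYPE in ct
        for name in report["parts"]:
            base = name.rsplit("/", 1)[-1].lower()
            if base == "vbaproject.bin":
                report["vba_parts"].append(name)
            if base.endswith(".bin") and z.read(name)[:8] == OLE_MAGIC:
                report["ole_bin_parts"].append(name)  # also catches embedded oleObjectN.bin parts
    report["has_vba"] = bool(report["vba_parts"]) or report["macro_enabled_type"]
    return report

if __name__ == "__main__":
    for key, value in triage_office_file(build_sample_xlsm()).items():
        print(f"{key}: {value}")
```

Any part listed under ole_bin_parts is what to hand to oledump.py next; the hashes are there so the triage record lines up with the MD5/SHA256 values recorded above.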

We use oledump.py in order to get more information on the file.

Command used -

	oledump.py <file name>
	oledump.py -s 3 -S <file name>

The strings in stream 3 point to potentially malicious activity, so the VBA stream is decompressed in full (this option is the variant of -v that tolerates a corrupted stream):

	oledump.py -s 3 --vbadecompresscorrupt <file name>

We now have the full VBA macro.

Conclusion

When this macro runs, it downloads a .crt file and saves it as enc.crt. It then uses the LOLBin certutil to decode the file and run a PowerShell script.

This procedure is similar for other Office files.

For .docx files, unzip them, then check the files in the _rels folders and analyse them.
