How does an attacker embed malware in a document and trick a victim into infecting their own PC? A short basic static analysis

An innocent-looking example of a malicious document asking the user to "Enable Content" for more features
Example of a Carbanak phishing email

OfficeMalScanner

OfficeMalScanner: a tool for analysing malicious Office files; it detects and decodes macros found in .doc or .docx files
Help page
The file with the decoded macro is saved in C:\Samples\Module01-Fin7\OfficeMalScanner
Macro code from OfficeMalScanner, which we will now analyse
  1. Ortutev — creates a FileSystemObject
  2. Xotso — calls GetSpecialFolder to obtain a folder path
  3. Ini.daphsarc\ — anything containing a ‘\’ looks like a path. If you reverse daphsarc you get crashpad, which is a file name
  4. StrReverse probably means "string reverse", so it most likely reverses the string into crashpad.ini
  5. GetSpecialFolder — a special folder could be the system path, the temp path or the application path. Most malicious files are dropped in the temp or application path. We can look up what this method does via Google. Link: https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/getspecialfolder-method
Official Microsoft help page — the value 2 in .GetSpecialFolder is the Temporary folder
A close-up of the macro fragment containing the string ‘ript.exe’

When putting the obfuscated code together we get:

cmd.exe /c wscript.exe //b /e:jscript %tmp%\crashpad.ini
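The reconstruction above was done by hand. As an added example that is not part of the original post, the script below automates the same three tricks the macro relies on (string concatenation with &, StrReverse on reversed literals, and GetSpecialFolder(2) for the temp folder) so that the final command line falls out of a static pass over the macro text. The VBA snippet inside it is constructed to mirror the obfuscation pattern described in the post; it is not the actual Fin7 macro, and the variable names Nelif and Dnamc are invented. GetSpecialFolder values are mapped to environment-variable placeholders rather than real paths, because a static pass cannot know the victim's temp directory.

```python
import re

# GetSpecialFolder constants from the Microsoft documentation the post links to,
# mapped to symbolic placeholders (we are not executing anything).
SPECIAL_FOLDERS = {0: "%windir%", 1: "%windir%\\System32", 2: "%tmp%"}

# Constructed sample that mimics the obfuscation seen in the post; not the real macro.
# Ortutev and Xotso follow the post's description, Nelif and Dnamc are hypothetical names.
SAMPLE_MACRO = """
Set Ortutev = CreateObject("Scripting.FileSystemObject")
Xotso = Ortutev.GetSpecialFolder(2)
Nelif = Xotso & StrReverse("ini.daphsarc\\")
Dnamc = "cmd.exe /c " & StrReverse("exe.tpircsw") & " //b /e:jscript " & Nelif
"""

LITERAL = re.compile(r'^"([^"]*)"$')
STRREV = re.compile(r'^StrReverse\("([^"]*)"\)$', re.IGNORECASE)
SPECIAL = re.compile(r'^\w+\.GetSpecialFolder\((\d+)\)$', re.IGNORECASE)


def split_concat(expr):
    """Split a VBA expression on '&' while ignoring '&' inside string literals."""
    parts, buf, in_quotes = [], [], False
    for ch in expr:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def eval_term(term, env):
    """Resolve one concatenation operand to a plain string."""
    term = term.strip()
    if m := LITERAL.match(term):
        return m.group(1)
    if m := STRREV.match(term):
        return m.group(1)[::-1]          # undo StrReverse statically
    if m := SPECIAL.match(term):
        code = int(m.group(1))
        return SPECIAL_FOLDERS.get(code, f"<GetSpecialFolder({code})>")
    if term in env:
        return env[term]                 # previously assigned variable
    return f"<{term}>"                   # unknown: keep symbolic, never guess


def emulate(vba):
    """Walk simple 'name = expr' assignments and return the resolved variables."""
    env = {}
    for line in vba.splitlines():
        line = line.strip()
        # 'Set x = CreateObject(...)' builds an object, not a string; skip it.
        if not line or line.lower().startswith("set "):
            continue
        # Only handles assignments whose literals contain no '=' (enough for this pattern).
        name, _, expr = line.partition("=")
        env[name.strip()] = "".join(eval_term(t, env) for t in split_concat(expr))
    return env


def reconstructed_command(vba=SAMPLE_MACRO):
    """Return the de-obfuscated command line the macro would build."""
    return emulate(vba)["Dnamc"]


if __name__ == "__main__":
    for name, value in emulate(SAMPLE_MACRO).items():
        print(f"{name} = {value}")
    # Dnamc resolves to: cmd.exe /c wscript.exe //b /e:jscript %tmp%\crashpad.ini
```

The evaluator deliberately stays symbolic: an unresolved variable or an unknown folder constant is left in angle brackets instead of being guessed, which is the behaviour you want in triage, where a wrong "reconstruction" is worse than a visible gap. Real samples usually add extra layers (Chr() calls, Mid() slicing, Replace()), so treat this as the skeleton to extend rather than a general VBA de-obfuscator.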

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.