How does a malicious attacker embed malware in a document and fool a victim to infect their PC? A short Basic Static Analysis

Ben Lee
5 min readOct 24, 2021

--

A malicious user can embed malware in a document, using social engineering to make a target infect their PC via a macro/powershell script to give full access to a computer to an attacker.

Microsoft Word/Excel are used commonly among attackers as macros can be easily used which are additional code to provide additional features.

These Macros can execute files and can be malicious. Attackers can use droppers to download more parts of malware through these macros. As a result, macros embedded within documents are the most common ways of attacking organisations alongside spear phishing.

Many Microsoft products also use powershell, a language to give more resources to a machine, which make additional functions for attacker’s to elevate privileges within a machine much easier.

An attacker must make sure that the victim ‘enables content’ to run the obfuscated script/code within the document for malicious scripts to activate by luring the victim into a false sense of security.

Once code is executed, commands can be sent back to an attacker’s C&C (Command and Control Centre) for further commands to be established where they can have full access to the infected device.

An innocent example of a malicious document asking a user to enable content for more features

In the real world, APT’s or advanced persistent threats such as Carbanak, disguise malicious code within documents via targeted spear phishing campaigns. With the documents disguised similar to a financial invoice or a resume within an innocent email, employees targeted by malicious threat actors are subjugated to social engineering with a convincing message for a user to download and open the malicious document. Once macros are enabled when ‘enable content’ is enabled or by other similar means, the attacker is able to control the infected device.

Example of a Carbanak Phishing Email

This blog, will go over a real FIN7 spearfishing document with a macro to see how it is utilised in the real world.

We will be going through a basic static analysis of the malicious macro code obfuscated within the document through the tool ‘OfficeMalScanner’.

OfficeMalScanner

OfficeMalScanner: A tool that can be used for analysing malware, to detect and decode macros found in .doc or .docx files

We can see the various options OfficeMalScanner allows us to do through the help page

Help page

From our selected FIN7 sample and analysing it through the ‘info’ command in OfficeMalScanner, we can get something like this:

File with macro decoded is saved in C:\Samples\Module01-Fin7\OfficeMalScanner

As seen in the diagram above some macros were found. We can open the folder C:\Samples\Module01-FIN7\OfficeMalScanner and open the file FIN7_CARBANAK_MALICIOUS_DOC.BIN-MACROS with Notepad++ to analyse if such macros are malicious. We can change the language to Visual Basic in Notepad++ for more information.

Macro code from OfficeMalScanner which we will now analyse

Looking at the macro code from Officemalscanner, we can deduce some of the obfuscated macro intentions within the document:

  1. Ortutev — Creates a filesystemobject
  2. Xotso — Tries to getspecialFolder within a path
  3. Ini.daphsarc\ — anything with ‘\’ seems to be a path. If you reverse daphsarc you will get crashpad which is a file name
  4. StrReverse may also mean stringreverse so it may reverse the string crashpad.ini
  5. GetSpecialFolder — Special Folder could be a system path, temp path, application path. Most malicious files are dropped in temp/application path. We can search more on what this string means via google. Link: https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/getspecialfolder-method
Official Microsoft Help Page — 2 in .GetSpecialFolder is Temporary Folder

We can see from the code that it gets (2) which is in this case TemporaryFolder. %tmp%\crashpad.ini

From analysing the line below, OpenTextFile could be opening and executing contents in crashpad.ini

Set anzes - Opens text file ortutev, and something is saved within anzes. Anzes writes line and closes.

In the line ‘vbssabahe = UserForm1.Textbox1.Text’ above, textbox is in visual basic. Something inside the document that the user fills or is already filled with data. So, the attacker is usinig vbssbahe to use this to write lines to temp/crashpad.ini roughly.

A closeup of the named macro script called ‘ript.exe’

Ript.exe — Is very close to script.exe but you can understand the common similarity

Dsicqodno seems to try to connect all obfuscated terms.

What does it look like:

Iqenw — c → & “m” → agowazg — d.exe /c wsc → qzygeska — ript.exe //b /e:jsc → xtuzsegu (ript) → iqoda — (%tmp%\crashpad.ini)

When putting the obfuscated code together we get:

cmd.exe /c wscript.exe //b /e:jscript %tmp%\crashpad.ini

Shell discqodno, False MsgBox ‘Decryption Error’ — If shell could not execute (cmd.exe /c wscript.exe //b /e:jscript %tmp%\crashpad.ini), then display a message error that it could not be decrypted! Shell executes/runs/invokes something like a function.

In summary, to make things look easier i have provided a picture of our basic static analysis of the FIN7 document below:

In conclusion, in our macro analysis, it looks like the attacker takes some text out of document, saves it to a file called ‘crashpad.ini’ and executes the text in the file maliciously!

We can now see how obfuscated malicious code from a macro in a word document works, and that the sample that we analysed is most likely malicious. More analysis may be done to look at the malware’s functions as we only did some basic static analysis.

I hope you enjoyed this short blog post, more analysis blogs will hopefully come soon!

--

--

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.