How does a malicious attacker embed malware in a document and fool a victim into infecting their own PC? A short basic static analysis

An innocent example of a malicious document asking a user to enable content for more features
Example of a Carbanak Phishing Email

OfficeMalScanner

OfficeMalScanner: a tool for analysing malicious Office documents; it detects and decodes macros found in .doc or .docx files
Help page
File with macro decoded is saved in C:\Samples\Module01-Fin7\OfficeMalScanner
Macro code from OfficeMalScanner which we will now analyse
  1. Ortutev — creates a FileSystemObject (the scripting object used to read, write and move files on disk)
  2. Xotso — calls GetSpecialFolder to obtain a folder path
  3. Ini.daphsarc\ — anything containing ‘\’ looks like a path fragment. Reversing daphsarc gives crashpad, a plausible file name
  4. StrReverse is VBA's string-reverse function, so it most likely turns ini.daphsarc back into crashpad.ini at run time
  5. GetSpecialFolder — a special folder is a system path, temp path or application path. Most malicious files are dropped in the temp or application path. The meaning of the argument can be looked up in the official documentation: https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/getspecialfolder-method
Official Microsoft help page — the constant 2 passed to .GetSpecialFolder stands for TemporaryFolder, so the file is written to the temp directory
A closeup of the named macro script called ‘ript.exe’
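To make the manual steps above repeatable, here is a small Python helper (added here as an example; it is not code from the original post or from OfficeMalScanner) that performs the same static de-obfuscation on extracted VBA text: it undoes StrReverse("...") literals, maps GetSpecialFolder constants to their folder names, and flags FileSystemObject creation. The macro text it runs on is a constructed fragment modelled on the pattern described above (the variable names Ortutev and Xotso are taken from the post; the exact lines are an assumption, not the real Fin7 macro).

```python
import re

# Constructed VBA fragment that mimics the obfuscation pattern discussed in the post.
# It is NOT the original malicious macro, only an illustration of the same tricks.
SAMPLE_MACRO = r'''
Set Ortutev = CreateObject("Scripting.FileSystemObject")
Set Xotso = Ortutev.GetSpecialFolder(2)
Dropped = Xotso & StrReverse("ini.daphsarc\")
'''

# GetSpecialFolder argument values as documented by Microsoft for the
# Scripting.FileSystemObject: 0 = Windows, 1 = System, 2 = Temporary.
SPECIAL_FOLDERS = {0: "WindowsFolder", 1: "SystemFolder", 2: "TemporaryFolder"}

STRREVERSE_RE = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)
GETSPECIAL_RE = re.compile(r'GetSpecialFolder\((\d)\)', re.IGNORECASE)
FSO_RE = re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.IGNORECASE)


def decode_strreverse(vba: str) -> list[tuple[str, str]]:
    """Return (obfuscated, decoded) pairs for every StrReverse("...") literal."""
    return [(m.group(1), m.group(1)[::-1]) for m in STRREVERSE_RE.finditer(vba)]


def resolve_special_folders(vba: str) -> list[tuple[int, str]]:
    """Return (constant, folder name) pairs for every GetSpecialFolder(n) call."""
    found = []
    for m in GETSPECIAL_RE.finditer(vba):
        n = int(m.group(1))
        found.append((n, SPECIAL_FOLDERS.get(n, "Unknown")))
    return found


def deobfuscate(vba: str) -> str:
    """Rewrite the macro text with reversed strings and folder constants resolved.

    The rewritten text is easier to read for an analyst; nothing is executed.
    """
    out = STRREVERSE_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', vba)
    out = GETSPECIAL_RE.sub(
        lambda m: '"%' + SPECIAL_FOLDERS.get(int(m.group(1)), "Unknown") + '%"', out
    )
    return out


def indicators(vba: str) -> list[str]:
    """Summarise the suspicious behaviours a triage report would list."""
    report = []
    if FSO_RE.search(vba):
        report.append("creates Scripting.FileSystemObject (file write/move capability)")
    for n, name in resolve_special_folders(vba):
        report.append(f"resolves GetSpecialFolder({n}) -> {name}")
    for obf, dec in decode_strreverse(vba):
        report.append(f"StrReverse({obf!r}) -> {dec!r}")
    return report


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_MACRO))
    for line in indicators(SAMPLE_MACRO):
        print("-", line)
```

Running the script on the constructed fragment prints the rewritten macro, in which the drop location reads as `"%TemporaryFolder%" & "\crashpad.ini"`, together with a three-item indicator list; pointing it at the text OfficeMalScanner saved to C:\Samples\Module01-Fin7\OfficeMalScanner gives the same kind of summary for the real sample.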

When putting the obfuscated code together we get:


I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.
