How does a malicious attacker embed malware in a document and fool a victim into infecting their PC? A short Basic Static Analysis

An innocent-looking example of a malicious document asking the user to enable content for more features
Example of a Carbanak Phishing Email

OfficeMalScanner

OfficeMalScanner: a tool for analysing malicious Office documents that detects and decodes macros found in .doc or .docx files
Help page
The file with the decoded macro is saved in C:\Samples\Module01-Fin7\OfficeMalScanner
Macro code extracted by OfficeMalScanner, which we will now analyse
  1. Ortutev — creates a FileSystemObject.
  2. Xotso — calls GetSpecialFolder to obtain a folder path.
  3. Ini.daphsarc\ — anything containing ‘\’ looks like a path. Reversing daphsarc gives crashpad, which is a file name; the whole literal reversed reads \crashpad.ini.
  4. StrReverse is VBA's built-in string-reversal function, so at run time it most likely turns the literal back into crashpad.ini.
  5. GetSpecialFolder — the special folder could be a system path, temp path or application path. Most malicious files are dropped in the temp or application path. We can look up what this method does in the Microsoft documentation. Link: https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/getspecialfolder-method
Official Microsoft help page — the argument 2 passed to .GetSpecialFolder selects the Temporary Folder
A close-up of the file name ‘ript.exe’ in the macro script
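As an added example that is not part of the original post, the following Python script applies the two deobfuscation steps worked through above (unreversing StrReverse literals and resolving GetSpecialFolder constants) to a constructed macro fragment, then evaluates the simple string assignments to recover the path the macro builds. The identifier names Ortutev and Xotso come from the post; the three statements, the %TEMP%-style folder labels and the mini string evaluator are assumptions.

```python
import re

# GetSpecialFolder constants from the Microsoft VBA reference linked above
# (0 = Windows, 1 = System, 2 = Temporary); the %..% labels are an assumption.
SPECIAL_FOLDERS = {0: "%WINDIR%", 1: "%WINDIR%\\System32", 2: "%TEMP%"}

# Constructed macro fragment modelled on the post: the identifier names are
# the post's, the three statements themselves are assumed.
SAMPLE_MACRO = r'''
Set Ortutev = CreateObject("Scripting.FileSystemObject")
Set Xotso = Ortutev.GetSpecialFolder(2)
Dropped = Xotso & StrReverse("ini.daphsarc\")
'''

STRREVERSE_RE = re.compile(r'StrReverse\("([^"]*)"\)')
SPECIAL_RE = re.compile(r'\w+\.GetSpecialFolder\((\d)\)')
ASSIGN_RE = re.compile(r'\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$')

def unreverse_literals(src):
    """Replace StrReverse("...") with the literal it produces at run time."""
    return STRREVERSE_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)

def resolve_special_folders(src):
    """Replace obj.GetSpecialFolder(n) with the folder the constant selects."""
    def repl(m):
        code = int(m.group(1))
        return '"' + SPECIAL_FOLDERS.get(code, f"<unknown folder {code}>") + '"'
    return SPECIAL_RE.sub(repl, src)

def reconstruct_strings(src):
    """Evaluate simple assignments (literals, known variables, the & operator)
    after deobfuscation so the path the macro builds can be read off."""
    env = {}
    for line in resolve_special_folders(unreverse_literals(src)).splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.groups()
        parts = []
        for tok in (t.strip() for t in expr.split("&")):
            if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
                parts.append(tok[1:-1])
            elif tok in env:
                parts.append(env[tok])
            else:  # e.g. CreateObject(...): not a string expression
                parts = None
                break
        if parts is not None:
            env[name] = "".join(parts)
    return env
```

Calling reconstruct_strings(SAMPLE_MACRO) returns Dropped = '%TEMP%\crashpad.ini', matching the manual reasoning above; a literal that itself contains '&' would need a proper VBA tokenizer, which this heuristic does not attempt.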

When putting the obfuscated code together we get:

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Ben Lee