It’s Gozi time! And Ursnif time! One of the two. Or both? Either way, here’s the .doc in any.run. It originally came in an attached .zip file with a password of ‘777’. (As an aside, if 666 is the number of the beast, then 777 must be the neighbor of the beast).
For the impatient ones out there, here’s the dropped file.
PART 1: MICROSOFT DOCUMENT
Using OfficeMalScanner, five macro files are dumped. They are…
I don’t write in visual basic, vb scripting, vba whatever. I can read it, but I can’t write it. This is just my way of saying that I may not use the right words to explain things (mea culpa!). Either way, ThisDocument shows us where the macro starts with Sub Document_Open(). Not much happens here except that when the script reaches main, we jump to awBR7S1cN.
Macro awBR7S1cN steps through quite a bit of nonsense before it gets to line 46. This line contains a function called aQGWKsE that is being fed a very long string. Long strings are always interesting things to which we should pay attention.
We can find function aQGWKsE in macro a9iAyP. This is the deobfuscation function for that long string.
Pretty sure it works thusly:
70: Get the length of the string; the loop counter increments by 2.
71: Mid$ -> grab two characters of the string; Val("&H" -> treat those two characters as a hexadecimal number; Chr$ -> convert that number to its ASCII character.
72: Toss that character onto the end of aN13XBjP.
Go back to the top of the loop, grab the next two characters, treat them as hex, convert to ASCII...
Therefore the long string above becomes…
c:\Windows\System32\wbem\wmic process list /format:"a18DT.xsl"
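To make the loop above concrete, here is a Python re-implementation of that hex-pair decoder. It is an added example written for this write-up, not code from the document or the macro; the function names are mine, and the way vba_val_hex handles a non-hex character is my reading of how Val("&H...") behaves (the sample only ever feeds it clean hex anyway).

```python
# Added example: Python reconstruction of the VBA decoder described in lines
# 70-72 of macro a9iAyP. Not the macro's own code; names are my own.

HEX_DIGITS = "0123456789abcdefABCDEF"


def vba_val_hex(pair):
    """Mimic Val("&H" & pair): consume leading hex digits, stop at the first
    character that is not one, and return 0 if there were none.
    (Assumption about Val's leniency; the macro only sees clean hex pairs.)"""
    digits = ""
    for ch in pair:
        if ch not in HEX_DIGITS:
            break
        digits += ch
    return int(digits, 16) if digits else 0


def decode_hex_pairs(blob):
    """Walk the string two characters at a time (the Mid$(s, i, 2) loop),
    turn each pair into a number (Val("&H..")) and then a character (Chr$),
    appending each one to the output just as the macro appends to aN13XBjP."""
    out = []
    for i in range(0, len(blob), 2):   # counter steps by 2 each iteration
        pair = blob[i:i + 2]           # Mid$ hands back a single char at an odd tail
        out.append(chr(vba_val_hex(pair)))
    return "".join(out)


def encode_hex_pairs(text):
    """Inverse of the decoder; used only to build test input, not part of the macro."""
    return "".join(f"{ord(ch):02X}" for ch in text)


# Constructed sample: the text "wmic process list" written as hex pairs.
SAMPLE = "776D69632070726F63657373206C697374"

# The command the post recovers from the long string on line 46 of awBR7S1cN.
RECOVERED_COMMAND = 'c:\\Windows\\System32\\wbem\\wmic process list /format:"a18DT.xsl"'

if __name__ == "__main__":
    print(decode_hex_pairs(SAMPLE))
    # Round-trip the recovered command to show the decoder is a faithful inverse.
    assert decode_hex_pairs(encode_hex_pairs(RECOVERED_COMMAND)) == RECOVERED_COMMAND
```

When you pull the long string out of the macro, paste it in as the argument to decode_hex_pairs; anything that does not come out as readable text is a hint that the string has been through a second layer that this loop alone does not undo.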
It turns out that this is going to run ‘wmic process list’ in order to dump all running processes, but output them in a format called “a18DT.xsl”? That’s not normal. But onward with the script.
We now jump back to macro awBR7S1cN. Line 52 calls up a new function called aGd1Xu, which is fed “a18DT.xsl” and aQGWKsE again. Looks like this is going to deobfuscate some more text.
The information in a3gt4mDrq.azfvPRgFr.Text can be found if you open up Microsoft Visual Basic for Applications and look at the project forms. Double-click on the form and you see all of the information getting called up here.
This is a much longer string than before. This gets run through function aQGWKsE and decodes to this:
<?xml version='1.0'?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://google.com/names" ...
Looks like an .xml document? Later in macro a9iAyP, we see a file named a18DT.xsl get created and filled with the xml information we see above.
Line 98 creates a new WshShell, and later that calls wmic to start up the .xsl document that was dropped.
PART 2: a18DT.xsl
CyberChef to the rescue! Here’s the output below:
Line 20: http://wlibby71e.com/qtra/ttqr.php?l=spxo7.j12
Line 21: wscript.shell
Line 22: scripting.filesystemobject
Line 23: msxml2.xmlhttp
Line 24: savetofile
Line 25: run
Line 26: deletefile
Line 27: avEjrNV.exe
I’m not going to go into any more depth in that script, but it looks like it’s going to download (line 20) a file (line 27), and then probably run it or something. You know, like malicious things typically do.
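For anyone on the defending side, the two things worth catching here are wmic being pointed at a stylesheet that is not one of its own format keywords, and an .xsl file that carries a script block creating WScript.Shell or MSXML2.XMLHTTP objects. The Python below is an added example of that triage, not code from the post; the command lines and the two stylesheets are constructed samples (only the first command line and the XSL header come from the post), the indicator list is built from the strings recovered from a18DT.xsl above plus the msxsl:script element that lets an XSL stylesheet run script at all, and the built-in format keyword list is my own.

```python
# Added example (not from the post): defender-side triage for the
# "wmic ... /format:<dropped .xsl>" pattern analysed above. Names are my own.
import re

# /FORMAT keywords that resolve to WMIC's own stylesheets under System32\wbem
# (assumed list). Anything else is a caller-supplied stylesheet wmic will load.
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof", "rawxml",
                   "table", "value", "xml"}

FORMAT_RE = re.compile(r'/format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def wmic_custom_stylesheet(cmdline):
    """Return the /format: argument when it is not a built-in keyword, else None."""
    if "wmic" not in cmdline.lower():
        return None
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    fmt = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    return None if fmt.lower() in BUILTIN_FORMATS else fmt


# Strings the post recovers from a18DT.xsl, plus the element and object that
# give an XSL stylesheet a script body under msxsl in the first place.
XSL_INDICATORS = ["msxsl:script", "activexobject", "wscript.shell",
                  "scripting.filesystemobject", "msxml2.xmlhttp",
                  "savetofile", "deletefile"]


def xsl_script_indicators(xsl_text):
    """Case-insensitive substring check; returns the indicators found, in list order."""
    low = xsl_text.lower()
    return [ind for ind in XSL_INDICATORS if ind in low]


# Constructed process command lines (only the first one is from the post).
SAMPLE_CMDLINES = [
    'c:\\Windows\\System32\\wbem\\wmic process list /format:"a18DT.xsl"',
    'wmic.exe process list /format:csv',
    'wmic os get caption',
]

# Constructed stylesheet: the header from the post plus a minimal script block.
SAMPLE_XSL = """<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://google.com/names">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function go() {
      var sh = new ActiveXObject("WScript.Shell");
      var http = new ActiveXObject("MSXML2.XMLHTTP");
      return "";  // body intentionally omitted in this constructed sample
    }
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:go()"/></xsl:template>
</xsl:stylesheet>"""

# Constructed stylesheet with no script block, for comparison.
BENIGN_XSL = """<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:copy-of select="."/></xsl:template>
</xsl:stylesheet>"""


def triage(cmdlines, xsl_text):
    """Pair each wmic call that loads a custom stylesheet with what that sheet contains."""
    hits = []
    for cmd in cmdlines:
        fmt = wmic_custom_stylesheet(cmd)
        if fmt:
            hits.append((fmt, xsl_script_indicators(xsl_text)))
    return hits


if __name__ == "__main__":
    for fmt, inds in triage(SAMPLE_CMDLINES, SAMPLE_XSL):
        print(f"wmic loaded stylesheet {fmt!r}; script indicators: {inds}")
```

In practice the command-line check runs over process-creation telemetry and the stylesheet check over whatever file the /format: argument resolves to; a built-in keyword like csv or list gives no hit, while a file name that is not in the keyword set is the thing to pull and inspect.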
Thanks for reading!