Vidar maldocs (11.6.2019) – Extracting the shellcode and finding the URL

We will be working off of this document today. It is another document that ends up downloading an executable that any.run identifies as vidar. But how do we get from the document to downloading the executable? Let’s find out.

After extracting the macros, we can see that they are very similar to the document we saw the other day. However, there is a significant difference. In this case, the strings that become the shellcode are hidden elsewhere in the document.

How then can we get at that shellcode? If you’ll recall, the macros in these documents allocate some memory, place the shellcode there, and then execute it. If we set a breakpoint in the macro after the shellcode is placed in memory but before it executes, we can extract it. See below:

vidar11.png

Remember, s2 holds the memory address of the buffer s1, which is where the shellcode lives. In our instance s2 = 235423969, which is 0x0E0848E1 in hex. vp stands for VirtualProtect; it changes the protection of that memory region to read/write/execute (PAGE_EXECUTE_READWRITE). A region that is written and then flipped to executable is exactly the pattern to watch for.


Extracting the code from memory: Process Hacker

Open Process Hacker, double-click the WINWORD.EXE process to open its properties, and choose the Memory tab to see every memory region WINWORD.EXE has mapped. All we need to do is scroll down to the region that contains our address and expand it.

In this case, the address we’re looking for is 0x0E0848E1, which falls between 0xdd00000 and 0xe100000. Expand 0xdd00000 and we can see the 0xe084000 page; 0x0E0848E1 is 0x8E1 bytes into it. Note also that the Protection column marks that region as RWX, which is what the VirtualProtect call produced.

vidar12.png

Double-clicking 0xe084000 shows us the actual bytes in that region. Scroll down to offset 0x8E1 and you can see the code. You can save this entire region and inspect it later at your leisure.

vidar13.png


Extracting the code from memory: x32dbg

Another way to get at the shellcode is to extract it with a debugger such as x32dbg. There are probably more efficient ways than how I will be proceeding, but I will be setting a breakpoint at 0x0E0848E1 so that execution stops at that location and the shellcode can be dumped.

To do this, open x32dbg.exe and attach it to WINWORD.EXE.

vidar14.png

It will take a few moments for x32dbg to attach itself to the process. But when it does you will see assembly in all of its glory.

vidar15.png

We would like to jump to the code stored at 0x0E0848E1. Type the breakpoint command shown below into the Command line near the bottom of the screen and hit ‘enter’.

vidar16.png

We can then click on the “Breakpoints” tab near the top of the screen and see that a breakpoint has been set at 0x0E0848E1.

vidar17.png

Double-click on that location and you will be brought back to the main screen, with the memory dump pane positioned at 0x0E0848E1 so you can see the code stored from that address onward. You can then copy those bytes and save them for examination.

vidar18.png

But what can we do with the results? Here is the ASCII from above stored as a .bin file.

vidar19.png

Upon visual inspection, we can see what looks like might be a URL of sorts… but everything is all jumbled up. How can we make sense of this?


Disassembler to the rescue! (sort of)

A disassembler can take an executable (or the raw binary above) and translate it into assembly language. I will be using IDA Pro (the free version). Toss ascii.bin into IDA Pro, choose all of the defaults, and you will be presented with something like this:

vidar20.png

If we had a billion dollars (give or take), there is a wonderful plugin (the Hex-Rays decompiler) that can be purchased to turn all of this assembly into actual readable code. However, I don’t have a billion dollars.

Therefore, we will have to be a bit more manual with this one. Scrolling down a bit, we can see a long series of push instructions. Each push writes its 4-byte immediate operand onto the stack, so a run of them builds a string in memory piece by piece (a classic stack string); once the whole string is in place, a pointer to it is handed to whatever function consumes it.

vidar21.png
Push it real good.

In this case, all of the information being pushed is a series of hex values. To display them as characters, click on an operand and press R (or right-click and choose the line starting with ‘x’).

vidar22.png

Continuing down the line we get to the end where we see this pop out:

vidar23.png

That last line contains a backwards http. Two reversals are at work here: x86 is little-endian, so the 4-byte constant that IDA shows as ‘ptth’ is stored in memory as the bytes h, t, t, p; and because the stack grows downward, the last chunk pushed ends up at the lowest address, so the pushes appear in reverse order relative to the string. If we keep tracing it backwards, we can see the rest of the http://162.218… and so on. Some manual copy/paste could be done at this point to reconstruct the URL. I took it and used CyberChef to remove the single quotes and reverse the string. However you choose to do it, this string gets assembled into:

hxxp://162.218.210.202/WQRrAzdICaGh7THV/DbegcjODZNhoeY10.php?fUwWF7e6PoMQXA~~=GQ3zv9e44z7-my6fV4QTvsCr8fYItc6ubAjqaahhBF9E_KTa7ck6uZkLb0C6EpAoKus~

And as we saw earlier, it downloads vidar.
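The copy/paste and CyberChef step above can be scripted. The following is an added example, not code from the original post: it parses push lines copied out of an IDA listing (either the raw hex immediates or the character constants shown after pressing R), undoes both reversals described above, and returns the stack string. The listing it runs on is constructed for illustration and builds a placeholder URL rather than the one found in the document.

```python
import re

# Matches the operand of an IDA-style push line: a hex immediate with IDA's
# trailing 'h' (push 70747468h), a small decimal immediate (push 0), or the
# character constant IDA shows after pressing R (push 'ptth'). Register and
# offset pushes do not match and are skipped. A trailing comment is allowed.
PUSH_RE = re.compile(
    r"\bpush\s+(?:(?P<hex>[0-9A-Fa-f]+)h|(?P<dec>\d+)|'(?P<chars>[^']*)')\s*(?:;.*)?$"
)


def push_operands(listing):
    """Return the 4-byte memory image of each immediate pushed, in program order."""
    chunks = []
    for line in listing.splitlines():
        m = PUSH_RE.search(line)
        if m is None:
            continue
        if m.group("hex") is not None:
            chunks.append(int(m.group("hex"), 16).to_bytes(4, "little"))
        elif m.group("dec") is not None:
            chunks.append(int(m.group("dec")).to_bytes(4, "little"))
        else:
            # IDA prints a character constant most-significant byte first, so
            # 'ptth' is the dword 0x70747468, which sits in memory as "http".
            raw = m.group("chars").encode("latin-1")[::-1]
            chunks.append(raw.ljust(4, b"\x00"))
    return chunks


def rebuild_stack_string(listing):
    """Reassemble the string that a sequence of pushes builds on the stack."""
    chunks = push_operands(listing)
    # The stack grows downward: the last push lands at the lowest address,
    # so memory order is the reverse of program order.
    data = b"".join(reversed(chunks))
    return data.rstrip(b"\x00")


# Constructed listing (not from the document on the page): six pushes that
# build "http://example.invalid/" plus its NUL terminator. The last two have
# already been converted to character constants with R, the rest are raw hex.
SAMPLE_LISTING = """\
seg000:00000100    push    2F6469h
seg000:00000105    push    6C61766Eh
seg000:0000010A    push    692E656Ch
seg000:0000010F    push    706D6178h
seg000:00000114    push    'e//:'
seg000:00000119    push    'ptth'
seg000:0000011E    push    esp             ; pointer to the finished string
seg000:0000011F    call    eax
"""

if __name__ == "__main__":
    print(rebuild_stack_string(SAMPLE_LISTING).decode())
```

Paste the push block straight out of IDA; address prefixes and comments are ignored, and a push of a register (the pointer handoff at the end) does not contribute bytes. If the compiler emitted the string with mov instructions into stack slots instead of pushes, the same little-endian decoding applies but the slot offsets, not program order, give the byte order.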

Thanks for reading.

Trickbot Analysis – Part 1: Macro Analysis

This is the first in a three-part series of analysis on this malicious document.

Part 1: An analysis of the extracted macros.

Part 2: An analysis of the locked document.

Part 3: An analysis of the dropped javascript file.


Macro Analysis

I extracted the macros using OfficeMalScanner. It dumped two files, NewMacros and ThisDocument. We can see that ThisDocument contains Sub AutoClose(). This means the macro runs when you close the document, not when you open it, which matters if your sandbox only opens the file and never closes it.

trickbotmacro01

The sub named Tokio is located in NewMacros. It pulls from other variables in that same file.

trickbotmacro02

A little bit of searching, copying, and pasting in that file allows us to piece together line 28.

VBA.CallByName VBA.CreateObject("Shell.Application"), "ShellExecute", VbMethod, "WScript", "/e:JScript """ & glob & """", "open", 1

The variable glob holds the name of the file that is going to be executed, and that’s what is unusual about this document: not only does it drop a new file to disk, it runs that file as JScript. WScript’s /e: switch selects the script engine explicitly, so the file runs as JScript regardless of its extension, which is why the dropped file can be a .css. A sub called Oslo is used to drop a .css file with the same name as the original .docm file.

trickbotmacro03.PNG

Line 40 grabs the name of the current document and replaces .docm with .css. Line 48 creates the new file. Notice how it takes its content from ActiveDocument.Content.Text: the payload is stored as the visible text of the document body itself. If you were to open the document, you would see this:

trickbotmacro04

The data that gets dumped into the .css file is all of the yellow text above. In fact, from this point you could copy and paste all of that yellow text into a new text file and find all of the same javascript.
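Because the payload is the document body text, it can be recovered without running the macro. The following is an added example and not part of the original post: it unzips a .docm in memory, reads word/document.xml, joins the text runs paragraph by paragraph (roughly what ActiveDocument.Content.Text returns), and applies the same .docm to .css rename as line 40. The build_sample_docm helper constructs a minimal OOXML package so the example runs offline; the paragraphs it contains are harmless placeholders, not the real dropped script.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS


def document_text(docm_bytes):
    """Return the body text of a .docm/.docx, one line per paragraph.

    Word's Content.Text separates paragraphs with carriage returns; newlines
    are used here so the result diffs cleanly against the dropped file.
    """
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    lines = []
    for para in root.iter(W + "p"):
        pieces = []
        for node in para.iter():
            if node.tag == W + "t":
                pieces.append(node.text or "")
            elif node.tag == W + "br":      # soft line break inside a paragraph
                pieces.append("\n")
            elif node.tag == W + "tab":
                pieces.append("\t")
        lines.append("".join(pieces))
    return "\n".join(lines)


def dropped_file_name(doc_name):
    """Mirror line 40 of the macro: same name with .docm swapped for .css.

    Assumption: the macro does a simple extension replace, case-insensitively.
    """
    return re.sub(r"\.docm$", ".css", doc_name, flags=re.IGNORECASE)


def recover_dropped_script(doc_name, docm_bytes):
    """Return (name, content) of the file the Oslo sub would write to disk."""
    return dropped_file_name(doc_name), document_text(docm_bytes)


def build_sample_docm(paragraphs):
    """Construct a minimal OOXML package in memory (sample input for this
    example, not the document analysed on the page)."""
    body = "".join(
        '<w:p><w:r><w:t xml:space="preserve">%s</w:t></w:r></w:p>' % escape(p)
        for p in paragraphs
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm(['var s = "constructed sample";', "if (1 < 2) WScript.Echo(s);"])
    name, script = recover_dropped_script("Order_details_U96144.docm", sample)
    print(name)
    print(script)
```

For a real sample, replace the constructed package with the bytes of the .docm and write the returned content out under the returned name; the result should match what the macro would have dropped, minus any runtime changes the script makes to itself.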

Extracting Macros – oledump.py

Another fantastic and easy-to-use tool for extracting macros is oledump.py by Didier Stevens. You can find the tool here. It’s super easy to use, so let’s get to it. The document that I’m using can be found here.

oledump.py

All you need to do is point oledump.py at a document and let it fly. In the stream listing, streams that contain macros are marked with the letter M next to their index (an uppercase M means the stream holds VBA code; a lowercase m means it holds only Attribute lines).

oledump
M is for ‘macro’.

You need to use two switches to dump the macros to the screen. I don’t find that nearly as useful as redirecting the output to a .txt file. Repeat for each stream marked M.

-s  Select a stream by its index and dump its contents.

-v  Decompress the selected stream (VBA source is stored compressed, so without -v you get the raw bytes).

oledumpextract.PNG

After this, you can look at the extracted macros at your leisure!
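What the -v switch does (and what OfficeMalScanner’s info mode does as well) is decompress the module stream, which is stored in the MS-OVBA CompressedContainer format. The following is an added example and not code from oledump.py or the original post: a pure-Python decompressor for that format, run against a small container constructed by hand so the copy-token path is exercised. The constructed bytes encode "Sub Tokio()\r\nEnd Sub\r\n", with the second "Sub" stored as a back-reference to the first.

```python
import struct


def decompress_vba_stream(compressed):
    """Decompress an MS-OVBA CompressedContainer and return the source bytes.

    Container: 0x01 signature, then chunks. Each chunk has a 16-bit LE header:
    bits 0-11 = chunk size - 3 (header included), bits 12-14 = 0b011,
    bit 15 = 1 if the chunk is compressed (token stream) else raw 4096 bytes.
    """
    if not compressed or compressed[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos < len(compressed):
        header = struct.unpack_from("<H", compressed, pos)[0]
        chunk_size = (header & 0x0FFF) + 3
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed_flag = header >> 15
        chunk_end = min(len(compressed), pos + chunk_size)
        pos += 2
        chunk_start = len(out)              # decompressed base of this chunk
        if not compressed_flag:
            out += compressed[pos:pos + 4096]   # raw chunk: literal bytes only
            pos += 4096
            continue
        while pos < chunk_end:
            flag_byte = compressed[pos]     # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flag_byte >> bit) & 1:
                    out.append(compressed[pos])   # literal token: one byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", compressed, pos)[0]
                pos += 2
                # Copy token: the split between offset and length bits widens as
                # the chunk fills, so it depends on how much is decoded so far.
                distance = len(out) - chunk_start
                bit_count = max((distance - 1).bit_length(), 4)  # ceil(log2), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):     # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


# Constructed container (not taken from any document on the page). Header 0xB017:
# compressed flag set, signature 011, size field 23 -> 26 bytes including header.
# The copy token 0x8000 is decoded at distance 17 (bit_count 5): offset field
# 16 -> offset 17, length field 0 -> length 3, copying "Sub" from the start.
SAMPLE_CONTAINER = (
    b"\x01"
    b"\x17\xB0"
    b"\x00" b"Sub Toki"
    b"\x00" b"o()\r\nEnd"
    b"\x02" b" " b"\x00\x80" b"\r\n"
)

if __name__ == "__main__":
    print(decompress_vba_stream(SAMPLE_CONTAINER).decode())
```

In a real vbaProject.bin the module stream starts with a performance cache, and the compressed source begins at the offset recorded for that module in the dir stream; oledump locates it for you, so feed this function the bytes from that offset onward rather than the whole stream.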

Extracting Macros – OfficeMalScanner

There are a couple of ways to extract macros from a Word document. What follows is one of my go-to tools, OfficeMalScanner. We’re going to be using a .docm file called Order_details_U96144.docm. You can download it here.

SHA256: ABD44B168E3E0E5585570BE6695E3511FAADE07301A64550282D98704A57B525

OfficeMalScanner (link)

This tool is an old one, but it is a workhorse for me. There are a few options here, but when it comes to ripping out macros, you’re going to need the two options called ‘info’ and ‘inflate’.

info: Use this for the older style .doc files and the like (and for an extracted vbaProject.bin); it will save any macros to a new folder.

inflate: Use this for the newer style .docx/.docm files and the like; it will unzip the document into a temporary directory.

OfficeMalScanner

Using OfficeMalScanner with the inflate switch below, you can see that it unzipped the document (a .docm is just a zip archive, so any unzip tool does the same) and saved it here: C:\Users\REM\AppData\Local\Temp\DecompressedMsOfficeDocument.

OfficeMalScanner-inflate
Note the yellow text at the bottom. It tells you what to do next.

You will want to find the file named VBAPROJECT.BIN under the WORD folder (the OLE container that holds the VBA project) and run OfficeMalScanner on it with the info switch, as the message says.

OfficeMalScanner-vbaproject

Two macros have been extracted. You can now check them out with your favorite text editor.