Introduction
Ok, I know malicous documents, specifically .DOC, so how is this one different? Well, we will get to that in a bit. I wrote this posting as more of an introduction to Visual Basic script deobfuscation and hope others might find it useful/interesting.
Initial Detections
It all started with many users reporting suspicious emails. These emails were a little different from the usual "Open this email and enable macros to view the content".
First, these emails contained a .DOCX rather than the older .DOC or a .DOCM. Ok, that is odd.
Secondly, they were encrypted. The email they were attached to, gave instructions on how to open the email with the password.
Initial Analysis
So the first thing done, is to see what VirusTotal and Hybrid-Analysis have on this encrypted document. Let's see....
Not starting so good....
Maybe Hybrid has more....
Ok. So nothing much from any of the usual online sources.... To doublecheck, lets try some of our commandline tools.
So, it is a valid OLE document, however has no macros to speak of. One issue I noticed, is that OLEID states that the file is not encrypted and not a Word document. I will follow up on this in the near future.
Decrypting DOCX
So lets see about getting something useful outta this... To do this, it was quite easy. I could have used MS Word, however to be a bit safer, lets use LibreOffice....
First, we are presented with this
Ok, once the (correct) password is entered, we finally see the true document....
Interesting. Seems the document has 3 embedded objects. We will work on those in a bit. First, lets see what our tools say about the document NOW!
Ok, now that looks ALOT more malicious. So far so good I would say. What more can we tell though? Those embedded OLE objects look very suspicious. Lets check it out...
OLEVBA states there is no macro. Ok, so not using macros... Lets see what other tools we have will tell us....
Ok, OLEDUMP tells us a bit more. Three objects embedded. And they all seem to have the same sizes. Lets extract them and run a cryptographic hash to see if they are indeed the same....
So they ARE all the same. Cool. Lets look at what we got
So looks like standard Visual Basic Script, although obfuscated. Ok, so now here is where the fun begins....
Visual Basic Deobfuscation
First thing I decided to do, was load the script up in Notepad++ and turn on syntax highlighting
I find syntax highlighting helps alot. So first thing I like to do, is to start cleaning up the silly cAmElCaSe I see in the document (a simple find/replace works nicely), and put some extra whitespace between all of the functions and subroutines...
Ok, that is a bit better. First thing I notice, is the use of mathematical functions. Most likely it is used to represent simple numbers. Lets go and take care of all of those....
The KyVrqqM function being called here looks ALOT like some sort of decryption routine. Will look at this in a bit.
Another thing I noticed while doing the original deobfuscation, is that there appears to be a bunch of junk instructions.
This pattern repeats (with different variables and data) over and over and over again. When examining the variables, they are only used within these three lines. Which means they are essentially a "Do Nothing" collection of instructions. Lets delete them and see what that does to the size of our script...
WOW, doing just that, the file has gone from 464 lines, to just 170. This also revealed some other 'complication' techniques, like using a function to call a single function. We can simplify that further...
Lets see where OgkD is called, and convert it into a simple Mid itself (there are a few different functions that do this, including one for Asc, and Chr). Lets do them all and see what happens...
Down to 158 lines. So fewer gains but still, lets continue! Next I look for variables that are set but next used (a simple find or count should indicate it is safe to delete. Then I look for variables that are set to a static piece of data and then used elsewhere (non-mutable). Those can be substituted with no effect.
Down to 101 lines. That is alot of junk. Probably more there that could be removed, but so far, looks like a job well done. Code is much more readable and it is becoming clearer this script is meant to download something, write it to a file and do something with it.
One item that keeps coming up, over and over again, is this:
I am pretty sure this is some sort of decryption given the field "encodedtext", "key", offset1, offset2. Lets copy these to another file along with the function....
Two extra functions had to be added in. Looks like a mathematical one, and a possible xor script. Lets run and see what it gives...
Now that is Interesting. We have a couple of http strings, along with some commands designed to run DLLs....
Downloaded Payload
Now lets try to download those files and see what they give us...
Hmmm, the first link gives us a binary file. The 'file' command only lists it as 'data' Not very useful. What about the second file? Well that was time wasted. Unable to find a copy of the file at all. So lets start on that first one.
The file shows up in VirusTotal interestingly enough. Still not a true virus, but enough people know about it to show us something.
Something smells familiar though. My hunch is it has been xor'ed. I see some xor like function in the Visual Basic script, but I am feeling a bit lazy. Back to one of Didier's programs, XORSEARCH.
Ok, now that was easy. Lets see if we can find 73 anywhere in our script? No dice.... Oh but wait, convert from hex to decimal gives us 115. Lets look that up.... BINGO!
Looking at that last line, I noticed that the YS function appears to be that same one that looked like an XOR function. Guess I was right. XORed given ascii representation of Xb808 with 115 being the decimal key.
So, lets XOR this file and see what pops out on the other end. For this I will use Didier's tools again (xorsearch -p -s xoredfile.bin)
So this finally gives us our DLL! So lets look at what VT has to say about it....
So definitely a naughty little program. I will end it here as my DLL reversing is not yet up to where I want to post publicly about it :) Hopefully later... Hope you enjoyed!
Shout Outs
Here I want to put in a few links and shout outs to places, and tools that I have used and helped me out through my work here.
I was asked on a mailing list of mine to put in some more text. Well this might not be what he wanted, but thought I would upload a little ugly sed sled (you will see why) to help with the camel case and break things apart a little....
sed 's/function/Function/Ig' | sed 's/set/Set/Ig' | sed 's/end/End/Ig' | sed 's/if/If/Ig' | sed 's/do/Do/Ig' | sed 's/and/And/Ig' | sed 's/write/Write/Ig' | sed 's/read/Read/Ig' | sed 's/responsebody/ResponseBody/Ig' | sed 's/then/Then/Ig' | sed 's/else/Else/Ig' | sed 's/dim/Dim/Ig' | sed 's/sub/Sub/Ig' | sed 's/create/Create/Ig' | sed 's/object/Object/Ig' | sed 's/textfile/TextFile/Ig' | sed 's/environment/Environment/Ig' | sed 's/get/Get/Ig' | sed 's/asc/Asc/Ig' | sed 's/chr/Chr/Ig' | sed 's/mid/Mid/Ig' | sed 's/error/Error/Ig' | sed 's/true/True/Ig' | sed 's/status/Status/Ig' | sed 's/resume/Resume/Ig' | sed 's/send/Send/Ig' | sed 's/open/Open/Ig' | sed 's/next/Next/Ig' | sed 's/for/For/Ig' | sed 's/ to / To /Ig' | sed 's/type/Type/Ig' | sed 's/savetofile/SaveToFile/Ig' | sed 's/close/Close/Ig' | sed 's/loop/Loop/Ig' | sed 's/err.number/Err.Number/Ig' | sed 's/until/Until/Ig' | sed 's/End Function/End Function\n/g' | sed 's/End Sub/End Sub\n/g'