Analysis of Malicious Excel Spreadsheet | By Monnappa K A

This article is from The Unhackable Cloud edition, that you can download for free if you have an account on our website. 


Analysis of Malicious Excel Spreadsheet

Malicious Office documents are often used in targeted attacks against individuals or organizations. Attackers embed malicious code into documents, Excel spreadsheets or Adobe Acrobat PDF files. This article contains the analysis details of the malicious spreadsheet that delivered malware to its victim in a spear phishing campaign. Malware was delivered to victims via spear phishing emails as an Excel file (.xlsb). Upon opening this spreadsheet, a malware executable is dropped using the VBA macro code and to distract the user, it also opens a decoy spreadsheet.

This article focuses on the analysis details of the Excel spreadsheet and obfuscation techniques used by the attackers.

When an Excel file is opened, it prompts the user to enable a macro as shown below:

Once the macro is enabled, the VBA macro code is executed which drops the malware and the decoy spreadsheet is shown to the user as shown in the below screenshot.

 

1) Manual Analysis of VBA Macro Code

In order to understand how the malware is delivered to the victim, the VB macro code was extracted and manually analyzed.

a) Extracting the VBA macro from Excel

The first step was to extract the VB macro code. To extract the code, a tool called OfficeMalScanner was used. OfficeMalScanner comes with various options; one such option is “scan” which scans the documents for malicious artifacts. Running the OfficeMalScanner with the scan option does not reveal much because OfficeMalScanner only works with legacy binary Microsoft Office files (.doc, .xls, .ppt). Also, the OfficeMalScanner reported that the Excel spreadsheet is in Open XML format which is the new format introduced in Microsoft Office 2007.

XML-formatted versions of Microsoft Office files, which have extensions such as .docx, .xlsx, and .pptx, are actually zip-compressed archives that contain several files. This archive can be extracted using the "inflate" option of OfficeMalScanner, which will identify and extract the files that contain VB code. As you can see in the below screenshot, after running the OfficeMalScanner with inflate option, the tool identified multiple binary (.bin) files. In this case, the file with the name "vbaProject.bin" file contains extracted VB macro code in a binary format.

Running OfficeMalScanner on the extracted binary file (vbaProject.bin) with the “info” option shows that it contains the VB macro code.

b) Extracting the Malicious Payload from VB Macro

Now the VB macro is extracted, the next step is to analyze the VB macro code. Analyzing the VB code shows that to build the final payload, 9 functions (A0 to A8) are called and the results of these functions are then concatenated to form the final payload which is then written to a file with the name NTUSER.dat<guid>.exe.

Analyzing the functions (A0 to A8) shows that the payload content is obfuscated. The function uses ASCII characters codes instead of actual characters. This is to make the analysis difficult and to avoid detection by security products, such as computer antivirus and intrusion detection systems. The content of the functions A0 and A1 are shown in the below two screenshots.

To decode and get the final payload, a Python script was written which defines the exact same functions (A0 to A8) defined by the malware and then calls these functions, which decodes the malicious content (as malware does) in every function and the results from these functions (which is the decoded content) are concatenated and written to a file "decoded.bin" (exactly the same way the malware builds the final payload  "NTUSER.dat<guid>.exe"). The content of the Python script is shown below.


After running the Python script, the final payload is decoded and extracted to "decoded.bin" which is an MS DOS executable. At this point, we know that malware decodes the content by calling those 9 functions and the results are concatenated and then drops an executable file (NTUSER.dat<guid>.exe).

Searching for the md5 hash of the extracted file on VirusTotal shows that it is a malware.

c) Persistence Mechanism

Further analyzing the VBA code shows that once the executable (NTUSER.dat<guid>.exe) is generated by calling the 9 functions, it builds some content and then writes it into a batch file (tmp.bat).

To understand the content written to the batch file (tmp.bat), a Python script was written which builds the content that will be written to the batch script (tmp.bat) by decoding the encoded content (as built by the malware) and prints it to the screen. The below screenshot shows the content of the Python script.

Running the Python script shows the content that will be written to the tmp.bat file.

Now we know that the malware builds batch file (tmp.bat), which when executed, adds a registry key for persistence with the value name of "My App" and the value data will be the path to the executable "NTUSER.dat<guid>.exe" and it also deletes itself (that is tmp.bat).

d) Executing Malicious Code

Once the malware generates the executable (NTUSER.dat<guid>.exe) and the batch file (tmp.bat), it then executes these two files using cmd.exe via ShellExecute API call as shown in the below screenshot.

At this point, we know when an Excel file is opened, a malicious executable file is dropped on the disk and then a batch (.bat) file is executed which adds a registry entry for persistence and then deletes itself.

2) Sandbox Analysis of executable

The executable (decoded.exe) that was extracted using a Python script from the Excel spreadsheet was analyzed in the sandbox. The below screenshot shows the callback communication made by the executable to the C2 ip 84.11.146.62 on port 13942.

3) Sandbox Analysis of Excel

To confirm the finding of manual analysis, the Excel spreadsheet itself was run in a sandbox. After executing the Excel spreadsheet in a sandbox, you can see that Excel drops the file "NTUSER.dat<guid>.exe and the "tmp.bat" and then executes two instances of cmd.exe. This confirms our findings from the manual analysis.

Conclusion

Malicious documents are often used in targeted attacks. Analyzing such malicious documents can help the investigator/incident responder answer various questions and understand the attacker methodology.

References

  1. a) OfficeMalScanner:

http://www.reconstructer.org/code/OfficeMalScanner.zip

  1. b)  Extracting VB Macro from Malicious Documents

https://digital-forensics.sans.org/blog/2009/11/23/extracting-vb-macros-from-malicious-documents/

Author bio

Monnappa K A is based out of Bangalore, India. He works with Cisco Systems as an information security investigator focusing on threat intelligence, investigation of advanced cyber attacks. He is a core member of the security research community "SecurityXploded." His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. As an active speaker at security conferences like Nullcon and SecurityXploded, he has presented on various topics which include memory forensics, malware analysis, rootkit analysis, and also conducted training at FIRST (Forum of Incident Response and Security teams) TC in Amsterdam. He has also authored various articles in Hakin9, eForensics, and HackInsight magazines.

 

Did you liked the article? If you want to read more, check the full free edition:

The Unhackable Cloud >>

Related Magazine

May 14, 2019

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013