An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.
SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740
The following is the Python code which mimics the VBA extraction code.
from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext
v = proContext().getCurrentAnalysisView()
if v.isValid():
view = SiliconSpreadsheetWorkspaceView(v)
ws = view.getSpreadsheetWorkspace()
sheet = ws.sheetFromName("Final Offer")
col = SiliconSpreadsheetUtil.colIndex("BS")
text = ""
for i in range(100, 701):
cell = sheet.getCell(col, i)
if cell.isEmpty():
continue
text += cell.value
print(text[::-1])
Note: the code must be executed while the spreadsheet is open in the analysis view.
In the upcoming version of Profiler Advanced we have introduced a new useful action, namely the URL Download action.
Many times in previous posts we have analyzed some malware which at the end of its shellcode ended up downloading a binary from the internet and executing it. We thought it would be nice to give our users the possibility to anonymously download content from the internet in order to continue the analysis.
One way to download anonymously from the internet using our new action is via Tor. On Windows it’s sufficient to install and run the Tor browser.
The action will automatically try to load a possible URL from the current context, be it hex view, text editor or clipboard.
The dialog of the action offers different configuration settings: headers, user agent, download method (direct, SOCKS4, SOCKS5) along with relative parameters, anonymity check and also what to do with the downloaded content (either download it to file or preview it in a hex view).
Since we’re using Tor, we can either use the SOCKS4 or 5 method. We specify our local address and the port onto which Tor is listening for connections, in this case 9150.
The anonymity check is performed against our own https secured server: it will fetch the real IP by connecting to our server and then try to connect again via the secure method.
When the anonymity verification option is selected, before downloading the payload, we are asked by a message box to confirm the success of the anonymization.
If we click on OK, Profiler will then fetch the actual payload.
If we chose to preview the content in a hex view and decide later that we want to save it on disk, we can do so by selecting all the bytes (Ctrl+A) and then copying them into a new file via the copy menu.