Maldoc drops DLL and executes via ExecuteExcel4Macro

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of Powershell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why – it was using ExecuteExcel4Macro to load and execute a hidden DLL. Looking at the Macros Using Oledump, several macro streams where identified in this document (17 – 20, 23 – 24). Additionally, it contains a stream OLE 1.0 embedded data (see stream 4 above). This…

Read more

Maldoc uses Windows API to perform process hollowing

A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the code inside, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks through shellcode analysis using Ghidra on YouTube Starting with the Macros To get started, inspect the macros and see where the code begins execution. For this document, this begins with the Document_Open function – which can be found in the ThisDocument stream. As is often…

Read more

Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record

Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately executing macro code, the document goes on further to prompt the user to click an “Unlock File” button and enter a password to decrypt the protected file. This is when the malicious behavior begins and the authors implemented RC4 to decrypt a PowerShell script. The…

Read more