Maldoc uses template injection for macro execution

I recently came across a handful of malicious office documents (maldocs) whose network traffic struck me as slightly odd. As you can see in the screenshot below, there are several HTTP requests to the hxxp://moveis-schuster-com.[ga] domain and some of these requests appear to be for a DOTM file. A DOTM file is a macro-enabled Office template file, so I dug in a bit more. As is typical in my workflow, I first inspected the document using oledump – no macros. This is no surprise, as the HTTP traffic would indicate that the macros come later. My next step was…


Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record

Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately executing macro code, the document goes on to prompt the user to click an “Unlock File” button and enter a password to decrypt the protected file. This is when the malicious behavior begins: the authors implemented RC4 to decrypt a PowerShell script. The…
