Looking at the Macros
Using oledump, several macro streams were identified in this document (17 – 20, 23 – 24).
Additionally, it contains an OLE 1.0 embedded data stream (see stream 4 above). This can also be seen in the Office document:
If you select this document object, it will write it to a temp location within the operating system, usually %USER%\AppData\Local\Temp\<TEMP FILENAME> – you can see the complete path location by right-clicking on the object and selecting Packager Shell Object Object -> Properties. If you inspect this file, you’ll see that it is a “COM executable for DOS” with a size of 606 KB. You might be thinking this is it – our malware, but there’s a little more to go.
Tracing The Macros
As you can see from the OLEDUMP output from above, in addition to the macro streams there are also several user forms (streams ending with an ‘f’ and ‘o’). These are often used to store additional resources needed during execution and will be significant here. The macros begin execution under the WorkBook_Activate function, which is primarily responsible for calling the Show method of one of the user forms.
This will, in turn, call the corresponding Activate function for that user form. This simply calls another function – NigebrednehC.
This function is responsible for all of the significant functionality and we’ll explore some of the highlights here.
Dropping the DLL
The first thing this function does is create strings that represent several locations in the user’s TEMP folder structure.
ofbl is the location where the DLL will be dropped; in this document that was %USER%/AppData/Roaming/Microsoft/Windows/Templates/rofce.dll. ctackPup will be used to create a copy of the document itself as paper.xlsx in %TEMP%. ctackPop will be.. Finally, ctackPip is the Excel document written to %TEMP% with a .zip file extension.
Once the document has been copied (via the function VistaQ and FileCopy), the two copies will be present in the user's temp folder.
The next step is to copy the embedded object out of the original spreadsheet. To do this, the macros make use of the structure of the Excel document (an OOXML zip) and copy the object directly from paper.xlsx->xl->embeddings->oleObject1.bin to the %TEMP% folder.
I mentioned that this isn’t quite the payload. The next function to be called is Composition. This opens the file oleObject1.bin (extracted above) and reads through it until it encounters the magic bytes of a PE file – 4D 5A (MZ). Once these bytes are encountered, it reads until the end of the file, discarding everything before them. There is the beginning of a PE file closer to the start of the stream that doesn’t include the MZ bytes; I suspect this was used as obfuscation.
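The carving step described above, as an added example that is not part of the original post and not the macro's own code: a Python routine that, like Composition, discards everything before the MZ signature, but also validates that e_lfanew points at a PE\0\0 signature, so the decoy PE header without MZ bytes (or a stray "MZ" inside the OLE wrapper) is not mistaken for the payload. The input blob is constructed here, not taken from the analysed document.

```python
import struct
from typing import Optional

PE_SIG = b"PE\x00\x00"

def naive_carve(blob: bytes) -> Optional[bytes]:
    """What the post describes Composition doing: drop everything before the
    first 'MZ' and keep the remainder of the file."""
    idx = blob.find(b"MZ")
    return None if idx < 0 else blob[idx:]

def carve_trailing_pe(blob: bytes) -> Optional[bytes]:
    """Same idea, but only accept an 'MZ' whose e_lfanew (offset 0x3C) points
    at a 'PE\\0\\0' signature inside the blob, so junk bytes in the OLE 1.0
    wrapper or a decoy header cannot produce a false hit."""
    pos = 0
    while (idx := blob.find(b"MZ", pos)) >= 0:
        if idx + 0x40 <= len(blob):                       # room for a DOS header
            e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
            end = idx + e_lfanew + 4
            if e_lfanew >= 0x40 and end <= len(blob) and blob[end - 4:end] == PE_SIG:
                return blob[idx:]
        pos = idx + 1                                     # keep scanning
    return None

def coff_machine(pe: bytes) -> int:
    """Machine field of the COFF header (0x014C = i386) from a carved image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return struct.unpack_from("<H", pe, e_lfanew + 4)[0]

def build_sample() -> bytes:
    """Constructed test input (hypothetical, not from the real oleObject1.bin):
    an OLE-style prefix with a stray 'MZ' and a decoy 'PE\\0\\0' that has no
    DOS stub, followed by a minimal MZ/PE skeleton (e_lfanew = 0x80, i386)."""
    prefix = (b"\x02\x00\x00\x00" + b"oleObject1.bin\x00"
              + b"MZ\xff\xff" + PE_SIG + b"\x00" * 37)   # exactly 64 bytes
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew -> 0x80
    coff = PE_SIG + struct.pack("<H", 0x014C) + b"\x00" * 18
    return prefix + bytes(dos) + b"\x00" * (0x80 - 64) + coff

if __name__ == "__main__":
    sample = build_sample()
    print("naive carve starts at offset", len(sample) - len(naive_carve(sample)))
    print("validated carve starts at offset", len(sample) - len(carve_trailing_pe(sample)))
```

Run against a real extracted oleObject1.bin, the validated carve gives the offset at which the embedded DLL actually begins, which is what you would hash and submit for further analysis.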
Executing the DLL
Finally, the DLL is ready for execution. This is done with a call to ExecuteExcel4Macro, invoking CALL with the path to the DLL so that it is loaded and run.
This has proven to be a stealthy way of executing code on the host once macros are enabled, as there is no child process activity to trace. This can be seen in the following Any.Run activity – there is a DNS request from the Excel process to get-downloads.com, but no additional observable process activity such as the execution of a PowerShell script (or similar).