Posts

Showing posts from September, 2018

A Deep Dive Into Obfuscated Macro

[Imported From X-Sec Blog, just for backup]

Today, let's see a malicious document with obfuscated macro.


As you can see, the document contains two macro modules. You can decompile and dump them with oledump or OfficeMalScanner; in this case, I used OfficeMalScanner to dump the macros.


The "AutoOpen" function is executed when the document is opened, so we need to analyze this function first.

From this image, we can find lots of useless code, such as:

Dim kPzzJ(2)                    ' declares a three-element array
kPzzJ(0) = Left(mMIojQ, 128)    ' assigns two of its elements ...
kPzzJ(1) = Right(QzcsN, 271)    ' ... but kPzzJ is never read afterwards

It defines an array and assigns values to its elements, but the array is never used anywhere.

After removing the useless code, only one line turns out to matter:

Shell@ znTPdbX + mBYjUWTQKAI + oUCbzPVliID, UbJHpY

It executes the command formed by concatenating three string variables, znTPdbX, mBYjUWTQKAI and oUCbzPVliID, and passes 0 as the second argument (0 -> vbHide, meaning the window in which the command runs is hidden).


As for the second macro, we can still find …

Encrypted VBScript

[Imported From X-Sec Blog, just for backup]

Recently we caught a VBScript that uses an interesting way to hide its data.

First, let me open it with UltraEdit.


As you can see, there are lots of "useless" lines, so we need to look at the end of the file.


Well, the content at the end tells us that the "useless" lines we saw before are actually useful: the script calculates the length of every line, adds 31, converts the result to a character, and then executes the decrypted script.


If you open the script file in hex mode, you can see lots of spaces (0x20 -> " ") at the end of every line. This script uses this trick to hide its data: the padding makes each line exactly as long as it needs to be to encode one character.
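The scheme above is easy to reverse once you know it. The following Python decoder is an added example, not code from the original sample or from X-Sec; it rebuilds a constructed stand-in for the padded script (comment lines padded with spaces, followed by a stub line that stands in for the real stage-2 loop), recovers the hidden text with length + 31, and adds a simple triage heuristic (ratio of lines ending in whitespace) that flags files using this trick. The stub marker "Execute" is an assumption for the constructed sample only.

```python
"""Decode the 'line length + 31' padding scheme (constructed example)."""
from typing import List

OFFSET = 31               # constant the sample adds to each line length
STUB_MARKER = "Execute"   # assumption: stage-2 stub line starts with Execute


def encode_padded_lines(payload: str, filler: str = "'") -> str:
    """Build a constructed sample that hides `payload` the way the script does:
    every line is a comment marker padded with spaces so that
    len(line) + OFFSET == ord(char). CRLF endings mimic a Windows script."""
    lines: List[str] = []
    for ch in payload:
        width = ord(ch) - OFFSET
        if width < len(filler):
            raise ValueError(f"cannot encode {ch!r}: line would be shorter than filler")
        lines.append(filler + " " * (width - len(filler)))
    # trailing stage-2 stub; stands in for the real decoder loop
    lines.append("Execute decrypted  ' stub that rebuilds and runs the hidden script")
    return "\r\n".join(lines) + "\r\n"


def decode_padded_lines(text: str, offset: int = OFFSET) -> str:
    """Recover the hidden script: one character per line, code = len + offset.
    Line terminators are dropped first (Len() in VBScript never sees them),
    but trailing spaces must be kept because they carry the information.
    Lines from the decoder stub onward are not part of the payload."""
    out: List[str] = []
    for line in text.splitlines():          # splitlines() removes CR/LF only
        if line.lstrip().startswith(STUB_MARKER):
            break
        out.append(chr(len(line) + offset))
    return "".join(out)


def trailing_space_ratio(text: str) -> float:
    """Triage heuristic: fraction of lines ending in a space. Ordinary scripts
    rarely have many such lines; this encoding needs one on almost every line."""
    lines = text.splitlines()
    if not lines:
        return 0.0
    return sum(1 for line in lines if line.endswith(" ")) / len(lines)


if __name__ == "__main__":
    sample = encode_padded_lines('WScript.Echo "hello"')   # constructed, benign
    print(repr(decode_padded_lines(sample)))
    print(f"trailing-space ratio: {trailing_space_ratio(sample):.2f}")
```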


After decryption, it's clear that the script is a downloader.

Related MD5s:

A69EE2F401EA22262F7272DC49FF6A52

3C98965423F814612729273B49F94C9B

X-Sec Antivirus Detection:

Cloud Engine:

Cloud:Trojan.Script.Downloader

[DISCONTINUED] Rising Security Cloud Client Static Scan Test

Due to some personal reasons, I decided to stop testing this product.
But its performance surprised me a lot :-)
=================================
Time: Every Saturday (most of the time)
Samples: Collected from Monday to Friday
Test Product: Rising Security Cloud Client(latest official stable version), RAMECL
=================================
2018.09.01 15:34
Samples: 2018.08.27-2018.08.31
Quantity: 246

Rising Security Cloud Client
Program Version: 3.0.0.82
Virus Definition Version: 30.0901.0001
Offline: 40/246 16.26%

RAMECL
Online: 244/246 99.19%
Offline: 20/246 8.13%
=================================
2018.09.08 18:31
Samples: 2018.09.03-2018.09.07
Quantity: 264

Rising Security Cloud Client
Program Version: 3.0.0.82
Virus Definition Version: 30.0908.0001
Offline: 57/264 21.59%

RAMECL
Online: 263/264 99.62%
Offline: 17/264 6.44%
=================================
2018.09.15 11:01
Samples: 2018.09.10-2018.09.14
Quantity: 282

Rising Security Cloud Client
Program Version: 3.0.0.82
Virus …