The initial document invites the user to enable macro execution to display the real content, silently starting the infection chain in the background while other decoy components are shown to the victim.

Figure 1. Fake pop-up error

After a few seconds, a pop-up window is shown, reporting an error related to the decryption of the document, and then the Word document is automatically closed. At this point the unaware victim may think there is a problem with the document and that nothing malicious happened, but the malware has in fact already carried out its operations in a stealthy way.

Analyzing the document view more closely, it is possible to notice a suspicious chunk of strings in the smallest box on the left of the document:

The box named “Kplkaaaaaaaz” contains a base64-encoded payload, which is extracted during macro execution and assigned to the “dopzekaoooooooo” variable. It is later used to fill the next-stage bat file.

This technique, embedding part of the payload in a Word Label object or in document cells, allows more code to be hidden directly inside the attack vector, lowering the chances of detection.

The malware also adopts an evasion technique to determine whether it is executing in a sandboxed environment. It checks whether the machine’s domain name is equal to the computer name; if this condition holds, the “Kplkaaaaaaaz” variable described above is set to “This document contains VBA.”, causing the infection chain to stop. This trick is able to bypass all the major sandboxing services, like Any.run and Hybrid Analysis.

Obfuscated macro code

After a deobfuscation phase, the malware behavior emerges. The next actions to be performed are contained in the “%temp%\errors.bat” script, which is executed by a copy of “cmd.exe” stored in the %appdata% folder under the name “msutil.exe”.
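As an added triage example (not code from the original article or from the malware's authors), the following Python covers the two techniques described above from a defender's side: it scans the text pulled out of document objects for long base64 blobs that decode to something looking like a batch script, and it flags macro lines that compare the domain name with the computer name. The sample macro source and the sample label contents are constructed for the example, and the `Environ("USERDOMAIN") = Environ("COMPUTERNAME")` form of the sandbox check is an assumption, since the page only describes the comparison, not the exact API used.

```python
import base64
import re

# Strings the page's analysis associates with the next-stage bat file.
BAT_INDICATORS = ("%temp%", "%appdata%", "errors.bat", "msutil.exe", "@echo off")

# A run of 40+ base64 alphabet characters, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_base64_blobs(text):
    """Return the decoded bytes of every long base64-looking run in text."""
    blobs = []
    for match in B64_RE.finditer(text):
        candidate = match.group(0)
        candidate += "=" * (-len(candidate) % 4)  # repair missing padding
        try:
            blobs.append(base64.b64decode(candidate, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def score_decoded(raw):
    """List which batch-script indicators appear in a decoded blob."""
    text = raw.decode("ascii", errors="ignore").lower()
    return [ind for ind in BAT_INDICATORS if ind in text]


def find_sandbox_check(vba_source):
    """Flag macro lines that compare a domain name with the computer name.

    The page describes the check only as 'domain name equals computer name';
    matching on the two words plus an '=' is a deliberately loose heuristic.
    """
    hits = []
    for line in vba_source.splitlines():
        lowered = line.lower()
        if "domain" in lowered and "computername" in lowered and "=" in lowered:
            hits.append(line.strip())
    return hits


def triage(vba_source, object_texts):
    """Combine both checks over a macro and a {object_name: text} mapping."""
    findings = {"sandbox_check": find_sandbox_check(vba_source), "embedded_scripts": []}
    for name, text in object_texts.items():
        for raw in extract_base64_blobs(text):
            indicators = score_decoded(raw)
            if indicators:
                findings["embedded_scripts"].append((name, indicators))
    return findings


# Constructed sample: what the hidden Label object might contain. The decoded
# batch text is a placeholder that only references names taken from the page.
SAMPLE_LABEL_TEXT = base64.b64encode(
    b"@echo off\r\n"
    b"rem constructed sample, not the real payload\r\n"
    b"%appdata%\\msutil.exe /c %temp%\\errors.bat\r\n"
).decode()

# Constructed sample macro; the Environ() comparison is an assumed form.
SAMPLE_VBA = """Sub AutoOpen()
  Kplkaaaaaaaz = ActiveDocument.Shapes(1).TextFrame.TextRange.Text
  ' constructed sandbox check, exact API assumed
  If Environ("USERDOMAIN") = Environ("COMPUTERNAME") Then
    Kplkaaaaaaaz = "This document contains VBA."
  End If
End Sub"""


if __name__ == "__main__":
    result = triage(SAMPLE_VBA, {"Kplkaaaaaaaz": SAMPLE_LABEL_TEXT})
    for line in result["sandbox_check"]:
        print("sandbox-evasion candidate:", line)
    for name, indicators in result["embedded_scripts"]:
        print(f"object {name!r} decodes to a script containing {indicators}")
```

In practice the `object_texts` mapping would be filled from strings extracted from the document's form controls or cells (for example with a docx/OLE parser), and the macro source from a VBA extractor; both checks are heuristics meant to surface documents for manual review, not to prove maliciousness on their own.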