Malicious Document
This analysis was started from a Word document that I downloaded from virusshare.com.
We can see in the image below that a macro is attached to this Word document.
With the olevba tool we can see that there is an AutoOpen function. This function runs when the Word document is opened.
We can copy the code to Notepad++ to hide the unnecessary lines.
In the following image we can see on line 43 that we have the Shell command.
Having found the OS command, I would like to print the payload with the MsgBox function.
In the following image we can conclude that we got a batch command. This payload consists of many variables that, chained together, generate a command for the operating system.
From here on, I saved the payload to an external file.
To deobfuscate the code, I divided it into 3 parts:
1- Setting the variables
2- Chaining the variables into one string
3- Running the command
Then I ran each part separately in the Windows command line, and printed the resulting string instead of running it.
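As an added example (not part of the original analysis), here is a small Python emulator of the three steps above: it records the `set` assignments, expands `%var%` and `%var:~start,len%` references the way cmd.exe would, and returns the final command lines instead of executing them. The batch text embedded in it is constructed to mimic the variable-chaining style, not the real payload.

```python
import re

# Constructed sample (not the real payload) in the writeup's variable-chaining style.
SAMPLE = r"""
@echo off
set _p=powersh
set _q=ell
set "_r=Write-Output"
set _s=Hello from the deobfuscator
set _t=%_p%%_q% -NoProfile -Command "%_r% '%_s:~0,5%'"
%_t%
"""

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def expand(text, env):
    """Resolve %VAR% and %VAR:~start,len% as cmd.exe does; undefined refs stay literal."""
    def sub(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        val = env[name]
        if start is None:
            return val
        s = int(start)
        if length is None:
            return val[s:]
        n = int(length)
        return val[s:s + n] if n >= 0 else val[s:n]
    return VAR_RE.sub(sub, text)

def deobfuscate(script):
    """Emulate the batch script without running it: return (variables, expanded command lines)."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "echo off", "rem ", "::")):
            continue
        line = expand(line, env)  # cmd.exe expands %vars% before running a line
        m = re.match(r"set\s+(.+)$", line, re.IGNORECASE)
        if m and "=" in m.group(1):
            body = m.group(1)
            if body.startswith('"') and body.endswith('"'):
                body = body[1:-1]  # the set "name=value" form strips its quotes
            name, _, value = body.partition("=")
            env[name.strip().lower()] = value
        else:
            commands.append(line)  # recorded instead of run, as in the writeup
    return env, commands
```

Calling `deobfuscate(SAMPLE)` yields the single reconstructed PowerShell command line without anything being executed.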
So far we can understand that the VBA script runs a batch script, which in turn calls a PowerShell script.
Let's investigate the PowerShell script.
We can see that the PowerShell script tries to download an exe file ("GGu.exe") from several sites, save it, and execute it.
From static analysis with pestudio we can see that the file has a lot of malicious indicators and is already known in the wild.
Let's start the dynamic analysis. We run the Sysinternals tool Process Monitor and export its output to a CSV file.
We can use the ProcDOT tool to import the CSV file, which gives us the following images:
In the following image we can see that the malware tried to: reach some malicious domains; change registry values, disabling the proxy; and gain persistence via startup.