This malicious OneNote document contains two obfuscated batch scripts and we’ll be using our commercial Simple Batch Emulator package to understand what they do.
SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13
Continue reading “Obfuscated Batch Scripts in OneNote Document”
This malware gives us a chance to see the recently introduced Silicon Shellcode Emulator in action.
SHA256: 8CF1E49C74FB05DE954A6B70281F47E3CBD021108B0EE11F4A59667FF28BFEE9
We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516
The unidentified embedded object in the OneNote document is an ISO file.
In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables.
Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA
Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal.
An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
This analysis was originally posted as a thread on Twitter.
SHA256: B17FA8AD0F315C1C6E28BAFC5A97969728402510E2D7DC31A7960BD48DE3FCB6
By previewing the spreadsheet in Cerbero Suite, we can see that the macros are obfuscated.
An obfuscated formula looks like this:
=ATAN(83483899833434.0)=ATAN(9.34889399761e+16)=ATAN(234889343300.0)=FORMULA.ARRAY('erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT24&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT27&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT29&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT30&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT31&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT33&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT34&'erj74^#MNDKJ3OODL _ WEKJKJERKE '!AT35, AH24)=ATAN(2.89434323983348e+16)=ATAN(9.48228984399761e+19)=ATAN(2433488348300.0)
The malware uses the ATAN macro and a very long sheet name for obfuscation.
We open a new Python editor and execute the action “Insert Python snippet” (Ctrl+R).
We insert the Silicon/Spreadsheet snippet to replace formulas.
We uncomment both example regular expressions, as they were written based on this sample. One regex removes the ATAN macro and the other removes the sheet name from cell names. Since there’s only one spreadsheet, no extra logic is needed.
We then execute the script (Ctrl+E).
The script modifies 12 formulas. At this point we can easily identify CALL and EXEC macros and use the Silicon Excel Emulator to emulate them.
Just by emulating CALL/EXEC, we can see that the malware creates a directory, downloads a file into it and executes it.
Finished.
From a Twitter post by InQuest, we analyzed an interesting malware:
Encrypted MS Office Document, VBA, Windows Link File (LNK), OLE objects, Windows Help Files (CHM), PNG steganography and Powershell.
SHA256: 46AFA83E0B43FDB9062DD3E5FB7805997C432DD96F09DDF81F2162781DAAF834
The analysis should take about 15-20 minutes in Cerbero Suite.
Highly recommended!
SPOILER ALERT: The images below show all the steps of our analysis.
