Analyzing an Office Maldoc with a VBA Emulator

Today we were informed of another maldoc sample. After a quick look, we were convinced that this sample would be a good candidate for Philippe Lagadec’s VBA emulator ViperMonkey.

The maldoc in a nutshell: when the spreadsheet is opened, the VBA code builds a long JScript script and then executes it. This script contains base64 code for an executable (ransomware Petya GoldenEye version), which is written to disk and executed. The building of the script is done with heavily obfuscated VBA code, so we thought it would be a good idea to try ViperMonkey. ViperMonkey is a free, open-source VBA emulator engine written in Python. You can use it to emulate VBA code on different platforms without MS Office.

Taking a look with oledump.py at this sample (md5 b231884cf0e4f33d84912e7a452d3a10), we see it contains a large VBA macro stream:

[screenshot 20161207-140153: oledump.py output listing the streams of the sample, including the large VBA macro stream]


Here is the end of the VBA code:

[screenshot 20161207-140222: the end of the VBA code]

Let’s analyze this with ViperMonkey:

vmonkey.py sample.vir

Since there are a lot of VBA statements, it will take ViperMonkey some time (couple of minutes) to parse this:

[screenshot 20161207-134559: ViperMonkey parsing the VBA statements]

In the end we get this result:

[screenshot 20161207-135220: ViperMonkey emulation result]

ViperMonkey doesn’t identify any suspicious actions, but we see that the ActiveX object to be created is “MSScriptControl.ScriptControl”. This string was obfuscated with Chr concatenations, and ViperMonkey was able to parse it. To parse all obfuscated expressions like this, we provide option -e to ViperMonkey:

vmonkey.py -e sample.vir

[screenshot 20161207-140124: ViperMonkey output with option -e, showing the parsed expressions]


With this information, we can understand what subroutine Workbook_Open does: it executes a JScript script stored in variable LQ3.
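To see what kind of Chr-concatenation obfuscation ViperMonkey's -e option resolves, here is an added example of a small stand-alone decoder (our own illustration, not ViperMonkey code and not the sample's real macro). The VBA fragment it runs on is constructed to mimic the obfuscation style; the variable names LQ1 and LQ2 are hypothetical.

```python
import re

# Constructed VBA fragment in the style of the maldoc's obfuscation; NOT the sample's real code.
SAMPLE_VBA = '''
Sub Workbook_Open()
    LQ1 = Chr(77) & Chr(83) & "Script" & Chr(65 + 2) & "ontrol" & _
          Chr(46) & Chr(83) & "cript" & Chr(70 - 3) & Chr(111) & "ntrol"
    Set LQ2 = CreateObject(LQ1)
    LQ2.Language = Chr(74) & "Script"
End Sub
'''

# One atom of a concatenation: Chr/ChrB/ChrW(<int arithmetic>) or a "string literal" ("" escapes a quote).
ATOM = r'(?:Chr[BW]?\$?\s*\(\s*[0-9+\- ]+\s*\)|"(?:[^"]|"")*")'
# A maximal run of atoms joined by &, allowing " _" line continuations around the operator.
RUN_RE = re.compile(ATOM + r'(?:[\s_]*&[\s_]*' + ATOM + r')*', re.IGNORECASE)
ATOM_RE = re.compile(r'Chr[BW]?\$?\s*\(\s*([0-9+\- ]+)\s*\)|("(?:[^"]|"")*")', re.IGNORECASE)


def _int_arith(arg: str) -> int:
    """Evaluate the Chr() argument. Only integer constants with + and - are supported
    (e.g. "65 + 2"), which covers this obfuscation style; no eval() is used on macro text."""
    return sum(int(t.replace(' ', '')) for t in re.findall(r'[+-]?\s*\d+', arg))


def decode_run(run: str) -> str:
    """Decode one concatenation expression such as Chr(77) & "S" into its plain string."""
    parts = []
    for m in ATOM_RE.finditer(run):
        if m.group(2) is not None:                 # string literal, "" is an escaped quote
            parts.append(m.group(2)[1:-1].replace('""', '"'))
        else:                                      # Chr(...) call
            parts.append(chr(_int_arith(m.group(1))))
    return ''.join(parts)


def extract_strings(vba_source: str, min_len: int = 4) -> list:
    """Find every Chr/literal concatenation in the source and return the decoded strings,
    so an analyst can spot e.g. the ActiveX ProgID without emulating the whole macro."""
    return [s for s in (decode_run(m.group(0)) for m in RUN_RE.finditer(vba_source))
            if len(s) >= min_len]


if __name__ == '__main__':
    for s in extract_strings(SAMPLE_VBA):
        print(repr(s))
```

Run against a real macro stream (for example one dumped with oledump.py), the decoder recovers static Chr-based strings only; values built at run time by loops or arithmetic on variables still need emulation.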

How do we get the value of LQ3? We can set ViperMonkey’s log level to debug, and log the emulation of all statements. This will produce a lot of output, so it’s better to redirect this to a file.

vmonkey.py -l debug sample.vir > output.log 2> debug.log

Searching for the last occurrence of string “setting LQ3” in debug.log, we find the JScript script:

[screenshot 20161207-141806: the JScript script found at the last “setting LQ3” entry in debug.log]

This script decodes a BASE64 payload, writes it to disk and then executes it: it’s a new variant of Petya ransomware, GoldenEye.

