VBA Maldoc & UTF7 (APT-C-35)
I was asked for help with this maldoc sample: 394c97cc9d567e556a357f129aea03
It can be found on MalwareBazaar too.
Looking at it with oledump.py, we can see the VBA code:
This is the VBA code:
A couple of Declare statements for Win32 API functions.
An array is filled with hexadecimal values (&H..):
And then the Win32 API functions are called:
Let me translate their meaningless names into something more understandable:
And now we see that MultiByteToWideChar is called. Remember, for later in this analysis, that its first argument (the CodePage parameter) is 65000.
Let's grep for the 32-bit code:
And decode the hexadecimal data with re-search.py:
There are some NUL (0x00) bytes in there that we need to fix, since they are written with a single hexadecimal digit (&H0) instead of two:
And now we can convert this to binary:
This string is what gets converted with MultiByteToWideChar and code page 65000. 65000 is CP_UTF7, the code page for UTF-7, and MultiByteToWideChar produces UTF-16LE wide characters. So we need to convert this from UTF-7 to UTF-16LE. This can be done with translate.py:
This throws an error because of a byte sequence that can't be decoded as UTF-7. I'm just going to ignore the errors and see where we end up:
This is very interesting: binary data followed by source code (assembler). This is probably a mistake by the malware authors: they appended part of the source code to the binary shellcode.
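The decoding chain of the previous steps as one Python script. This is an added example, not code from the diary and not Didier's tools (re-search.py, translate.py): the 16 sample bytes, the Array-style &H emitter and the NUL terminator are constructed assumptions, since the real VBA layout and the exact MultiByteToWideChar arguments are not shown above. It goes a little further than the text: every &H literal is parsed on its own, so any value written with a single digit is handled, not only &H0, and a strict-then-ignore decode shows what the translate.py error looks like in Python.

```python
import re

# Constructed stand-in for the shellcode (16 arbitrary bytes, NOT the real
# APT-C-35 payload). It is treated as UTF-16LE code units, because that is what
# MultiByteToWideChar produces and what the VBA hands over for execution.
SAMPLE_SHELLCODE = bytes.fromhex("fc4883e4f0e8c0000000415141505251")

# One or two hex digits after &H: the VBA in the diary writes 0x00 as '&H0'.
HEX_LITERAL = re.compile(r"&H([0-9A-Fa-f]{1,2})\b")


def build_vba_array(raw: bytes) -> str:
    """Constructed emitter mimicking the maldoc (assumption): one &H literal per
    byte, without zero padding, so 0x00 becomes '&H0' and 0x0A becomes '&HA'."""
    return "arr = Array(" + ", ".join("&H%X" % b for b in raw) + ")"


def parse_vba_hex_array(vba_source: str) -> bytes:
    """Parse every &H literal on its own. int(x, 16) accepts one or two digits,
    so '&H0' and '&H00' both give 0x00. This generalises the NUL fix in the
    diary: any value below 0x10 written with a single digit is handled too,
    instead of being mis-paired with the next literal's first digit."""
    return bytes(int(m.group(1), 16) for m in HEX_LITERAL.finditer(vba_source))


def multibyte_to_widechar_utf7(data: bytes, strict: bool = True) -> bytes:
    """Emulate MultiByteToWideChar(65000 /* CP_UTF7 */, ...): UTF-7 text in,
    UTF-16LE code units out. Assumes the call used cbMultiByte = -1, i.e. a
    NUL-terminated input (assumption: the diary does not show the arguments)."""
    text = data.split(b"\x00", 1)[0]
    decoded = text.decode("utf-7", errors="strict" if strict else "ignore")
    return decoded.encode("utf-16-le")


def recover_shellcode(vba_source: str) -> bytes:
    """The whole chain from the diary: &H array -> bytes -> UTF-7 -> UTF-16LE."""
    return multibyte_to_widechar_utf7(parse_vba_hex_array(vba_source))


def decode_with_error_report(data: bytes) -> tuple:
    """Mirror what happened with translate.py: try a strict decode first and,
    on a UnicodeDecodeError, fall back to ignoring the bad input as the diary
    did. Returns (had_error, utf16le_bytes)."""
    try:
        return (False, multibyte_to_widechar_utf7(data, strict=True))
    except UnicodeDecodeError:
        return (True, multibyte_to_widechar_utf7(data, strict=False))


# Build the constructed sample the way the malware author would have: the
# UTF-16 shellcode encoded as UTF-7, then spelled out as &H literals with a
# NUL terminator (that NUL is what shows up as the single-digit '&H0').
SAMPLE_UTF7 = SAMPLE_SHELLCODE.decode("utf-16-le").encode("utf-7")
VBA_SAMPLE = build_vba_array(SAMPLE_UTF7 + b"\x00")

# A copy with a byte >= 0x80 spliced in (constructed): bytes outside ASCII are
# not valid UTF-7 and trigger the decode error; 'ignore' drops the byte and
# carries on with the rest.
CORRUPT_UTF7 = SAMPLE_UTF7 + b"\xff" + b"AB" + b"\x00"

if __name__ == "__main__":
    print(VBA_SAMPLE)
    print(recover_shellcode(VBA_SAMPLE).hex())
    had_error, out = decode_with_error_report(CORRUPT_UTF7)
    print(had_error, out.hex())
```

Run it with python3; it prints the constructed VBA array, the recovered shellcode bytes, and the error flag plus output for the corrupted copy. One caveat when applying this to a real sample: Python's UTF-7 codec and the Windows CP_UTF7 decoder need not agree on what to do with invalid input, so the bytes around an error can differ from what the maldoc actually executes.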
I will save this shellcode to disk, and analyze it with scdbg:
The shellcode executes and crashes after 3332 steps. The analysis report doesn't find anything in memory.
Let's try with the 64-bit shellcode:
This shellcode has decoded itself into memory. Let's dump it and take a look:
And here we see the URL (the protocol part is a bit garbled; this could be the result of the UTF-7 decoding error I ignored).
It turns out that this is a sample from APT-C-35, according to this blog post (I found it by searching for MyAssemblyMacrosMain, which appears in the leaked source code).
And I will need to figure out why scdbg was able to analyze the 64-bit shellcode and not the 32-bit one, because IIRC scdbg doesn't handle 64-bit shellcode ...
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com