A friend of mine received the following mail 8 or 9 times in his inbox and wondered if I would take a look at it. How can I say no? The mail looked like this:
It has been some time since I last reversed something, so I thought it would be fun to brush up on a few things. What caught my attention was that the attachment was a .docm file. These files are often very fun to reverse. My first obstacle was actually being able to download the file: it was caught by Windows Defender immediately after download and was reported in to my Advanced Threat Protection preview. (Great!!)
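A .docm is an OOXML zip package whose macro code lives in the part word/vbaProject.bin, so a mail gateway or analyst can flag macro-enabled attachments by looking inside the package rather than trusting the extension. The following is an added example (not code from the original post), using only the Python standard library; the sample package it builds is constructed here and is not a real document.

```python
import io
import zipfile

# The OOXML part that holds the VBA project in macro-enabled Word files.
MACRO_PART = "word/vbaProject.bin"


def has_vba_project(package_bytes: bytes) -> bool:
    """Return True if the OOXML package carries a VBA project part.

    Works on the package contents, so a renamed extension does not matter.
    Non-zip input (e.g. a plain RTF or a truncated download) yields False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
            return MACRO_PART in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_constructed_package(with_macros: bool) -> bytes:
    """Constructed sample package for testing: minimal parts plus an optional
    placeholder VBA part. This is not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(MACRO_PART, b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_constructed_package(flag)
        print(f"macros={flag}: has_vba_project -> {has_vba_project(sample)}")
```

Pointing has_vba_project at a real attachment (read in binary mode) is enough to triage it; extracting and deobfuscating the macro source itself is a separate step, for which the author used the VBA debugger as described below.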
After I got the file down to a VM I started to go through the VBA macro code. I realized pretty fast that the VBA code was just a downloader for something bigger and worse. I set a breakpoint at the right place in the code and commented out the one line that actually executed the downloaded binary. The obfuscated code line that triggered execution looked like this: NOCHulicaFONARaptekaIVAGMAKO.Open (NOCHulicaFONARaptekaIVAUUUKA)
Before the VBA code tried to execute the binary, it had downloaded binary data from the following URL: hxxp://rondoncompany.bake-neko.net/HJ6bhGHV (don’t download please, you could get infected if you don’t know what you are doing)
It is not possible to go directly to this URL and download the ransomware: the code inside the Word document does some XOR-ing and other transformations on the downloaded data to turn it into a valid executable. The function and variable names in the VBA code are written in Spanish. I saw for example these words:
- PrimeraVez = FirstTime
- Actualizarentrada = InputUpdate
- Salida = exit/output
- NombreUsuario = Username
- mensaje_cancelar = message cancel
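When a downloader XORs the blob it fetched before writing it to disk, an analyst can often recover the key without stepping through the macro by testing which key turns the data into a valid PE layout (an MZ header whose e_lfanew field points at the "PE\0\0" signature). The block below is an added example, not the author's code, and it assumes a single repeating key byte, which the post does not state; the encoded input is a constructed stub, not the real payload.

```python
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (assumed scheme, see lead-in)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys on the header region; return (key, decoded)
    for the first key that yields a PE layout, or None if none does."""
    head = blob[:0x1000]  # DOS stub and PE header sit well within the first 4 KiB
    for key in range(256):
        if looks_like_pe(xor_bytes(head, key)):
            return key, xor_bytes(blob, key)
    return None


def make_constructed_pe_stub() -> bytes:
    """Constructed sample: a minimal MZ header plus a PE signature at 0x80.
    It is not an executable, only enough structure for looks_like_pe()."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    header += struct.pack("<I", 0x80)            # e_lfanew = 0x80
    header += b"\x00" * (0x80 - len(header))     # pad up to the PE signature
    header += b"PE\x00\x00" + b"\x00" * 0x20     # signature + a little padding
    return bytes(header)


if __name__ == "__main__":
    stub = make_constructed_pe_stub()
    encoded = xor_bytes(stub, 0x5A)              # simulate the downloader's XOR
    result = recover_xor_key(encoded)
    print("recovered key:", None if result is None else hex(result[0]))
```

Because the first two bytes must decode to "MZ", at most one key byte can match, so a hit is unambiguous; if no key produces a PE layout, the macro is doing something beyond a single-byte XOR and the debugger route the author took is the way to go.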
Here are some screenshots of the VBA code:
Decrypt function:
Obfuscation/misleading using SQL strings (I really hoped I would find a username and password to an SQL server 😉):
The function calls that actually download and execute the downloaded malware:
The file I got down using the VBA code was the Zepto ransomware. It was dropped as ferdoxs.exe and had the following SHA256 sum: 945936b46faed93f1aadfa9894ece1d06f86033048c5fc07f73fbe1f23a40fe0
I did not have the time to start reversing Zepto, but you can read more about it here: http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
VirusTotal reported that only 15 engines had coverage when I submitted it:
My desktop after executing Zepto and placing a bogus hand.exe file inside the same folder:
I hope that this blog post can raise a little awareness about what a malware phishing mail looks like. The Word document was completely empty. The most fun part was that Windows Defender in Windows 10 actually blocked me from downloading the Word document, since it contained a malware downloader. That is nice, and kudos to Microsoft!