
Deobfuscating Cerber Download Domains and Internal Strings
- On August 22, 2016
- In Blogs
- By Chris Howell
Not long ago a suspicious-looking email with a non-standard “.dotm” attachment came across my desk for analysis. (Looks totally legit, right?) While digging into it, I figured I would share a bit on deobfuscating protected VBA strings so other cyber warriors can beat the bad guys too!
This file extension is identified as a macro-enabled Word template, not something that is normally sent via email, so we decided to take a further look and dig into it a bit.
Once opened, the document instructs the user to enable macros, which runs the malicious Visual Basic (VBA) code embedded in the document.
Once the malicious macros are enabled, an obfuscated VBScript file is dropped in the user’s “AppData\Roaming” directory and executed. This script contains obfuscated VBScript and encoded strings to thwart analysis.
Upon inspection of the code, we can see readable strings obfuscated with a combination of upper- and lower-case substitution and simple arithmetic-based techniques that can easily be read through or replaced in the code (e.g. 3016 – 3015 is equivalent to 1).
Along with these basic code obfuscation techniques to make reading and analysis difficult, the code also employs an internal function A9y() that appears to be a string decryptor routine.
To get a full understanding of what this VBA script is up to we need to decode these internal strings.
One way of approaching this is to examine the internals of the A9y() function. We can see it is not easy to decipher but with a little work we can clean it up.
We clean up the code by renaming the functions and variables to something human readable. We can see now that the encoded string is being XOR’d with the reversed keyString.
Now we could write a script that emulates the decryption function or…
…just let the VBScript do it for us. A fast and easy way is to call WScript.Echo() on the encoded strings right before the main body of the code and let the script decode them for you. (Make sure you are offline and in a sandbox environment!)
In this instance, “3C3A1D301F2D063708772930033C3C201C2D0A34203B053C0C2D” with the key “Yo” produces the string “Scripting.FileSystemObject”.
A faster way to decode all the strings is to echo all of them and dump the output to a file using the command: cscript.exe //NoLogo "C:\<path to VBS file>\24130.vbs" >> "C:\24130.txt"
We can see now that all the strings have been decoded and echoed into a text file. We can now see a callback domain and IP as well as other strings that are used by the malicious code. Now it is a matter of going back to the original source file and plugging in the decoded strings to make it more readable. Additionally, we can look for hosts connecting to the malicious sites and for hosts downloading the “mhtr.jpg” file which, in this case, turns out to be the Cerber Ransomware.
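The decoder routine described above (hex blob XOR’d against the reversed key), the bulk decode of every encoded string, and the final step of plugging the plaintext back into the source can all be done offline without running the dropper. The following Python is an added example, not code from the original post; it is checked against the one hex/key/plaintext triple the post gives. The call shape A9y("<hex>", "<key>") and the two-line sample script are assumptions constructed here for illustration, and the second hex blob is a constructed encoding of “WScript.Shell” under the same key.

```python
import re

# Hex blob and key exactly as printed on the page; the post states that
# A9y() turns this pair into "Scripting.FileSystemObject".
PAGE_HEX = "3C3A1D301F2D063708772930033C3C201C2D0A34203B053C0C2D"
PAGE_KEY = "Yo"


def xor_decode(hex_blob: str, key: str) -> str:
    """Reproduce A9y(): hex-decode the blob, then XOR every byte against the
    REVERSED key, repeating the key as needed.  XOR is symmetric, so feeding
    a plaintext (as hex) back through this function re-encodes it."""
    data = bytes.fromhex(hex_blob)
    rev_key = key[::-1].encode("latin-1")  # "Yo" -> b"oY"
    plain = bytes(b ^ rev_key[i % len(rev_key)] for i, b in enumerate(data))
    return plain.decode("latin-1")


# ASSUMPTION: the dropped script calls the decryptor as A9y("<hex>", "<key>").
# Only the function name comes from the post; the argument layout is assumed.
CALL_RE = re.compile(r'A9y\(\s*"([0-9A-Fa-f]+)"\s*,\s*"([^"]*)"\s*\)')


def decode_all(vbs_source: str) -> list:
    """Offline equivalent of echoing every string: return (hex, plaintext)
    pairs for each A9y() call found in the script text.  A literal that is
    not valid hex (odd length) is reported with plaintext None."""
    results = []
    for m in CALL_RE.finditer(vbs_source):
        hex_blob, key = m.group(1), m.group(2)
        try:
            results.append((hex_blob, xor_decode(hex_blob, key)))
        except ValueError:
            results.append((hex_blob, None))
    return results


def rewrite_calls(vbs_source: str) -> str:
    """Plug the decoded strings back into the source: replace each A9y() call
    with a quoted VB literal (embedded double quotes are doubled in VB)."""
    def substitute(m):
        try:
            plain = xor_decode(m.group(1), m.group(2))
        except ValueError:
            return m.group(0)  # leave undecodable calls untouched
        return '"' + plain.replace('"', '""') + '"'
    return CALL_RE.sub(substitute, vbs_source)


# Constructed sample in the style of the dropped script (not the real file).
# Line 1 uses the page's blob; line 2 is "WScript.Shell" encoded with key "Yo".
SAMPLE_VBS = (
    'Set fso = CreateObject(A9y("' + PAGE_HEX + '", "Yo"))\n'
    'Set sh = CreateObject(A9y("380A0C2B06291B773C310A3503", "Yo"))\n'
)


if __name__ == "__main__":
    for hex_blob, plain in decode_all(SAMPLE_VBS):
        print(f"{hex_blob} -> {plain!r}")
    print("--- readable source ---")
    print(rewrite_calls(SAMPLE_VBS))
```

Because the key is reversed before use, the first plaintext byte pairs with the last key character; the page’s own sample confirms this (0x3C XOR ‘o’ gives ‘S’, 0x3A XOR ‘Y’ gives ‘c’). Running the script over a copy of the dropped .vbs instead of SAMPLE_VBS produces the same callback domain, IP and file-name strings the post obtained with WScript.Echo(), without executing any of the malicious code.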
To learn more about Cloudburst Security’s malware and reverse engineering solutions, email us at: info@cloudburstsecurity.com