Malware Analysis 11/02/2022

I’ve been asked to investigate a case in which a user received a phishing email, asking the user to click on a link to open a PDF Document.

The link points to a Google Drive hosted file, which is not a PDF but a VBS (Visual Basic Script) file.

Please note that the file is UTF-16 encoded (contains Unicode strings). On my first attempts, I screwed everything because I was copy/pasting the content to a UTF-8 document.

After a bit of cleanup, I modified the script to print the commands instead of executing them on lines :
– 25/26
– 70/71

Now the execution calls were disabled, I could safely run the script and check the output :

stage01.vbs output

In yellow, the script moves itself into the Startup section of the Start Menu. This is for persistence and this is built by lines 11-27.

In blue, this is a PowerShell script that is built by lines 29-71.

To go one step further, I copy/pasted the blue part of the output to a PowerShell script, commented the execution part, and added a print of the variable (line 4).

Now the execution call is disabled, I could safely run the script :

stage02.ps1 Output

In yellow, the script downloads a file from hxxp[://]91[.]241[.]19[.]49/CRYPS/F3dll[.]txt and decodes it from base64 encoding.

I did these 2 operations (wget + base64) in my Linux VM. The file command indicates now that the downloaded file is a .NET DLL File :

File identified as a .NET DLL

In blue, the script loads the .NET DLL File and invoke it’s “Run” function with a string as parameter.

The parameter is a reversed string for the URL for hxxp[://]pastie[.]org/p/1xXctK7tSjDf8p1GCEfaRd/raw but this URL was not reachable anymore at the time of this analysis.

The hash of the .NET DLL file is already known and flagged as malicious by Virus Total : HERE

Virus Total Results

I didn’t dive into the DLL but most probably it is a dropper that would download another payload from the unavailable URL and execute it …

Maybe next time 🙂

Dll fileSHA2565F0609ECE865E1BE9E9A138DB367289F16B331ABBEEFCD032B2CCBFCB877D09E

Leave a Comment

Your email address will not be published. Required fields are marked *