While reviewing the backlog of blogs and news articles that always accumulates over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What piqued my interest was that every cell's value was either empty or contained a float in the range 0.0 to 2800.0. Let's find a sample in our data and get it done!
We can see from olevba and oledump that the spreadsheet contains VBA macro code and has a function triggered by an ActiveX event. Let’s see what
Much of the VBA code overlaps my previous analysis: loop over all cells containing constants (xlCellTypeConstants), perform some deobfuscation, split the resulting data on various special characters. What we are interested in is the deobfuscation technique, and this one is rather innovative.
Basically, a list is initialized, and then the float value in each cell determines the offset into the list to modify, while the row of the cell, mapped to an ASCII character, determines the value written there. The second half of the deobfuscated data (okd) must be the XLM macro, as each command is inserted into the spreadsheet and executed. That data is split on "]" to separate each command. The first half of the deobfuscated data (nnk(0)) is probably a list of URIs, as any "?" in the XLM macro is replaced with a random element from this list. That data is split on "$" to separate each URI. If we dump the cells from this spreadsheet and load them into Python, we can quickly deobfuscate the code and dump any IoCs.
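The reconstruction described above, written out as an added Python example (not the blog's script and not the malware's VBA). The page does not give the exact mappings, so the example assumes the float's integer part is the list index, the cell's row number is the character code, and the URI half and the XLM half are separated by a single "|" character; the cells, URIs and XLM commands are constructed for the demo.

```python
"""Rebuild an XLM macro from float-valued cells (added example with assumed mappings)."""
import random
import re

# Assumed separator between the URI list and the XLM macro in the decoded buffer.
HALF_SEP = "|"


def obfuscate(uris, xlm_commands, half_sep=HALF_SEP):
    """Constructed encoder so the demo has something to decode.

    Returns (row, column, float) cells in sheet order (row-major), so the decoder
    cannot rely on dump order and must use the floats, as the real sample forces.
    Assumed layout: row = ord(char), column = position + 1, float = position + 0.25.
    """
    plain = "$".join(uris) + half_sep + "]".join(xlm_commands)
    cells = [(ord(ch), pos + 1, pos + 0.25) for pos, ch in enumerate(plain)]
    cells.sort(key=lambda c: (c[0], c[1]))  # mimic a row-major cell dump
    return cells


def deobfuscate(cells):
    """The float selects the slot in the list, the row selects the ASCII character.

    Cells whose slot is never written (the empty cells in the sheet) stay empty.
    """
    size = max(int(value) for _row, _col, value in cells) + 1
    buf = [""] * size
    for row, _col, value in cells:
        buf[int(value)] = chr(row)
    return "".join(buf)


def extract_iocs(decoded, half_sep=HALF_SEP):
    """Split into the URI list (first half, '$'-separated) and XLM commands (second half, ']'-separated)."""
    if half_sep not in decoded:
        raise ValueError("decoded buffer has no URI/XLM separator; check the assumed mapping")
    uri_part, xlm_part = decoded.split(half_sep, 1)
    uris = [u for u in uri_part.split("$") if u]
    commands = [c for c in xlm_part.split("]") if c]
    return uris, commands


def expand_macro(commands, uris, seed=None):
    """Replace every '?' placeholder with a random URI, as the VBA does before inserting each command."""
    rng = random.Random(seed)
    return [re.sub(r"\?", lambda _m: rng.choice(uris), cmd) for cmd in commands]


# Constructed sample: reserved example domains and harmless XLM commands.
SAMPLE_URIS = ["https://example.com/a", "https://example.net/b"]
SAMPLE_XLM = ['=SET.NAME("u","?")', "=RETURN()"]


def run_demo(seed=1):
    """End to end: encode the sample, decode it from the cells, pull out IoCs and the expanded macro."""
    cells = obfuscate(SAMPLE_URIS, SAMPLE_XLM)
    decoded = deobfuscate(cells)
    uris, commands = extract_iocs(decoded)
    return uris, commands, expand_macro(commands, uris, seed=seed)


if __name__ == "__main__":
    found_uris, found_cmds, macro = run_demo()
    print("URIs:", found_uris)
    print("XLM:", macro)
```

With a real dump, replace obfuscate() with the (row, column, value) triples read from the sheet's constant cells and adjust the three assumed mappings until extract_iocs() finds the separator.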
And the email that started it all.
Appendix – IoCs
| IoC Type | IoC Value |
|---|---|