Connecting the Dots

While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What piqued my interest was that every cell's value was either empty or contained a float in the range 0.0 to 2800.0. Let's find a sample in our data and get it done!

Figure 1 – Analysis of VBA Macros

We can see from olevba and oledump that the spreadsheet contains VBA macro code and has a function triggered by an ActiveX event. Let’s see what hellioso does.

Figure 2 – hellioso VBA function

Much of the VBA code overlaps my previous analysis: loop over all cells containing constants (xlCellTypeConstants), perform some deobfuscation, and split the resulting data on various special characters. What we are interested in is the deobfuscation technique, and this one is rather innovative.

Basically, a list is initialized, and then the float value in each cell determines the offset into the list to modify, while the row of the cell, mapped to an ASCII character, determines the value written at that offset. The second half of the deobfuscated data (okd) must be the XLM macro, as each command is inserted into the spreadsheet and executed. The data is split on ] to separate each command. The first half of the deobfuscated data (nnk(0)) is probably a list of URIs, as any ? in the XLM macro is replaced with a random element from this list. The data is split on $ to separate each URI. If we dump the cells from this spreadsheet and load them into Python, we can quickly deobfuscate the code and dump any IoCs.
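The decoding step described above, as an added Python example rather than the post's own script. It assumes the cell dump is a list of (row, column, float) records, that the row number is used directly as the ASCII code of the hidden character, and that "|" separates the URI half from the XLM half (the post only states the "]" and "$" separators); the sample content is constructed and harmless.

```python
import random
from typing import List, Tuple

# Assumptions for this example (not stated in the post): cells are dumped as
# (row, column, value) records, the row number is the ASCII code of the hidden
# character, and "|" separates the URI half from the XLM half. The post does
# state that commands are split on "]" and URIs on "$".
CMD_SEP, URI_SEP, HALF_SEP = "]", "$", "|"
Cell = Tuple[int, int, float]  # (row, column, float value)


def deobfuscate(cells: List[Cell], size: int = 2800) -> str:
    """Rebuild the hidden string: the float is the offset into a buffer and
    the cell's row (taken as an ASCII code) is the character written there."""
    buf = [""] * size
    for row, _col, value in cells:
        buf[int(value)] = chr(row)
    return "".join(buf)


def split_payload(data: str) -> Tuple[List[str], List[str]]:
    """Return (uris, xlm_commands) from the rebuilt string."""
    uri_half, xlm_half = data.split(HALF_SEP, 1)
    uris = [u for u in uri_half.split(URI_SEP) if u]
    commands = [c for c in xlm_half.split(CMD_SEP) if c]
    return uris, commands


def resolve_placeholders(commands: List[str], uris: List[str],
                         rng: random.Random = random.Random()) -> List[str]:
    """Substitute each '?' with a randomly chosen URI, as the macro does."""
    return [c.replace("?", rng.choice(uris)) for c in commands]


def obfuscate_for_demo(text: str, seed: int = 1) -> List[Cell]:
    """Constructed input: scatter `text` into cells the inverse way, so the
    example runs offline without a real spreadsheet dump."""
    rng = random.Random(seed)
    cells = [(ord(ch), rng.randint(1, 50), float(i)) for i, ch in enumerate(text)]
    rng.shuffle(cells)  # cell order in a dump does not matter to the decoder
    return cells


# Constructed, harmless sample content (not the real sample's data).
SAMPLE = ("https://a.example/x.zip$https://b.example/y.rar|"
          '=ALERT("?")]=HALT()')

if __name__ == "__main__":
    data = deobfuscate(obfuscate_for_demo(SAMPLE))
    uris, commands = split_payload(data)
    print(uris, resolve_placeholders(commands, uris))
```

On a real dump, only `deobfuscate` and `split_payload` are needed; the URI list is the IoC output worth extracting.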

Figure 3 – Loading and Deobfuscating the Data

And the email that started it all.

Figure 5 – Original Email

Appendix – IoCs

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.