Malicious VBA

In this LetsDefend challenge, an employee received a suspicious document attached to an invoice email. The document was sent to me for further investigation.

Without a sandbox in which to safely detonate the macro (VBA runs inside a Microsoft Office application rather than as a stand-alone program, so the extracted code cannot simply be executed), I resorted to static analysis, examining the contents of the document in Notepad within my virtual machine. Within the first few lines, I identified several variables assigned strings in an encoding I did not recognise at first. Using CyberChef, I copied the strings and tried decoding them with a number of different methods, until I discovered they were sequences of numeric character codes (the values VBA's Chr() and ChrW() functions turn into characters), which the "From Charcode" operation decodes.

Concatenating the strings in the order the macro joins them and decoding the result revealed the domain hosting a payload that the document downloads upon detonation. The attacker used a URL shortener to mask the real domain. Following the same procedure for the strings that came next, I decoded the file name the payload is saved under once fetched from that domain: "dropped.exe".

I continued this process for all variables, until I decoded a string that appeared to reference an HTTP request object. I did not know what this was at first, but a quick Google search taught me that this is how a macro establishes HTTP connections to fetch files and objects from remote web servers. But what was it connecting to? Other decoded strings supplied the User-Agent header the request would send.

Based on the areas of text written in plaintext, it was clear that the attacker was creating objects to later use on the victim machine. Further decoding uncovered that the attacker had created an ADODB.Stream object. With its stream type set to binary rather than text, ADODB.Stream handles raw bytes, which is how droppers write the HTTP response body (the downloaded executable) to disk without corrupting it. Googling the object helped me learn how this was accomplished.

I continued along this decoding path and discovered the WMI class the attacker was using to launch the payload: win32_process. WMI class names are case-insensitive, so this is the native Win32_Process class, obfuscated only by its lowercase spelling. Calling its Create method starts the executable under the WMI provider host (WmiPrvSE.exe) rather than as a direct child of the Office process, which breaks the Office-spawns-executable parent-child chain that many detections key on. This would enable the attacker to execute a number of different commands via WMI that would likely go unnoticed.
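The manual CyberChef loop described above can be scripted. The following is an added example written for this writeup, not code from the LetsDefend challenge or from the author: it walks a macro line by line, decodes every Chr()/ChrW() chain and every quoted list of decimal character codes, and labels the decoded strings that matter to an analyst (download URL, executable name, ADODB.Stream, Win32_Process). The macro text, the variable names, the placeholder domain example.invalid and the helper name D() are all constructed for the example; the real sample's strings and domain are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the obfuscated macro in the writeup (not the
# challenge's actual file). Each string is hidden either as a chain of Chr()
# calls or as a quoted list of decimal character codes passed to a helper D().
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim a, b, c, d
    a = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(105) & Chr(110) & Chr(118) & Chr(97) & Chr(108) & Chr(105) & Chr(100)
    b = D("100 114 111 112 112 101 100 46 101 120 101")
    c = D("65,68,79,68,66,46,83,116,114,101,97,109")
    d = D("119 105 110 51 50 95 112 114 111 99 101 115 115")
End Sub
'''

# Chr(104), ChrW(104), Chr$(104): capture the numeric code.
CHR_CALL = re.compile(r'Chr[W$]?\(\s*(\d+)\s*\)', re.IGNORECASE)
# A quoted run of decimal codes separated by spaces and/or commas.
CODE_LIST = re.compile(r'"((?:\d{1,5}[ ,]+)+\d{1,5})"')
# "var = <expression>" assignment lines.
ASSIGN = re.compile(r'\s*(\w+)\s*=\s*(.*)')

# Labels an analyst wants flagged in the decoded output.
INDICATORS = {
    'url':           re.compile(r'^https?://', re.IGNORECASE),
    'executable':    re.compile(r'\.exe$', re.IGNORECASE),
    'binary_stream': re.compile(r'^ADODB\.Stream$', re.IGNORECASE),
    'wmi_process':   re.compile(r'^Win32_Process$', re.IGNORECASE),  # case-insensitive, like WMI
}


def decode_chr_chain(expr: str) -> str:
    """Join the characters of every Chr()/ChrW() call in a VBA expression."""
    return ''.join(chr(int(n)) for n in CHR_CALL.findall(expr))


def decode_code_list(codes: str) -> str:
    """Turn '104 116 116 112' or '104,116,116,112' into text (CyberChef From Charcode)."""
    return ''.join(chr(int(n)) for n in re.split(r'[ ,]+', codes.strip()) if n)


def extract_strings(vba: str) -> List[Tuple[str, str]]:
    """Return (variable, decoded string) for each assignment that hides a string."""
    found = []
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        decoded = decode_chr_chain(rhs)
        if not decoded:
            decoded = ''.join(decode_code_list(lst) for lst in CODE_LIST.findall(rhs))
        if decoded:
            found.append((var, decoded))
    return found


def classify(decoded: str) -> str:
    """Label a decoded string by the first indicator it matches, else 'other'."""
    for label, rx in INDICATORS.items():
        if rx.search(decoded):
            return label
    return 'other'


def analyse(vba: str) -> Dict[str, Tuple[str, str]]:
    """Map each variable to (decoded string, indicator label)."""
    return {var: (s, classify(s)) for var, s in extract_strings(vba)}


if __name__ == '__main__':
    for var, (text, label) in analyse(SAMPLE_VBA).items():
        print(f'{var:<4} {label:<14} {text}')
```

Run against a real macro, the report gives the same artefacts the writeup recovered by hand: the download URL, the dropped file name, the ADODB.Stream object used to write the binary to disk, and the Win32_Process class used to launch it. Strings assembled by other means (string reversal, XOR, Split on a delimiter) need their own decoder; the indicator table is the part worth reusing unchanged.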