Static Analysis: Locky Osiris

This post is a continuation of the previous blog post about the recent Locky (Osiris) variant.

Now let's use OfficeMalScanner's inflate mode to confirm that the document carries a vbaProject.bin file.

[Screenshot: OfficeMalScanner inflate output]

As we can see, there is indeed a vbaProject.bin (VBA macro) file inside the Excel file's ZIP archive. Macros are normally used to automate tasks in MS Excel, but malware authors use them to download or drop malicious payloads.

OfficeMalScanner extracts the archive into a folder named DecompressedMsOfficeDocument in the user's temporary directory. Running a strings search (strings2) over the vbaProject.bin file at that location shows several URLs that the macro may have tried to reach: sparky.com/87t34f, ktelektro.cz/87t34f and analypia.com/8734f. If the network logs for the infected machine are available, this can be confirmed there. In this case these URLs were in fact contacted, but in general a string search does not tell us whether an ASCII string is actually used by the code: malware authors sometimes leave decoy strings and comments in the code to confuse analysts. Note also that VBA module source inside vbaProject.bin is stored LZ-compressed (MS-OVBA), so strings pulled from a raw module stream can be truncated or split; the decompressed source is the reliable place to look.

[Screenshot: strings2 output]

We can extract the macros' source code from the Excel file using oledump (oledump.py).

[Screenshot: oledump stream listing]

The output of oledump confirms the existence of two macro streams, flagged with an M in the listing, as shown in the above snapshot.

We will extract streams A3 and A5 (oledump's -s option selects a stream and -v decompresses the VBA source) for a closer look at the macro code.

[Screenshot: oledump stream dump]
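What oledump's -v option does to a module stream is the MS-OVBA decompression from section 2.4.1 of that specification. The following Python is an added example, not code from the original post, from oledump or from OfficeMalScanner: it re-implements the decompressor so the stream format can be studied without the tool, builds a valid container from a constructed VBA module (the module text and its Fetch helper are invented for the demo), and pulls URL-like strings out of the decompressed source, which is the step the strings2 pass above approximates on compressed data. The hand-built COPY_TOKEN_SAMPLE exercises the copy-token path that a literal-only container never hits.

```python
"""Decompress an MS-OVBA CompressedContainer (VBA module stream) and extract URLs.

Added example; independent re-implementation of [MS-OVBA] 2.4.1, not oledump's code.
"""
import math
import re
import struct

CHUNK_SIGNATURE = 0b011     # bits 12-14 of every chunk header
RAW_CHUNK_SIZE = 4096       # an uncompressed chunk always carries 4096 data bytes


def decompress_vba(container: bytes) -> bytes:
    """Return the decompressed bytes of a CompressedContainer."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3                 # includes the 2-byte header
        if (header >> 12) & 0x7 != CHUNK_SIGNATURE:
            raise ValueError(f"bad chunk signature at offset {pos}")
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(container))
        pos += 2
        if not compressed:
            out += container[pos:pos + RAW_CHUNK_SIZE]     # raw chunk, no tokens
            pos += RAW_CHUNK_SIZE
            continue
        chunk_start_out = len(out)
        while pos < chunk_end:
            flags = container[pos]                         # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])             # LiteralToken
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # CopyToken: the offset/length bit split depends on how far into the
                # decompressed chunk we are (CopyTokenHelp in the spec).
                diff = len(out) - chunk_start_out
                if diff == 0:
                    raise ValueError("copy token at start of chunk has nothing to copy")
                bit_count = max(math.ceil(math.log2(diff)), 4)
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = ((token & ~length_mask & 0xFFFF) >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start_out:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):                    # byte-wise: source may overlap dest
                    out.append(out[src + i])
    return bytes(out)


def compress_vba_literals(source: bytes) -> bytes:
    """Build a valid CompressedContainer using only LiteralTokens (no LZ matching).

    Real compressors emit CopyTokens too; this is just enough to produce test input.
    3640 source bytes + 455 flag bytes = 4095 bytes of chunk data, within the 4096 limit.
    """
    out = bytearray(b"\x01")
    step = 3640
    for start in range(0, len(source), step):
        piece = source[start:start + step]
        data = bytearray()
        for i in range(0, len(piece), 8):
            data.append(0x00)                              # flag byte: eight literals
            data += piece[i:i + 8]
        header = 0x8000 | (CHUNK_SIGNATURE << 12) | (len(data) + 2 - 3)
        out += struct.pack("<H", header) + data
    return bytes(out)


# Crude URL matcher for decompressed VBA source (domain/path, optional scheme).
URL_RE = re.compile(rb"(?:https?://)?[\w.-]+\.[a-z]{2,}/[\w./-]+", re.I)


def extract_urls(source: bytes) -> list:
    return [m.decode("ascii", "replace") for m in URL_RE.findall(source)]


# Constructed module text for the demo; Fetch is a hypothetical helper, not from the sample.
SAMPLE_VBA = (
    b"Attribute VB_Name = \"Module1\"\r\n"
    b"Sub Auto_Open()\r\n"
    b"    Dim u As String\r\n"
    b"    u = \"http://sparky.com/87t34f\"\r\n"
    b"    Call Fetch(u)\r\n"
    b"End Sub\r\n"
)

# Hand-built container: one compressed chunk with literals "ABCD" followed by a
# CopyToken (0x3001: offset 4, length 4), which decompresses to "ABCDABCD".
COPY_TOKEN_SAMPLE = bytes.fromhex("01 06 b0 10 41 42 43 44 01 30")


def demo() -> dict:
    roundtrip = decompress_vba(compress_vba_literals(SAMPLE_VBA))
    return {
        "roundtrip_ok": roundtrip == SAMPLE_VBA,
        "urls": extract_urls(roundtrip),
        "copy_token": decompress_vba(COPY_TOKEN_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real sample, feed decompress_vba the bytes of the module stream after its source offset (the MODULEOFFSET from the dir stream), which is what oledump locates for you; the container always starts with the 0x01 signature byte, so a stream that does not begin with it has not been sliced at the right place.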

In the next post we will understand the behavior of the macros and the roles they play in the execution of Locky ransomware.
