This post is a continuation of the previous blog post about a recent Locky variant.
Now let’s use OfficeMalScanner to confirm the existence of bin files.
As we can see, there is indeed a vbaProject.bin (VBA macro) file in the xls archive. Macros are normally used to automate tasks in MS Excel, but malware authors use them to download or drop malicious payloads.
OfficeMalScanner extracts the archive to a folder named DecompressedMsOfficeDocument in the user's temporary directory. Running a string search (strings2) on the bin file at that location shows several URLs that the code might have tried to reach. If one can get hold of the network logs for that machine, this can be reconfirmed. The URLs accessed by this macro were: sparky.com/87t34f, ktelektro.cz/87t34f and analypia.com/8734f. Although in this case these URLs were actually hit, a string search does not always tell us whether the ASCII strings in the code are really used; sometimes malware authors leave strings and comments in the code just to confuse analysts.
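The two checks above, confirming that a vbaProject.bin member exists in the document's zip container and pulling URL-looking strings out of it, can be scripted in Python; this is an added example, not code from the original post or from OfficeMalScanner/oledump. The sample document, its fake vbaProject.bin and the example.invalid hostnames are constructed for the demo, and the decoy comment string illustrates why a string hit alone does not prove a URL was ever contacted.

```python
import io
import re
import zipfile

# Printable-ASCII runs of 4+ bytes: the same view the strings tool gives.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Loose "host.tld/path" or "http://host/path" shapes inside those strings.
URL_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}/[a-z0-9._/-]+", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # a real vbaProject.bin is an OLE2 container


def find_vba_project(doc_bytes):
    """Return the vbaProject.bin member of an OOXML (zip) document, or None."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return zf.read(name)
    return None


def ascii_strings(blob):
    """Printable-ASCII runs of at least 4 characters, as strings would list them."""
    return [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]


def url_candidates(blob):
    """URL-looking substrings found in the ASCII strings of the VBA container.
    A hit only proves the text is in the file, not that the macro uses it."""
    found = {m.group(0) for s in ascii_strings(blob) for m in URL_LIKE.finditer(s)}
    return sorted(found)


def build_sample_document(with_vba=True):
    """Constructed xlsm-style zip for the demo; the vbaProject.bin is fake and the
    example.invalid hostnames are placeholders, not real indicators."""
    fake_bin = (
        OLE_MAGIC + b"\x00" * 8
        + b'Attribute VB_Name = "Module1"\x00'
        + b"' decoy.example.invalid/unused is only a comment\x00"  # decoy string
        + b"example.invalid/87t34f\x00\xff\xfe"
        + b"http://drop.example.invalid/stage2\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", fake_bin)
    return buf.getvalue()


if __name__ == "__main__":
    blob = find_vba_project(build_sample_document())
    print("vbaProject.bin present:", blob is not None)
    for url in url_candidates(blob):
        print("string hit:", url)
```

Point the same functions at a real document by passing `open(path, "rb").read()` to `find_vba_project`, then cross-check each candidate against proxy or DNS logs before treating it as a contacted URL.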
We can extract the macros' source code from the Excel file using oledump.
The output of oledump confirms the existence of two macros as shown in the above snapshot.
We will extract streams A3 and A5 to understand the macro code further.
In the next post we will understand the behavior of the macros and the roles they play in the execution of Locky ransomware.