
Trojan Dropper: O97M/Vawtrak (Stage 1)

McAfee Labs recently described a malicious Word 97 (W97M) document with VBA macros that carries an executable (Fareit, aka Pony) in the properties of a UserForm. The criminals use the UserForm to keep the macro itself clean: the key ingredients (URLs, malicious scripts, keywords and, in this case, the whole payload) are stored as UserForm data, where scanners that only look at macro code do not see them. Analyzing the streams that hold VBA code is therefore not enough.

Fareit, aka Pony, is dropped into the %temp% directory. This second-stage executable steals all the credentials it can find and then downloads the third-stage malware, Vawtrak. The embedded executable was not detected by my set of YARA rules, so I took a closer look at this variant.

Fig. 1: Contents of the malicious W97M document

The document claims to contain an RSA-encrypted message and asks the reader to click "Enable Content" to see the decrypted text. This is a standard social engineering trick to get the victim to enable the malicious macro, which writes the embedded executable to disk and runs it.

SHA256: b57d4554cc35824d9c0f1476d9afdafd1a1f5adc0b247ee3ea2c943d56ed1da6
SHA1: 54e0d47d48d42e736117c0a309a95792438572d9
MD5: e56a57acf528b8cd340ae039519d5150
File size: 504K (513536 bytes)
File name: account.doc
Magic: The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
File Type: DOC
MIME Type: application/msword
TrID: 80.0% (.DOC) Microsoft Word document (32000/1/3); 20.0% (.) Generic OLE2 / Multistream Compound File (8000/1)

VirusTotal: 38/57 Report

Metadefender: 3/43 Report

Download: account.doc.zip (password is infected)


Fig. 2: oledump output. The name of stream 8 ends with /o, which indicates that the stream contains a UserForm

Fig. 3: Stream 8 contains an embedded ASCII hex-encoded executable

Fig. 4: ASCII hex-encoded PE file inside the VBA form

Fig. 5: YARA rule to detect an ASCII hex-encoded PE file inside a VBA form

Fig. 6: Extracting the ASCII hex-encoded PE file with pe-carv.py
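The detect-and-carve step shown in Figs. 3 to 6, as an added Python example; this is not the post's YARA rule or pe-carv.py but a stand-alone reimplementation of the idea. It scans a raw stream for long runs of ASCII hex digits, decodes them, validates the MZ/PE headers, and trims the result to the end of its last section. The sample "o" stream and the PE-shaped blob inside it are constructed for the demo (they are not the Fareit/Pony sample), and `carve_from_document` assumes the third-party `olefile` package is installed if you point it at a real .doc.

```python
import re
import struct
from typing import List, NamedTuple

# A maximal run of ASCII hex digits long enough to hold at least a DOS header (64 bytes).
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{128,}")


class CarvedPE(NamedTuple):
    offset: int   # byte offset of the encoded "MZ" inside the stream
    data: bytes   # decoded image, trimmed to the end of its last section


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_image_size(data: bytes) -> int:
    """On-disk size of a PE image: the end of whichever section ends last (or of the headers)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    end = table + 40 * nsect
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_pe_offset(decoded: bytes) -> int:
    """Offset of the first 'MZ' in decoded that really heads a PE image, else -1."""
    mz = decoded.find(b"MZ")
    while mz != -1:
        if looks_like_pe(decoded[mz:]):
            return mz
        mz = decoded.find(b"MZ", mz + 1)
    return -1


def carve_hex_pe(stream: bytes) -> List[CarvedPE]:
    """Carve every ASCII-hex-encoded PE from a raw stream (e.g. a UserForm 'o' stream)."""
    found = []
    for m in HEX_RUN.finditer(stream):
        run = m.group(0)
        # Neighbouring property bytes that happen to be hex digits glue onto the front of
        # the run and shift the nibble alignment, so both alignments are tried.
        for shift in (0, 1):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) & ~1]           # fromhex needs an even digit count
            decoded = bytes.fromhex(chunk.decode("ascii"))
            off = find_pe_offset(decoded)
            if off != -1:
                image = decoded[off:]
                found.append(CarvedPE(m.start() + shift + 2 * off, image[: pe_image_size(image)]))
                break
    return found


def carve_from_document(path: str):
    """Walk every stream of an OLE2 document and carve hex-encoded PEs from each.
    Assumes the third-party olefile package; UserForm data sits in streams ending in '/o'."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return [("/".join(parts), pe)
                for parts in ole.listdir(streams=True, storages=False)
                for pe in carve_hex_pe(ole.openstream(parts).read())]
    finally:
        ole.close()


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a PE-shaped, non-runnable blob
    with one 32-byte section (64-byte DOS header, COFF header, one section header, data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # 1 section, no optional header
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x20, 0x1000, 0x20, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + b"\xCC" * 0x20                      # 0x80 header bytes + 0x20 data


def build_fake_form_stream() -> bytes:
    """Constructed stand-in for a UserForm 'o' stream: binary property data around the
    hex-encoded PE, with a stray hex-looking byte ('A') glued to the front of the run."""
    encoded = build_fake_pe().hex().upper().encode("ascii")
    return b"\x00\x02\x00\x00Caption\x00\xffA" + encoded + b"\x00\x00\x10\x01Tag\x00"


if __name__ == "__main__":
    for pe in carve_hex_pe(build_fake_form_stream()):
        print(f"hex-encoded PE at stream offset {pe.offset}: {len(pe.data)} bytes after decoding")
```

Trimming to the section table matters on real samples: the hex run usually ends exactly where the image ends, but property data after it can also be hex-looking, and without the trim those bytes would be appended to the carved file and change its hash.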

Fig. 7: Carved executable (opened with 010 Editor v7)

Fig. 8: Fingerprinting the document with Document-Inspector

Fig. 9: Analyzing with Document-Inspector

Fig. 10: Detecting, extracting and analyzing the embedded ASCII hex-encoded PE file

Fig. 11: Checking public sandboxes and network analysis

Links:
McAfee Labs – W97M Downloader Serves Vawtrak Malware
https://github.com/evild3ad – contains_ascii_hex_encoded_pe_file.yara
pe-carv.py – ASCII Hex and Overlays
VirusTotal – Carved Executable (Fareit aka Pony)
