McAfee Labs recently found a malicious Word 97-2003 document with VBA macros that carries an executable (Fareit aka Pony) stored in the properties of a UserForm. The criminals use UserForms to keep the main macro clean: the key ingredients (malicious URLs, scripts, keywords, and in this case the whole payload) are stored in the UserForm's property streams to avoid detection. So it is not enough to analyze only the streams that contain VBA macro code; the form storages have to be examined as well.
Fareit aka Pony is dropped into the %temp% directory. This second-stage executable steals all the credentials it can find and then downloads the third-stage malware, Vawtrak. The embedded executable was not detected by my set of YARA rules, so I took a closer look at this variant.
The document body shows what purports to be an RSA-encrypted message, and the criminals want you to click "Enable Content" to view the decrypted contents. This is a standard social engineering trick to get the victim to enable the malicious macro, which then drops the embedded executable and executes it.
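The following Python is an added example, not code from the original post, from McAfee Labs, or from the linked pe-carv.py or YARA rule. It shows the carving step in its simplest form: find runs of ASCII hex that start with "4D5A", decode them, and accept a hit only if the MZ header's e_lfanew field points at a "PE\0\0" signature. That last check is what separates a real embedded executable from any stray "4D5A" in property text. The fake PE image and the surrounding property stream are constructed here; the function and constant names (build_fake_pe, SAMPLE_STREAM, carve_ascii_hex_pe) are this example's own.

```python
import re
import struct
import sys

# Constructed, non-malicious stand-in for an embedded executable: an MZ header
# whose e_lfanew (offset 0x3C) points at a "PE\0\0" signature, plus padding.
def build_fake_pe(pe_offset: int = 0x80, total: int = 0x100) -> bytes:
    img = bytearray(total)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_offset)          # e_lfanew
    img[pe_offset:pe_offset + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_offset + 4, 0x014C)    # IMAGE_FILE_MACHINE_I386
    return bytes(img)

FAKE_PE = build_fake_pe()

# Constructed stand-in for a UserForm property stream: the hex text sits
# between other property values. The second "4D5A..." run is a decoy that
# decodes fine but has no PE signature where e_lfanew points.
SAMPLE_STREAM = (
    b"\x00\x00Caption\x00Form1\x00Tag\x00"
    + FAKE_PE.hex().upper().encode("ascii")
    + b"\x00ControlTipText\x004D5A" + b"00" * 80 + b"\x00"
)

# "4D5A" followed by at least 62 more hex pairs, i.e. a full 64-byte DOS header.
HEX_PE_RE = re.compile(rb"4[Dd]5[Aa](?:[0-9A-Fa-f]{2}){62,}")


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ magic and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_ascii_hex_pe(blob: bytes):
    """Return [(offset_in_blob, decoded_bytes)] for every validated hex-encoded PE."""
    found = []
    for m in HEX_PE_RE.finditer(blob):
        data = bytes.fromhex(m.group(0).decode("ascii"))
        if looks_like_pe(data):
            found.append((m.start(), data))
    return found


if __name__ == "__main__":
    # Usage: python carve.py <file>  (scans the raw bytes; see note below)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for off, pe in carve_ascii_hex_pe(blob):
        name = f"carved_{off:08x}.bin"
        with open(name, "wb") as fh:
            fh.write(pe)
        print(f"hex-encoded PE at offset 0x{off:x}, {len(pe)} bytes -> {name}")
```

Scanning the whole .doc as a flat byte string only works when the property stream's sectors happen to be contiguous in the OLE2 container; if the hex text is split across non-adjacent sectors, extract the UserForm stream first (for example with oledump.py or olefile) and run the carver over the extracted stream.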
File size: 504K (513536 bytes)
File type: The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
File type identification: 80.0% (.DOC) Microsoft Word document (32000/1/3); 20.0% (.) Generic OLE2 / Multistream Compound File (8000/1)
VirusTotal: 38/57 (Report)
Metadefender: 3/43 (Report)
Download: account.doc.zip (password: infected)
McAfee Labs – W97M Downloader Serves Vawtrak Malware
https://github.com/evild3ad – contains_ascii_hex_encoded_pe_file.yara
pe-carv.py – ASCII Hex and Overlays
VirusTotal – Carved Executable (Fareit aka Pony)