Co-authored by Ghanashyam Satpathy and Gustavo Palazolo Eiras
Summary
Malicious Microsoft Office documents are a popular vehicle for malware distribution. Many malware families such as Emotet, IcedID, and Dridex abuse Office documents as their primary distribution mechanism. Attackers have long used phishing emails with malicious Microsoft Office documents, often hosted in popular cloud apps like Box and Amazon S3 to increase the chances of a successful lure. The techniques being used with Office documents are continuing to evolve.
In October 2020, we analyzed samples that used advanced techniques including:
- Constructing a PowerShell script and WMI namespaces at runtime.
- Using VBA logic obfuscation to evade static and signature-based detections.
In January 2021, we examined samples that used obfuscated, embedded XSL scripts to download payloads.
In May 2021, we examined APT samples that abused LoLBins to decode and inject the payload.
In this blog post, we will examine a malicious Office document detected by Netskope, known as BazarLoader, which uses the “Microsoft Office XML Flat” file format and Living-off-the-Land techniques to carry out and execute an HTA-based payload.
Analysis
In this blog post, we will examine a malicious Microsoft Word document, containing the following techniques:
- Malicious VBA macros
- Malicious HTA file dropped in disk by the macros
- Usage of “mshta.exe” to execute the HTA file
- Usage of “regsvr32.exe” to execute the final DLL payload
Both “mshta.exe” and “regsvr32.exe” are legitimate files from Windows, used by this sample to connect to the C&C servers and to download and execute the next stage payloads. This technique is known as Living-off-the-Land (LoL), which consists of using legitimate binaries to perform malicious activities.
Embedded Payload
The sample is a “Microsoft Office XML Flat File Format Word Document”, as seen below in the text editor. The contents include the encoded binary data for VBA, a PNG file, and the content for the HTA.
After opening the document in Microsoft Word, the document asks the victim to click the “Enable Editing” and “Enable Content” buttons. The HTA data is stored in the same page, however, the attacker changed the font size and color to make it invisible.
After changing the font size and color, the obfuscated text can be seen.
The macro code has an auto-trigger routine to execute as soon as “Enable Content” is clicked. Once the main function is called, the code is deobfuscated and executed through an additional three VBA functions inside the document, as we can see below.
The macro code does custom deobfuscation of the text by removing “5fif2” with the following line of VBA code.
Replace(ActiveDocument.Range.Text, "5fif2", "")
Further, it saves the HTA content into the “C:\programdata\sds.hta” file and executes it using the “MSHTML.exe” binary from Windows.