2016-09-29
Not very obfuscated malware code
In the incoming spam I noticed some unsolicited attachments, always a sign of danger. In this case they were Excel files (application/vnd.ms-excel), so I checked those with olevba, part of the oletools package. And indeed there was macro code to be run at startup, with multiple warnings about suspicious behaviour, such as usage of "command" which can run PowerShell commands. Having a look at the code showed very clearly that the macro was up to no good! I am used to quite interesting attempts at obfuscating macro code, so it was funny to see this bit with olevba:

    Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)

The URL where the malware is downloaded was also quite readable in the macro.
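The string splitting seen above can be undone mechanically when triaging macro source. The following is an added example, not code from the original post or from oletools: it folds adjacent VBA string literals joined by `&` or `+` and reports keywords that only become visible after folding. The function names and the `SUSPICIOUS` watch list are assumptions made for this example, and the input is plain macro source text such as olevba prints.

```python
import re

# A VBA string literal: "..." where an embedded quote is written as "".
LITERAL = r'"(?:[^"\r\n]|"")*"'
LITERAL_RE = re.compile(LITERAL)
# Two or more literals joined by & or + (both concatenate strings in VBA).
CONCAT = re.compile(rf'{LITERAL}(?:\s*[&+]\s*{LITERAL})+')

# Constructed watch list for this example, not an exhaustive one.
SUSPICIOUS = ("rundll32", "powershell", "cmd.exe", "wscript",
              "regsvr32", "http://", "https://")


def fold_literals(line):
    """Collapse "a" & "b" into "ab" so split keywords become visible."""
    def join(match):
        parts = LITERAL_RE.findall(match.group(0))
        # Strip the outer quotes; inner "" escapes stay valid in the result.
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return CONCAT.sub(join, line)


def scan_macro(source):
    """Return (line_no, folded_line, hits) for keywords hidden by splitting."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith("'") or code.lower().startswith("rem "):
            continue  # comment line, never executed
        folded = fold_literals(code)
        before, after = code.lower(), folded.lower()
        # Report only keywords that were NOT readable before folding.
        hits = [k for k in SUSPICIOUS if k in after and k not in before]
        if hits:
            findings.append((no, folded, hits))
    return findings


# The Shell line is the one quoted in the post; the other lines are constructed.
SAMPLE = '''Sub Workbook_Open()
    ' "rund" & "ll32" in a comment is ignored
    MsgBox "Total: " & "42"
    Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
End Sub'''

if __name__ == "__main__":
    for no, folded, hits in scan_macro(SAMPLE):
        print(f"line {no}: {hits} -> {folded}")
```

Only literal-to-literal joins are folded; the variable `firmaVENIKOVNETUUUKA` is left in place because its value is not known from the line alone.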