Not very obfuscated malware code / 2016-09-29

Koos van den Hout homepage

2016-09-29 Not very obfuscated malware code8 months ago
In the incoming spam I noticed some unsollicited attachments, always a sign of danger. In this case with excel files (application/vnd.ms-excel) so I checked those with olevba, part of the oletools package.

And indeed there was macro code to be run at startup, with multiple warnings about suspicious behaviour, such as usage of "command" which can run PowerShell commands.

Having a look at the code showed very clearly that the macro was up to no good! I am used to quite interesting attempts at obfuscating macro code, so it was funny to see this bit with olevba: 
Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
The url where the malware is downloaded was also quite readable in the macro.
Tags: , ,
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 2C66 3B5D F0D7 C263 local copy PGP key 2C66 3B5D F0D7 C263 via keyservers pgp key statistics for 0x2C663B5DF0D7C263 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews, Weather maps
This page generated in 0.009330 seconds.