Skip to main content

Tale of a Polished Carrier

Posted on 2020-07-27 by Josiah Smith

This blog is covering a rather interesting file that was uploaded to VT with low detection(3/61) on 7/18/2020. Considering InQuest Labs drives many of our interesting finds, this particular sample was deemed malicious and had the following heuristic behaviors.

  • Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
  • Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.

Review the Heuristics, Semantic content, and embedded Logic here on InQuest Labs, but don't forget to experience pivoting to other related samples.

The first impression a potential target will see is a coercive image stating that the document includes a "Digital Signature by GlobalSign". This is a common tactic used to social engineer the unsuspecting recipient to enable the active content. Of interest, InQuest has been busy collating the various graphical assets used in these attacks. Check out the collection of Malware Lures!

The document contains content regarding the subject matter of sustainability and greenhouse gas emissions. Coupled with the embedded text found in the semantic layer section, the intent here is to instill a sense of legitimacy to the unsuspecting target.

After doing some quick research on the embedded content by Googling the first sentence from the semantic layer, it's immediately apparent where the content was lifted from:

Figure 3. Content lifted from

After the content has been enabled, the embedded macro is the first piece of logic to execute. The following screenshot in Figure 4 is from the filtered contents on the embedded logic layer from the original sample:

Figure 4. InQuest Labs highlight of initial macro logic.

Line 41 is an interesting technique that is likely an anti-emulation pattern.

CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:01"))

The embedded macro contains a .DoVerb 200 pivot, something you don't see very often. There is an encrypted documented embedded within the sample "HelpDocumented.docm", the password is the value of the nLen parameter ("1008744") found at line 70.

This malicious document uses Windows built-in hh.exe (HTML Help) to extract the embedded content. The HTML Help technique was covered as far back as 2017 by @Oddvarmoe and later @xme, see their relevant write-ups here:

Additional data is retrieved from: mailsigning.pythonanywhere[.]com A shared provider where users are able to host their Python code in the cloud. At the time of discovery, no references found among the feeds and folks we aggregate into REPDB or IOCDB. The lack of indicators instills confidence that we're looking at a previously uncovered campaign.

Part of the embedded content is the licenseverification.vbs file. As previously mentioned in the Coercion Lure, GlobalSign is referenced within the banner of licenseverification.vbs, well obfuscated in both code and appearance. The script includes usage info containing an Xor encoded payload... depicted within Figures 5 and 6.

Figure 6. XOR'd Payload

The above VBS is executed via another LOLBin tactic employed to bypass application whitelisting, ieadvpack | LOLBAS, seen here:
rundll32.exe ieadvpack.dll, RegisterOCX "wscript.exe C:\ProgramData\Support\licenseverification.vbs fYBtqEucjehr84MW 6WYqk7CBgZAnxdzH pexe"

Next, we have a heavily obfuscated Powershell script that extracts data from main.png (another embedded file), which is a picture of some peppers.

Special thanks to @maciekkotowicz for his Python script to extract the Powershell that was embedded within the pixels of the peppers. The extracted script is meant to look like @geeky_ryan's Reset-WindowsUpdates.ps1 script, but only the header is consistent.

The final IOC is allmedicalpro[.]com. Which was registered on July 6th of 2020.


Note: There is a lot of interesting pivots that can be done from the Indicators All files can be downloaded from the InQuest Malware-Samples repo.

Type Indicator
7/18/2020 Maldoc 46afa83e0b43fdb9062dd3e5fb7805997c432dd96f09ddf81f2162781daaf834
7/18/2020 Main.Png 79d4849847aac55022d7b08ca43e00312f75c8e2d479a55c27e5ae01bf027915
7/18/2020 Hostname mailsigning.pythonanywhere[.]com
7/18/2020 Hostname allmedicalpro[.]com

field-notes labs deep-file-inspection