Tale of a Polished Carrier

Posted on 2020-07-27 by Josiah Smith

This blog is covering a rather interesting file that was uploaded to VT with low detection(3/61) on 7/18/2020. Considering InQuest Labs drives many of our interesting finds, this particular sample was deemed malicious and had the following heuristic behaviors.

  • Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
  • Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
    Review the Heuristics, Semantic content, and embedded Logic here on InQuest Labs, but don't forget to experience pivoting to other related samples. The first impression a potential target will see is a coercive image stating that the document includes a "Digital Signature by GlobalSign". This is a common tactic used to social engineer the unsuspecting recipient to enable the active content. Of interest, InQuest has been busy collating the various graphical assets used in these attacks. Check out the collection of Malware Lures!

    The document contains content regarding the subject matter of sustainability and greenhouse gas emissions. Coupled with the embedded text found in the semantic layer section, the intent here is to instill a sense of legitimacy to the unsuspecting target.

    After doing some quick research on the embedded content by Googling the first sentence from the semantic layer, it's immediately apparent where the content was lifted from:
Figure 3. Content lifted from bpaww.com

After the content has been enabled, the embedded macro is the first piece of logic to execute. The following screenshot in Figure 4 is from the filtered contents on the embedded logic layer from the original sample:

Figure 4. InQuest Labs highlight of initial macro logic.

Line 41 is an interesting technique that is likely an anti-emulation pattern. CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:01"))
The embedded macro contains a .DoVerb 200 pivot, something you don't see very often. There is an encrypted documented embedded within the sample "HelpDocumented.docm", the password is the value of the nLen parameter ("1008744") found at line 70.
This malicious document uses Windows built-in hh.exe (HTML Help) to extract the embedded content. The HTML Help technique was covered as far back as 2017 by @Oddvarmoe and later @xme, see their relevant write-ups here:

field-notes labs deep-file-inspection