Today, something interesting came across my desk. A user forwarded me an email that claimed to be an invoice and attached to it was a word document. At first, I was excited to take a look at another malicious office macro. When I opened the document, I was kind of let down. All I saw was an embedded Excel file:

 

Looking at the properties of that file, I quickly noticed that it wasn’t an excel file at all. When you double click on that file, you will notice that a VBScript file gets dropped into AppData\Local\Temp.

 

When I opened the VBScript file, this is what I saw:

I should note that I do not do malware analysis nor do I work in a full fledged security job. I just work the helpdesk. Since I have other stuff to do, I took a shortcut when analyzing this code. The part I was interested in is the “CreateObject” portion at the top. I set the first portion of that line to a variable and echoed it back:

Here is the result:

I did the same for the “run” portion of the “CreateObject” line:

And the result:

 

It appears that the attackers are disguising VBScript files as Excel files. When you double-click on the embedded file, it saves the VBScript file to %Temp% and runs. It then uses the well-known Powershell Cradle to fetch the payloads.

 

Just another interesting way attackers are combining and using Microsoft Office, VBScript and Powershell as an infection vector.

The SHA256 of the initial document is here: 9e73ab4798b8fb49645e2cbb54d6e85e396ef14feb43b5f53d555e92274e92aa

 

The SHA265 of the VBScript file is here:

b9b4d926ad3396440f775300960396429c102a0aac18da5733b47449ad4bf801

 

-Matt N. (@enigma0x3)