Kev

Trickbot: ActiveDocument.Words is the word!


This Trickbot document hid a .dll in an interesting place. If you’d like to play along, you can find the document and dropped .dll here:

Document: https://app.any.run/tasks/96c149ce-b01a-4543-a8d4-2b98bb18b9c7
Document Password: INV15
SHA256: 052C9196DFE764F1FBD3850D706D10601235DC266D1151C93D34454A12206C28

Dropped File: C:\programdata\objStreamUTF8NoBOM.Vbe
Dropped File: C:\UTF8NoBOM\APSLVDFB.dll
Dropped .dll: https://app.any.run/tasks/5bc86667-aab3-4513-a433-3697d6a9d3eb

[Image: trickbot_02.png]

After supplying the provided password to open the document, I suggest that you remove it, save the document, and then use tools like oledump.py to extract the macro. Notice how it keeps making references to ActiveDocument.Range(Start and End) and ActiveDocument.Words.

[Image: trickbot_03.png]

The macro is pulling data from the current document, piecing it together, and then writing it out to this file and location:

C:\programdata\objStreamUTF8NoBOM.Vbe
Once that is done, the macro creates a Wscript.exe object and executes that .vbe file.

[Image: trickbot_04.png]

But where did it get all of that data? Where was it hiding in the document? Well, it wasn’t really ‘hiding’ in the typical places we see obfuscated commands (I’m looking at you, Emotet). In this case, it was hiding behind the picture we see in the document itself. We can see the text below by deleting that picture and zooming in 400%.

[Image: trickbot_01.png]

You can fit an entire .dll on one page of a Word document if you use 1 point font. Who knew?
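A triage helper for exactly this hiding spot, added here as an example and not part of the original post or its tooling: it opens a .docx/.docm as the zip it is, walks word/document.xml, and returns every run whose explicit font size is at or below a threshold (Word stores sizes in half-points, so 1 pt is w:val="2"), then concatenates them in document order, which is the same blob the macro reads back through ActiveDocument.Words / Range. The sample document is constructed in memory with only document.xml populated (enough for the parser, not a file Word would open), and runs without an explicit size are assumed to be normal-sized rather than resolved through styles.xml. For the older binary .doc format you would first save as .docx or parse the OLE stream separately; that case is not handled here.

```python
"""Added triage helper (not from the original post): list text that a
.docx/.docm carries at tiny font sizes, the way this Trickbot document
parked its payload on the page at 1 point, behind a picture.

Assumption: runs with no explicit <w:sz> are treated as normal-sized
(a full tool would also resolve styles.xml).
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}


def tiny_font_runs(docx_bytes, max_half_points=4):
    """Return [(half_points, text), ...] for every run whose explicit size
    is at most max_half_points (default 4 = 2 pt), in document order."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for run in root.iter(f"{{{W_NS}}}r"):
        sz = run.find("w:rPr/w:sz", NS)
        if sz is None:
            continue  # no explicit size: assumed normal (see docstring)
        half = int(sz.get(f"{{{W_NS}}}val", "0"))
        if half <= max_half_points:
            text = "".join(t.text or "" for t in run.findall("w:t", NS))
            if text:
                hits.append((half, text))
    return hits


def recover_hidden_text(docx_bytes, max_half_points=4):
    """Concatenate the tiny-font runs: the blob a macro would rebuild from
    ActiveDocument.Words / ActiveDocument.Range before writing it out."""
    return "".join(t for _, t in tiny_font_runs(docx_bytes, max_half_points))


def build_sample_docx(visible, hidden, hidden_half_points=2):
    """Construct a minimal in-memory .docx: one normal run and one tiny run.
    Only word/document.xml is written, which is all the parser needs."""
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        f"<w:p><w:r><w:t>{escape(visible)}</w:t></w:r></w:p>"
        f'<w:p><w:r><w:rPr><w:sz w:val="{hidden_half_points}"/></w:rPr>'
        f"<w:t>{escape(hidden)}</w:t></w:r></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a benign-looking line plus a 1 pt run holding a
    # made-up base64 fragment standing in for the real payload text.
    sample = build_sample_docx("Invoice INV15 attached.", "SGlkZGVuIHBheWxvYWQ=")
    for half, text in tiny_font_runs(sample):
        print(f"{half / 2:.1f} pt run: {text[:40]}")
    print("recovered:", recover_hidden_text(sample))
```

Point it at a real sample with `tiny_font_runs(open(path, "rb").read())`; a document whose tiny-font text is thousands of characters long, sitting in the same page as a picture, is the pattern this post describes and is worth a closer look regardless of what the macro itself says.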

The macro in the document takes the above characters, rearranges them, and writes them to objStreamUTF8NoBOM.Vbe. Here’s that .vbe file.

[Image: trickbot_05.png]

Near the bottom of objStreamUTF8NoBOM.Vbe, we can see the base64 decoding function. It gets copied to the following location:

C:\UTF8NoBOM\APSLVDFB.dll
The last two lines create a wscript.shell object and use regsvr32 to run the .dll.
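The execution chain above (Word writes a .vbe under ProgramData, wscript.exe runs it, the script launches regsvr32 against a .dll in a directory nobody installs software into) is what a process-creation rule can catch even when the document itself is never inspected. The following is an added example, not from the original post: it scores simple process events against that chain. The `Key=Value | Key=Value` event format, the Office install path and the benign third event are constructed for the example; map the fields to whatever your EDR or Sysmon pipeline emits.

```python
"""Added detection example (not from the original post): evaluate process
creation events against the chain described in the post, Word -> wscript.exe
running a .vbe from ProgramData -> regsvr32 loading a .dll from an unusual
directory. Event format and sample events are constructed for this example.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def parse_event(line):
    """'Key=Value | Key=Value' -> dict (constructed log format)."""
    return dict(field.split("=", 1) for field in line.split(" | "))


def _name(path):
    """Lower-cased image file name, e.g. 'WINWORD.EXE' -> 'winword.exe'."""
    return ntpath.basename(path).lower()


def _args(cmd):
    """Whitespace-split command line, quotes stripped, lower-cased."""
    return [tok.strip('"').lower() for tok in cmd.split()]


def evaluate(event):
    """Return the list of rule names the event matches (empty = clean)."""
    parent = _name(event.get("ParentImage", ""))
    image = _name(event.get("Image", ""))
    args = _args(event.get("CommandLine", ""))
    findings = []

    # Rule 1: an Office application spawning a script host at all.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")

    # Rule 2: script host executing a script from a user-writable location
    # (the post's C:\programdata\objStreamUTF8NoBOM.Vbe).
    if image in SCRIPT_HOSTS:
        scripts = [a for a in args if a.endswith(SCRIPT_EXTS)]
        if any(s.startswith(USER_WRITABLE) for s in scripts):
            findings.append("script_host_ran_script_from_user_writable_dir")

    # Rules 3/4: regsvr32 launched by a script host, or registering a .dll
    # outside the directories software is normally installed to
    # (the post's C:\UTF8NoBOM\APSLVDFB.dll).
    if image == "regsvr32.exe":
        if parent in SCRIPT_HOSTS:
            findings.append("regsvr32_spawned_by_script_host")
        dlls = [a for a in args if a.endswith(".dll")]
        if any(not d.startswith(TRUSTED_DLL_DIRS) for d in dlls):
            findings.append("regsvr32_dll_outside_trusted_dirs")

    return findings


# Constructed sample events modelled on the chain in the post (file paths
# taken from the post; the Office path and the third, benign event are made
# up for the example).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | "
    r"Image=C:\Windows\System32\wscript.exe | "
    r'CommandLine="C:\Windows\System32\wscript.exe" C:\programdata\objStreamUTF8NoBOM.Vbe',
    r"ParentImage=C:\Windows\System32\wscript.exe | "
    r"Image=C:\Windows\System32\regsvr32.exe | "
    r"CommandLine=regsvr32 /s C:\UTF8NoBOM\APSLVDFB.dll",
    r"ParentImage=C:\Windows\System32\msiexec.exe | "
    r"Image=C:\Windows\System32\regsvr32.exe | "
    r"CommandLine=regsvr32 /s C:\Windows\System32\example_control.dll",
]


def run_detection(lines=SAMPLE_EVENTS):
    """Evaluate every line; returns one findings list per event."""
    return [evaluate(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, run_detection()):
        print(hits or "clean", "<-", parse_event(line)["CommandLine"])
```

Each rule on its own will fire on some legitimate activity (installers do call regsvr32, and some line-of-business macros do spawn cscript), which is why the function returns every rule matched rather than a single verdict: two or more hits on one host within a short window is the signal worth paging on.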

[Image: trickbot_06.png]

And there you go! Thanks for reading!

Source
