BlackEnergy .XLS Dropper

Published: 2016-01-11
Last Updated: 2016-01-12 20:42:32 UTC
by Didier Stevens (Version: 1)
5 comment(s)

The malware used in the recent Ukranian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file.

If you want to practice the analysis of such documents, I have something for you: I produced a spreadsheet that uses exactly the same method to embed a PE file, but it has no code to write to disk neither to run the payload. And the VBA code doesn't run automatically. And in stead of a PE file, I embedded a JPEG file. So this example is very safe. You can download the example here.

In case you have no idea how to get started, I have a video for you where I show my analysis method.

You can find the tools I used on my blog.

But there are many ways to analyze this example. Please post your method in a comment. And also, let me know what you think of the picture.

Update: according to a Twitter exchange, the .XLS maldoc is from an incident involving a power company (August), and the more recent incident is with another maldoc. Tweets here, here, here, here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.

Keywords: blackenergy maldoc
5 comment(s)
ISC StormCast for Monday, January 11th 2016
Diary Archives