Virus Sample Analysis >> XLS 4.0

3fb082368a8062316976fdfeeceae130d98a3247


References:
1. oletools
2. Excel.4.0.Macro.Functions.Reference

XLS

$ trid 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
  Collecting data from file: 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
   80.2% (.XLS) Microsoft Excel sheet (32500/1/3)
   19.7% (.) Generic OLE2 / Multistream Compound File (8000/1)

Excel 4.0 Macros

$ strings 088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9 | grep -i excel
  Microsoft Excel
  Excel 4.0 Macros
  Microsoft Excel 2003 Worksheet
  Excel.Sheet.8
  Microsoft Excel

Auto_Open

$ python ./olevba.py ../../088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
  olevba 0.56.1.dev2 on Python 2.7.16 - http://decalage.info/python/oletools
  ===============================================================================
  FILE: ../../088c3c81e03e959c0c596979135fa972f167e6fea542cf023871775a3dbd0ed9
  Type: OLE
  -------------------------------------------------------------------------------
  VBA MACRO xlm_macro.txt
  in file: xlm_macro - OLE stream: 'xlm_macro'
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet1
  ' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet2
  ' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet1!GA15138
  ' 002a      2 PRINTHEADERS : Print Row/Column Labels
  ' 00fd     10 LABELSST : Cell Value, String Constant/ SST
  ' 002a      2 PRINTHEADERS : Print Row/Column Labels

P.S. The EntryPoint reported here is wrong.

Disable macros and open the file (1.xls)


Formulas > Name Manager

P.S. No EntryPoint is listed

Search


After taking a snapshot, replace everything with Alert; this makes it possible to probe the EntryPoint location


Enable macros


EntryPoint: Sheet2!FA15138


After reverting, edit Sheet2!FA15138


Press Halt


Change it back to the original, then right-click


Step Into


Start single-stepping with Evaluate


APP.MAXIMIZE: Maximizes the Microsoft Excel application window


GET.WORKSPACE(7): If window is hidden, returns TRUE; otherwise, returns FALSE.


GET.WORKSPACE(20): If window is maximized, returns TRUE; otherwise, returns FALSE.


GET.WORKSPACE(23): Number indicating the size of the window (including charts): 1 = Restored, 2 = Minimized (displayed as an icon), 3 = Maximized


GET.WORKSPACE(31): If a currently running macro is in single step mode, returns TRUE; otherwise, returns FALSE.


GET.WORKSPACE(13): Usable workspace width, in points.


GET.WORKSPACE(14): Usable workspace height, in points.


GET.WORKSPACE(19): If a mouse is present, returns TRUE; otherwise, returns FALSE. In Microsoft Excel for the Macintosh, always returns TRUE.


GET.WORKSPACE(42): If your computer is capable of playing sounds, returns TRUE; otherwise, returns FALSE.


GET.WORKSPACE(1): Name of the environment in which Microsoft Excel is running, as text, followed by the environment's version number.


Export Registry


Registry Path


GET.WORKSPACE(2): The version number of Microsoft Excel, as text (for example, "5.0").


Export the Registry and use it for the check

Download the Payload and execute it
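To tie the stepping session together, here is an added triage helper (not the page's tooling and not the sample's own code) that scans a text dump of XLM formulas for the GET.WORKSPACE environment checks listed above, for functions that hand control to something outside the workbook, and for whether a reported Auto_Open target really lands on a formula cell, which is the olevba mismatch noted earlier. The dump is constructed to mirror the session; the 770-point width threshold and the placeholder EXEC argument are assumptions.

```python
import re

# GET.WORKSPACE type numbers from the Excel 4.0 Macro Functions
# Reference (the environment checks single-stepped above).
WORKSPACE_CHECKS = {
    1: "environment name and version", 2: "Excel version", 7: "window hidden",
    13: "usable workspace width", 14: "usable workspace height", 19: "mouse present",
    20: "window maximized", 23: "window size", 31: "single-step mode", 42: "sound capable",
}
# Formula functions that hand control to something outside the workbook.
EXEC_FUNCS = {"EXEC", "CALL", "REGISTER", "RUN"}

# Constructed dump in "Sheet!Cell: =formula" form; not taken from the sample.
SAMPLE_DUMP = """\
Sheet2!FA15138: =APP.MAXIMIZE()
Sheet2!FA15139: =IF(GET.WORKSPACE(7),CLOSE(FALSE),)
Sheet2!FA15140: =IF(GET.WORKSPACE(20),,CLOSE(FALSE))
Sheet2!FA15141: =IF(GET.WORKSPACE(31),CLOSE(FALSE),)
Sheet2!FA15142: =IF(GET.WORKSPACE(19),,CLOSE(FALSE))
Sheet2!FA15143: =IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
Sheet2!FA15144: =EXEC("<placeholder payload path>")
Sheet2!FA15145: =HALT()
"""

CELL_RE = re.compile(r"^(?P<cell>[^!\s]+![A-Z]+\d+):\s*(?P<formula>=.*)$")

def parse_dump(text):
    """Return {cell: formula} for every 'Sheet!Cell: =formula' line."""
    cells = {}
    for line in text.splitlines():
        m = CELL_RE.match(line.strip())
        if m:
            cells[m.group("cell")] = m.group("formula")
    return cells

def workspace_checks(cells):
    """Sorted (type_num, meaning) for every GET.WORKSPACE call found."""
    nums = set()
    for f in cells.values():
        nums.update(int(n) for n in re.findall(r"GET\.WORKSPACE\((\d+)\)", f))
    return sorted((n, WORKSPACE_CHECKS.get(n, "unknown")) for n in nums)

def exec_functions(cells):
    """Names from EXEC_FUNCS that appear anywhere in the formulas."""
    names = set()
    for f in cells.values():
        names.update(n for n in re.findall(r"\b([A-Z.]+)\(", f) if n in EXEC_FUNCS)
    return sorted(names)

def entry_point_resolves(target, cells):
    """True if a reported Auto_Open target (e.g. from olevba) is a formula cell."""
    return target in cells
```

Run it against the real sheet by replacing SAMPLE_DUMP with your own formula dump; a reported Auto_Open target that does not resolve is the cue to find the entry point by hand as done above.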



