"Once the user provides the password to open the document, it prompts the user to 'enable editing and enable content to read content.' If a user clicks 'enable content,' macros will be enabled and will drop a malicious VBScript with a random name in %appdata%."

That particular VBScript comes with high levels of obfuscation. When it is deobfuscated, it downloads the encrypted payload, which is decrypted by an XOR operation. But like most advanced malware, the payload doesn't execute immediately. Instead, this campaign makes use of one of the most common evasive techniques in malware: timing-based evasion. The McAfee researchers elaborate on that point:
"Malware authors use different techniques to delay the execution of any suspicious functionality for a certain time. Generally sandbox systems monitor execution for a limited time, and in the absence of malicious activity classify a program as legitimate. Attackers use techniques such as onset delay, stalling code, and extended sleep calls to delay the execution in sandbox environments. This variant delays execution by running cmd.exe with the parameter 'ping 8.8.8.8 -n 250 > nul,' which pings the Google DNS server 250 times and ignores the results."
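The ping-based stall described above leaves a distinctive footprint in process-creation telemetry: a ping with an unusually large `-n` count, its output thrown away, launched from an Office or scripting host rather than an administrator's console. The following detector is an added example written for this article, not code from McAfee or from the campaign; the Sysmon-like events, the `SCRIPT_HOSTS` list and the `min_seconds` threshold are all constructed assumptions. It relies on the fact that Windows `ping.exe` waits roughly one second between echo requests against a responsive host, so `-n 250` is in effect a four-minute sleep.

```python
import re

# Process-creation events, constructed here in a Sysmon-like shape to exercise the
# detector; they are not real telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ping 8.8.8.8 -n 250 > nul"},
    {"parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "ping 127.0.0.1 -n 90 >nul & del stage1.tmp"'},
    {"parent": "explorer.exe", "image": "ping.exe",
     "cmdline": "ping 10.0.0.1 -n 4"},
    {"parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all > nul"},
]

# Hosts that commonly launch second-stage scripts (assumed list): a long ping
# spawned from one of these is far more suspicious than the same command typed
# at an administrator's console.
SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "powershell.exe"}

PING_RE = re.compile(r"\bping(?:\.exe)?\b([^&|>]*)", re.IGNORECASE)
COUNT_RE = re.compile(r"(?:^|\s)-n\s+(\d+)", re.IGNORECASE)
NUL_RE = re.compile(r">\s*nul\b", re.IGNORECASE)
WINDOWS_DEFAULT_COUNT = 4  # ping.exe sends four echo requests when -n is absent


def ping_count(cmdline):
    """Return the echo-request count of the first ping in cmdline, or None if no ping."""
    m = PING_RE.search(cmdline)
    if not m:
        return None
    c = COUNT_RE.search(m.group(1))
    return int(c.group(1)) if c else WINDOWS_DEFAULT_COUNT


def assess(event, min_seconds=30):
    """Score one process-creation event for ping-based stalling.

    Windows ping waits about one second between requests, so '-n N' against a
    responsive host is roughly an N-second sleep. min_seconds is a hypothetical
    tuning knob: counts below it (ordinary connectivity checks) are ignored.
    """
    count = ping_count(event["cmdline"])
    if count is None or count < min_seconds:
        return None
    reasons = [f"ping -n {count} approximates a {count}s delay"]
    if NUL_RE.search(event["cmdline"]):
        reasons.append("ping output discarded (> nul), so the result is never used")
    parent = event["parent"].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script/Office host {parent}")
    # Two or more indicators: treat as stalling rather than a long diagnostic.
    severity = "high" if len(reasons) >= 2 else "low"
    return {"severity": severity, "count": count, "reasons": reasons}


def scan(events, min_seconds=30):
    """Run assess() over a list of events and return only the findings."""
    findings = []
    for ev in events:
        result = assess(ev, min_seconds)
        if result:
            findings.append((ev["cmdline"], result))
    return findings


if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), cmdline)
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed events, the first two are flagged high (long count, discarded output, Office or WSH parent) while the four-packet connectivity check and the `ipconfig` call are ignored. The threshold and host list are the parts to tune: a single long ping from `explorer.exe` scores low because, on its own, it is just as likely to be an administrator watching a link.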