Not-Really-Password-Protected Evasion Technique Resurfaces

Today we came across an e-mail with an Excel Workbook attachment, which upon first inspection appears to be password-protected. The presence of the EncryptedPackage stream in an OLE2 document indicates that it is protected by a password, which obviously would require the user to enter one in order to open the document properly. Or at least that’s what the bad guys would like email or AV scanners to think. 

Viewer

Figure 1

Looking at the e-mail, which is couched as a very generic price quote request, the sender did not provide any password for the attachment, so what gives?

Figure 2

Sounds like something we’ve already seen a few years back, six years to be exact. Do you remember VelvetSweatshop and the infamous CVE-2012-0158 exploit which took advantage of the Microsoft Excel default password hidden feature to evade detection? Well, this malware campaign will surely bring you back to those old days.

First let’s try to open the document to see if Microsoft Office will be able to load it properly.

Figure 3

Figure 4

And sure thing, Microsoft Office Excel was able to open the document with no problems at all—and no request to enter a password. So let’s take a look at what’s happening in the background.

Exploits Office Vulnerability CVE-2017-11882

The first thing you’ll notice is the presence of EQNEDT32.EXE being loaded by svchost.exe. This behavior indicates a possible exploitation of CVE-2017-11882(Microsoft Office Memory Corruption Vulnerability).

Figure 5

Digging a little deeper, we debugged the exploit shellcode to see what this document really does in the background. Sure enough, this sample does indeed exploit CVE-2017-11882 and attempts to download and execute an executable payload (supposedly saved as %PUBLIC%vbc.exe in the affected computer’s system), as shown in the screenshots below.

Figure 6

Figure 7

VelvetSweatshop Default Password Ploy Still Being Used

We also decrypted the email attachment and confirmed that this document is taking advantage of the old Microsoft Office hidden “feature” that uses a default password to load encrypted documents, as shown in the lines of code in the screenshot below.

Figure 8

Unfortunately, the download link from this exploit sample was inaccessible as of this writing, so we are not able to provide an analysis of its payload.

Indicators of Compromise and Cyren Detection

SHA256 Object Type Remarks Cyren Detection
04ee59add6c2df247f97a17eab8594a2a28b7e17e7ce3e9cc5c334ae0ac265de EML Subject: Prices required – CVE1711882
fe5568568d4930866d29699b46e11711c462bfcefd05589e98c6b5250da074ff EML Subject: Prices required – CVE1711882
73675e415abe136fa06070d5781d5d0d84c415111b0c65d43910e44146124642 XLS Password-protected: VelvetSweatsho[ CVE1711882
http://84.38.130.139/pk/office/win32.exe URL

Saved to: %PUBLIC%vbc.exe

Payload: Inaccessible as of this writing

Prevention and Mitigation

We remind readers that Microsoft issued a patch for the CVE-2017-11882 exploit in 2017. Outdated software, operating systems, browsers, and plugins are major vectors for malware infections.