Extracting Concealed URLs In Payloaded MS-Word Objects
MS-Word objects are one of the preferred vehicles for internet scammers to carry payloads that lead either to downloading malicious executables or to subverting existing objects on Windows systems. Concealing the true nature of the payload is a priority for this to work. I have been observing how this is done and wanted to show more details about the process, so I picked one of the files I recently received to demonstrate it. Preliminary inspection of the file shows all the hallmarks of malicious activity:
The embedded VBA scripts create local objects...
and build a URL using the predefined FPATH VBA function...
The operation uses a string of integers to conceal the letters that make up the URL. The integers correspond to decimal values from the ASCII table:
A quick conversion of the values shows that the corresponding characters do indeed form a URL, in this case H**P://im-journal.com/kjg7665rf. A DNS lookup shows the IP is owned by SFR from France but located in the US.
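The conversion step above can be automated when triaging macros. The following is an added example written for this post, not code from the sample or from any tool mentioned here: it scans VBA text for runs of decimal values (plain integer strings and `Chr(n) & Chr(n)` chains), decodes the printable ones to ASCII, and reports any URL they form. The VBA fragment and the `example.invalid` URL in it are constructed for the demo.

```python
import re

# Constructed VBA fragment imitating the concealment technique: one URL
# stored as a space-separated string of ASCII decimal values, one filename
# built from a Chr() chain, plus ordinary numbers that must not be decoded.
SAMPLE_VBA = '''
Dim i As Integer: i = 5
u = "104 116 116 112 58 47 47 101 120 97 109 112 108 101 46 105 110 118 97 108 105 100 47 107 106 46 101 120 101"
p = Chr(117) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Set o = CreateObject("MSXML2.XMLHTTP")
'''

PRINTABLE = range(32, 127)
URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[\w.-]+(?:/[\w./?=&%-]*)?')


def decode_int_runs(text, min_len=8):
    """Return ASCII strings decoded from runs of at least min_len decimal
    values. Chr(n) calls are flattened to bare numbers first so both forms
    are handled by one pattern. Runs split across separate VBA statements
    (e.g. s = s & ...) are decoded per statement, not joined."""
    flat = re.sub(r'Chr\s*\(\s*(\d+)\s*\)', r'\1', text, flags=re.I)
    flat = flat.replace('&', ' ')
    run_re = r'(?:\b\d{1,3}\b[\s,]+){%d,}\b\d{1,3}\b' % (min_len - 1)
    decoded = []
    for m in re.finditer(run_re, flat):
        values = [int(v) for v in re.findall(r'\d{1,3}', m.group(0))]
        # Drop runs with non-printable values: they are not hidden text.
        if all(v in PRINTABLE for v in values):
            decoded.append(''.join(chr(v) for v in values))
    return decoded


def extract_urls(text):
    """URLs recovered from the decoded runs, in order of appearance."""
    urls = []
    for s in decode_int_runs(text):
        urls.extend(URL_RE.findall(s))
    return urls


if __name__ == '__main__':
    for s in decode_int_runs(SAMPLE_VBA):
        print('decoded:', s)
    for u in extract_urls(SAMPLE_VBA):
        print('url:', u)
```

Run it against the macro text dumped from the document (olevba or a similar extractor) rather than the binary file itself.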
Testing the concealed URL leads to a direct download of an EXE file:
which TrendMicro classifies as a LOCKY trojan.