Goal

In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc that has a dropper functionality. It's only purpose is being a gateway for more mature malware.

Word document

We are confronted yet again with a Word document which includes macros.

File hashes:

MD5: 3e77ad5e07c65aeeb7a3b2e268eb102b  
SHA1: 73f35866e29959a2397303fb3ec0c0b7e74226f3  
SHA256: fdda128f909cbfb549a6a342cfb71e09dfbc695d799dbfd80d95b42e82fc1e9c  
ssdeep1536:OXxUzn9/biXPK2NSy7DL3WBWZn+9cHYRJ5SEbbXr7eLTFxXw:USYSy49rRLbbO7  

If we try to open the VBA debugger we will see heavily obfuscated code, even strings are obfuscated. A quick look reveals that there is a module called XoGrrJy that has many calls to CallByName so we can guess that function names are being dynamically deobfuscated and called by name.

We can set breakpoints on these functions as these have to be the ones to do WinAPI calls.

It first checks for recent documents:

RecentFiles = MicrosoftWord.RecentFiles()  
RecentFiles.Count()  
// probably check if count > x as a sandbox detection mechanism

This is clearly an anti-debugging mechanism, as Word applications installed in malware-analysis VMs are not used for real work and thus have a low recent file count.

If the check is successful we continue execution and this is when things begin to get interesting. Next is a WinHTTPRequest.Open() call.

As you can see it is checking maxmind's API to get IP geolocation data. But wait a minute, there is no API token submitted (as it is a GET request and it should be appended in the URL). How do they get around maxmind's API authentication?

First they add a valid User-Agent to the request, and then they set the referer to another maxmind URL:

WinHTtpRequest.SetRequestHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)")  
WinHTtpRequest.SetRequestHeader("Referer", "https://www.maxmind.com/en/locate-my-ip-address")  

That way request appears to be coming from the maxmind's "geolocate me" demo page and authentication is bypassed.

This is another anti trick. Bendis has a blacklist built in for countries and autonomous system, so if you are on the blacklist Bendis won't contact the payload delivery URL.

Next, another HTTP GET request is sent, this time to an sketchy server.

The server responds with a PE file.

The VBA script writes the PE file to disk and then executes it. Everyhting is done with standard WinAPI calls.

Obfuscation

Bendis uses a pretty dumb string obfuscation mechanism. Bendis is shipped with a character blacklist, and strings are interpolated with several characters from said blacklist. When Bendis is going to use a string it first deletes all blacklisted characters from it.

As for an example:

  • String: aaSjhK^e()llzz
  • Blacklist: ajK^()z

Results in the string Shell.

Payload

The payload is completely unrelated to Bendis, so it won't make it to this post, but I'll leave hashes here:

File hashes:

CRC32: 54A600FB  
MD5: D7BC215662DCC0E740C01CC5AE55A78C  
SHA-1: 465ACDA6A2E6629F7008A16616EDE99CFEB708FD