Malicious File Document Analysis

Alparslan Akyıldız academy
6 min read · Dec 20, 2019


Hello friends, I couldn't write any blog entry last month because I was busy with my new book, which will be published in January 2020. I have written a Web Pentest Handbook in Turkish and it will be published soon. In this blog post I examine some malicious Office and PDF documents and give some information about their analysis process and the detection of malicious activities. Adversaries use different TTPs and their tactics change day after day. Even though their IOCs and techniques change day after day, we can still detect their malicious activities by implementing threat hunting and incident response steps. Before we start, I present my Udemy trainings; if you want, you can benefit from my training to learn more deeply.

Let's examine some malicious Office documents and see the techniques adversaries use to prepare malicious documents. In this step olevba and the other tools that ship with REMnux are used with their default settings. For this research I set up a lab environment to simulate the behaviour of real malware I had analysed earlier and to reproduce their attack TTPs in order to develop analysis methods. The first malicious Office document is analysed with the olevba tool to examine the malicious macros that reside in the macro part. The output is given below;

As you can see from the output, Sub Auto_Open is used to execute the macro code automatically, and the macro calls a shell to trigger cmd.exe, which starts a connection to a share to download a malicious DLL with a misspelled name, wins0ck32.dll. The IOC list is given in the screenshot; it includes IOCs such as the IP address, executable files like cmd.exe, and rundll32.exe, which triggers the malicious DLL. This example shows the standard malicious macro execution method. The second sample is analysed with olevba as shown below;

The second malicious file sample includes PowerShell code as a base64-encoded string. It is suspicious: a hidden window is used to hide the execution window, and the macro calls Win32_Process from the document's macro. In the next step the base64-encoded macro is decoded.

To do this, the macro is first extracted and the quotes are deleted with sed and cut commands, like this;

After that we can decode the PowerShell code as shown below;

As you can see from the output, a PowerShell reverse shell is detected in the macro code. The next malware sample is weird. When we scan the file with AVs, the detection rate is as given below;
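The sed/cut/base64 steps above are shown only as screenshots, so here is an added Python version of the same procedure (my own example, not code from the post). It assumes the dropper passes the payload to PowerShell through `-enc`/`-EncodedCommand`, which is base64 over UTF-16LE text, and that the VBA splits the blob across concatenated string literals and `_` line continuations; `make_sample_macro` builds a constructed, harmless macro in that shape so the extractor has something to work on.

```python
import base64
import re
from typing import Optional

# PowerShell accepts several spellings of the encoded-command switch.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s", re.IGNORECASE)


def make_sample_macro(command: str) -> str:
    """CONSTRUCTED sample (not from any real document): a VBA macro that runs
    PowerShell with an -EncodedCommand argument split across concatenated
    string literals, a common trick to defeat naive string matching."""
    blob = base64.b64encode(command.encode("utf-16-le")).decode()
    chunks = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    joined = " & _\n        ".join('"%s"' % c for c in chunks)
    return (
        "Sub Auto_Open()\n"
        "    Dim cmd As String\n"
        '    cmd = "powershell -w hidden -enc " & ' + joined + "\n"
        "    Shell cmd, vbHide\n"
        "End Sub\n"
    )


def extract_encoded_command(vba_text: str) -> Optional[str]:
    """Find the -enc argument and rebuild the base64 blob from the VBA string
    pieces: the job the post does with sed and cut."""
    # Join VBA line continuations (" _" + newline) so each statement is one line.
    one_line = re.sub(r"[ \t]*_[ \t]*\r?\n\s*", " ", vba_text)
    for line in one_line.splitlines():
        m = ENC_FLAG.search(line)
        if not m:
            continue
        tail = line[m.end():]
        # Drop quotes, '&' concatenation operators and whitespace.
        flat = re.sub(r'["&\s]', "", tail)
        # Keep only the leading run of base64 characters (VBA args may follow).
        b64 = re.match(r"[A-Za-z0-9+/]+=*", flat)
        if b64:
            return b64.group(0)
    return None


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


if __name__ == "__main__":
    macro = make_sample_macro("Write-Output 'constructed sample'")
    blob = extract_encoded_command(macro)
    print("recovered blob:", blob)
    print("decoded command:", decode_encoded_command(blob))
```

The UTF-16LE step is the one most often missed: decoding the blob as UTF-8 yields text interleaved with NUL bytes, which is why `base64 -d` output in a terminal looks like spaced-out letters until it is converted.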

In this sample the attacker used CSV injection, that is, the formula injection method, in an Excel document. In the first step we tried to extract macros or malicious code by using olevba, but we got nothing;

Then we decided to use the strings tool to analyse the document's strings in order to find some malicious code in the document;

The conclusion is the same: we have nothing. We need dynamic malware analysis techniques, but before jumping into that process we opened the malicious file in a lab environment and sent it to the sandbox. When we opened the document we noticed the file's formula field. It looks like the one given below;

This is the formula injection method. The attacker triggers the malicious code from this field. Cool! As an analyst I researched other ways similar to this technique and learnt that HYPERLINKs can be used for this purpose too. For example, an attacker can create a HYPERLINK, embed an exploit kit link inside it, and show a fake link that looks like a known site or a table link in the document, in order to execute malicious code on the victim machine.

=HYPERLINK("exploit kit link","Fake Link Like known sites")
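Since olevba and strings both came back empty on this sample, formula injection has to be caught by looking at the cell values themselves. The following added Python (my example, not from the post) scans a CSV for cells a spreadsheet would evaluate as formulas, flags the HYPERLINK case above, and shows the export-side fix of prefixing such cells with a single quote. The CSV is constructed; `example.invalid` is a placeholder domain, and the trigger-character list follows the usual CSV-injection guidance.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Functions that reach outside the sheet; HYPERLINK is the one the post discusses.
RISKY_FUNCS = re.compile(r"\b(HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA|DDE)\b", re.I)


def _is_number(value: str) -> bool:
    """'-50' or '+3.5' start with a trigger but are plain numbers, not injection."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def classify_cell(value: str) -> Optional[str]:
    """Return a reason string if the cell would be treated as a formula, else None."""
    if not value or value[0] not in FORMULA_TRIGGERS or _is_number(value):
        return None
    reason = "starts with %r, spreadsheet will evaluate it" % value[0]
    m = RISKY_FUNCS.search(value)
    if m:
        reason += "; calls %s" % m.group(1).upper()
    return reason


def scan_csv(text: str) -> List[Tuple[int, int, str, str]]:
    """Walk every cell; return (row, column, value, reason) for formula-like cells."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            reason = classify_cell(cell)
            if reason:
                findings.append((r, c, cell, reason))
    return findings


def neutralize_cell(value: str) -> str:
    """Export-side defence: prefix a formula trigger with a single quote so the
    cell stays text. Numbers are left alone so totals still add up."""
    if value and value[0] in FORMULA_TRIGGERS and not _is_number(value):
        return "'" + value
    return value


# Constructed "invoice export": one HYPERLINK lure, one harmless formula, one negative number.
SAMPLE_CSV = (
    "name,amount,note\n"
    "Alice,100,paid\n"
    'Bob,200,"=HYPERLINK(""http://example.invalid/landing"",""Open invoice on known-site"")"\n'
    "Carol,-50,refund\n"
    'Dave,300,"=1+1"\n'
)

if __name__ == "__main__":
    for row, col, value, reason in scan_csv(SAMPLE_CSV):
        print("row %d col %d: %s -> %s" % (row, col, value, reason))
        print("   neutralized:", neutralize_cell(value))
```

The numeric check matters in practice: an export full of negative amounts would otherwise drown real findings in false positives, and quoting every `-50` would break the recipient's arithmetic. The quote prefix is visible in some CSV importers, so the stricter alternative is to refuse such cells at export time and alert on them at import time.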

The next example is a PDF file. When analysing PDF files, JavaScript code is vital for analysts. For the analysis process the pdf-parser tool in REMnux is used;

As you can see, malicious code hides in the PDF to execute cmd.exe and run commands on the victim machine. Our last example is a little complicated. First we use olevba to inspect the macro code in the document;
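For the PDF sample just discussed, the pdf-parser output is only a screenshot, so here is an added Python first-pass triage (my example, not the post's or pdf-parser's code). It walks the `obj ... endobj` regions of a PDF, reports which objects carry the names an analyst searches for first (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`), follows `/OpenAction` references, and pulls out literal-string JavaScript with proper handling of nested and escaped parentheses. The PDF bytes are constructed and the script is a harmless `app.alert`; real samples frequently put the payload in a stream or hex string instead, which this simple pass does not decode.

```python
import re
from typing import Dict, List

# Names pdf-parser users look for first: script, auto-run actions, launches, drops.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/URI"]
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def triage_pdf(data: bytes) -> Dict[int, List[str]]:
    """Map object number -> suspicious names found in that object."""
    hits: Dict[int, List[str]] = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        # Trailing lookahead keeps /JS from matching inside /JavaScript etc.
        found = [n.decode() for n in SUSPICIOUS_NAMES
                 if re.search(re.escape(n) + rb"(?![A-Za-z])", body)]
        if found:
            hits[num] = found
    return hits


def auto_run_refs(data: bytes) -> List[int]:
    """Object numbers that /OpenAction points at (indirect references only)."""
    return [int(m.group(1)) for m in re.finditer(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)]


def extract_js(data: bytes) -> List[str]:
    """Return the contents of every /JS (...) literal string, honouring nested
    parentheses and backslash escapes as the PDF string syntax requires."""
    out = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            ch = data[i:i + 1]
            if ch == b"\\":              # keep the escape and the escaped byte
                buf += data[i:i + 2]
                i += 2
                continue
            if ch == b"(":
                depth += 1
            elif ch == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += ch
            i += 1
        out.append(buf.decode("latin-1"))
    return out


# Constructed minimal PDF: the catalog auto-runs object 4, a JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('constructed sample \\(harmless\\)')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("suspicious objects:", triage_pdf(SAMPLE_PDF))
    print("auto-run targets:", auto_run_refs(SAMPLE_PDF))
    for js in extract_js(SAMPLE_PDF):
        print("JS:", js)
```

The useful output is the chain, not the single hit: catalog object 1 auto-runs object 4, and object 4 is a JavaScript action. That chain is what distinguishes a document that runs code on open from one that merely contains a script behind a button.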

Interestingly, I see two functions in the macro code: one of them is a base64 encoder function and the other a base64 decoder function.

That means the adversary can use base64 encoding to hide something, bypass AV, or compress something. As I kept on investigating the code blocks I came across a new macro code block. This is the key point of our analysis; look carefully at the output given below;

The macro code uses the Author field of the document's metadata: it creates a file named test.xml under the Libraries directory, then base64-decodes the code (which the attacker pre-placed there through the macro) into stager.xml, and it probably executes the PowerShell code inside msbuild.exe by running MSBuild on that file, because the attacker does not want powershell.exe to appear in process monitoring, so as to evade security systems and analysts. Let's chart the attacker's activities;

In the next step, ExifTool is used so that analysts can detect the malicious code in the Author field of the document;

We tried to decode the base64 code for static analysis. We can obtain the code, but the code includes another code that is compressed and encoded;

We use an online platform to decompress the PowerShell code, and we reach the malicious PowerShell code;
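The online decompressor used above can be replaced by a few lines of Python, which also avoids uploading a sample off the analysis box. The following added example (mine, not from the post) peels the layers described in the last two steps: base64, then a PowerShell loader text that carries a second base64 string, then the deflate stream inside it. It stops when it reaches plain text that contains no further embedded blob. `build_sample` constructs a harmless stand-in for the post's payload (a benign inner script, raw-deflated and base64'd, wrapped in a loader that decompresses it without executing anything); the layer order, the UTF-16LE outer encoding and the 24-character minimum for an embedded blob are assumptions chosen to match the common PowerShell `DeflateStream` pattern.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional, Tuple

B64_RE = re.compile(rb"[A-Za-z0-9+/]+=*")
EMBEDDED_B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def try_base64(data: bytes) -> Optional[bytes]:
    """Decode only if the whole buffer is one well-formed base64 token."""
    s = data.strip()
    if not s or len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:
        return None


def try_decompress(data: bytes) -> Optional[Tuple[str, bytes]]:
    """gzip by magic, then zlib-wrapped, then raw deflate (what DeflateStream emits)."""
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    for name, wbits in (("zlib", zlib.MAX_WBITS), ("raw-deflate", -zlib.MAX_WBITS)):
        try:
            return name, zlib.decompress(data, wbits)
        except zlib.error:
            pass
    return None


def to_text(data: bytes) -> Optional[str]:
    """UTF-16LE if every other byte is NUL (PowerShell style), else UTF-8; must be printable."""
    text = None
    if len(data) >= 2 and len(data) % 2 == 0 and data[1::2].count(0) > len(data) // 4:
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            text = None
    if text is None:
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def find_embedded_base64(text: str) -> Optional[str]:
    """Longest base64-looking token inside a script, e.g. a FromBase64String('...') argument."""
    tokens = EMBEDDED_B64_RE.findall(text)
    return max(tokens, key=len) if tokens else None


def peel_layers(data: bytes, max_layers: int = 8) -> Tuple[List[str], Optional[str]]:
    """Return (trail of layer names, final plain text or None)."""
    trail: List[str] = []
    for _ in range(max_layers):
        decoded = try_base64(data)
        if decoded is not None:
            trail.append("base64")
            data = decoded
            continue
        text = to_text(data)
        if text is not None:
            inner = find_embedded_base64(text)
            if inner is None:
                return trail, text
            trail.append("embedded-base64")
            data = inner.encode()
            continue
        dec = try_decompress(data)
        if dec is None:
            break
        trail.append(dec[0])
        data = dec[1]
    return trail, None


def build_sample() -> str:
    """CONSTRUCTED stand-in for the post's payload: benign inner script, raw-deflated,
    base64'd, placed in a loader that only decompresses it, then UTF-16LE base64'd."""
    inner = "Write-Output 'constructed inner stage: nothing executed'"
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(inner.encode()) + comp.flush()
    loader = (
        "$bytes = [Convert]::FromBase64String('%s')\n"
        "$stream = New-Object IO.Compression.DeflateStream("
        "(New-Object IO.MemoryStream(,$bytes)), [IO.Compression.CompressionMode]::Decompress)\n"
        "$stage = (New-Object IO.StreamReader($stream)).ReadToEnd()\n"
        % base64.b64encode(raw).decode()
    )
    return base64.b64encode(loader.encode("utf-16-le")).decode()


if __name__ == "__main__":
    trail, text = peel_layers(build_sample().encode())
    print(" -> ".join(trail))
    print(text)
```

Reading the trail is as useful as reading the final script: `base64 -> embedded-base64 -> base64 -> raw-deflate` is itself a recognisable fingerprint of this loader family, and the intermediate loader text is where the IOCs the post lists next (paths, file names, addresses) usually sit.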

Now the attacker's C2 (command and control) IP addresses can be seen. We have IOCs such as directories, file names, file hashes and IP addresses, and we have learnt the adversary's TTPs. In the next blog post I will write about event IDs and their sequences for detecting the same attack types. I will use Sysmon and ELK for mapping and detecting document attacks. Thanks for reading my post. See you friends…
