Malware: Dealing with malicious word documents

In order to walk through the article, I will be using the following file:

MD5: ea677003262604084a6afc3f459dfba3

Sample Filehttps://www.reverse.it/sample/9fd1e0231ece8c1e0a9f69ad2d02d917a9b269d06a586cbc2445de6d3c358185?environmentId=100

Type: Docx

The purpose of the article is to demonstrate initial actions when examining attachments or the presence of a suspected malicious file within your network.

 

Preliminary Actions

Conduct OSINT on the file using it’s MD5/Sha1 and the file name.

Upload the file to VirusTotal – in this case 36 engines of 59 have the file marked as dangerous

Conduct network and end-point sweep for the file

Update IPS to include the file as an Indicator of Compromise

 

Checking the file header

Loading this file into a hex viewer, you notice the file header begins PK which indicates the file to be in a zipped format… which a .docx commonly is.

 

Unzipping file and Extracting Script

Unzipping the file presents the following internal files.

Within the word directory is a file named vbaProject.bin.  This file has been around since around 2008 after Microsoft upgraded the Office suite.  The file commonly houses vba macros.

Can extract the script from the BIN file by using OfficeMalScanner

Alternatively, you can use OfficeParser which avoids having to unzip the .docx file and does virtually the same thing.

 

Analysing Script

Placing the script into a text editor it becomes immediately clear that there is obfuscation in use.  This is common within malware in order to make it more difficult for tools and analysts to examine files.

Dynamic Analysis

We can load the file into a Visual Basic Debugger, accessible through Microsoft Word within the development tab.

One loaded, we can add some break points in key areas.

A good place to start is the joining of variables together so that the value of them can be understood.  Adding a message box with the variable name is a good and effective way of viewing the value.

As is shown below, the variable YGIaPobpmcNAcjtgxzg has been output.  One thing that is now readable is, something is being done on the file system and a process is being run.

All the following signs are clear indicators that something nasty may be going on with this file:

  • There is a mention of APPDATA (commonly used for malware … not a good sign!)
  • There is concatenation with another variable (UypPkPL) which has an .exe extention!
  • and a loop which calls the powershell process Start-Process

 

Setting two more break points, will allow us to view the final code in a clear and obfuscated way.

It still doesn’t mean too much.  There is mention of pinging the local host, probably to act as a delay so that the user does not detect anything and assumes the file to not be harmful.  Powershell is then activated and runs something which still can’t yet be read.  Copying this into Powershell however does allow us to make more sense.

 

As can be seen here, the file calls out to three different URLs.  Further work on these addresses shows that these are links to further executable files which are designed to be downloaded on to the target system.

Hope you’ve enjoyed and you’ve learnt something.  Comment below if that’s the case!

 

Further Reading

OfficeMalScanner: http://www.reconstructer.org/code.html

OfficeParser: https://github.com/unixfreak0037/officeparser

Download malicious file sample – registration needed: https://www.reverse.it/sample/9fd1e0231ece8c1e0a9f69ad2d02d917a9b269d06a586cbc2445de6d3c358185?environmentId=100

Hex Viewer HxD – https://mh-nexus.de/en/hxd/

 

 

 

 

 

 

 

 

 

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *