- Since 2014, it's a Malware as a service banking trojan
- Targets numerous industries: finance, govt, energy, shipping, utilities, etc
- Distributes malware such as Trickbot and Zeus Panda
- It's a dropper and credential stealer (from web browsers and email clients); leverages legitimate software
- Obfuscation techniques via polymorphic packers and encrypted imports
- Leverages document as a delivery mechanism
- Uses process injection into explorer.exe
- Establishes persistence
- Communicates with its C2
- PDF = Portable Document Format
- Can contain ActionScript (embedded Flash)
- File structure:
  - Header - contains version info
  - 1 or more objects that render the document (text, fonts, JS)
  - Indirect objects refer (point) to other objects by a unique id: the 1st number is the object number, the 2nd is the generation number
  - Objects use streams to store data AND JS
  - xref table
  - trailer
- AA (Automatic Action) is leveraged by malware
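As an added example (my own Python, not from these notes and not pdf-parser.py or peepdf code), a small triage script that walks a PDF's `N G obj ... endobj` objects, flags the action-related keys mentioned above (/OpenAction, /AA, /JavaScript, /JS) together with the object and generation numbers and the indirect references each object points to, and then follows an /OpenAction reference down to the JavaScript stream it launches. The sample PDF is constructed inline; the regexes assume uncompressed, unencrypted objects (a real file with /FlateDecode streams needs pdf-parser.py's filter handling first).

```python
import re

# Constructed sample (not from the notes): object 1 is the catalog whose /OpenAction
# points at object 3, an action whose /JS references the script stream in object 4;
# object 5 is a page that re-uses the same action through an /AA dictionary.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [5 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Action /S /JavaScript /JS 4 0 R >>
endobj
4 0 obj
<< /Length 32 >>
stream
app.alert('constructed sample');
endstream
endobj
5 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 3 0 R >> >>
endobj
trailer
<< /Root 1 0 R /Size 6 >>
%%EOF
"""

# "N G obj ... endobj": N is the object number, G the generation number
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# indirect reference "N G R"
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
# dictionary keys worth a second look: the AA/OpenAction triggers plus JS carriers
SUSPICIOUS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]


def parse_objects(data):
    """Map (object number, generation number) -> object body bytes."""
    return {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(data)}


def stream_of(body):
    """Return the raw bytes between 'stream' and 'endstream', or None."""
    m = re.search(rb"\bstream\r?\n(.*?)\r?\nendstream", body, re.DOTALL)
    return m.group(1) if m else None


def triage(data):
    """List objects carrying suspicious keys, with the references they point to."""
    findings = []
    for (num, gen), body in sorted(parse_objects(data).items()):
        hits = [k for k in SUSPICIOUS if re.search(re.escape(k) + rb"(?![A-Za-z])", body)]
        if hits:
            findings.append({
                "obj": num,
                "gen": gen,
                "keys": hits,
                "refs": [(int(a), int(b)) for a, b in REF_RE.findall(body)],
                "has_stream": stream_of(body) is not None,
            })
    return findings


def follow_open_action(data):
    """Resolve /OpenAction -> action object -> /JS reference and return the script bytes
    (or the action body itself when the script is inline rather than in a stream)."""
    objs = parse_objects(data)
    for body in objs.values():
        m = re.search(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R", body)
        if not m:
            continue
        action = objs.get((int(m.group(1)), int(m.group(2))), b"")
        js = re.search(rb"/JS\s+(\d+)\s+(\d+)\s+R", action)
        if js:
            return stream_of(objs.get((int(js.group(1)), int(js.group(2))), b""))
        return action
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_PDF):
        print(f"obj {f['obj']} gen {f['gen']}: {b' '.join(f['keys']).decode()} -> refs {f['refs']}")
    print("OpenAction script:", follow_open_action(SAMPLE_PDF))
```

Running it on the sample reports objects 1, 3 and 5 and prints the script that object 4's stream holds, which is the same chain `pdf-parser.py -a` followed by `-o N` lets you walk by hand.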
- Office documents: macros, written in VBA, are legitimate so not always blocked
- They run automatically, like AA in PDFs
- Look for VBA = execute and JS = eval
- Has two formats
  - OLE2 - similar to a file system with storages (folders) and streams (files)
  - OOXML (.docx, .docm, etc.) - a ZIP archive of XML parts; VBA macros are stored in an embedded OLE2 file (vbaProject.bin)
- oletools includes oleid, oleobj, rtfobj, …
- oledump
- vmonkey (ViperMonkey) - powerful framework
- RTF = Rich Text Format; supported by MS and non-MS applications
- Doesn't support macros
- When MS Word opens an RTF doc it extracts the embedded object to the user's temp directory
- The \objdata control word will point to an embedded object
- rtfdump
- rtfobj
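Added example (my own Python; not part of these notes and not rtfobj/rtfdump code) of what sits behind the \objdata control word: locate it, hex-decode its payload, parse the OLE1 ObjectHeader (MS-OLEDS layout: OLEVersion, FormatID, ClassName, TopicName, ItemName, then NativeDataSize and NativeData for an embedded object) and report the class name and what the native data looks like. The RTF fragment, the OLE1 wrapper and the stand-in compound-file payload are all constructed inline.

```python
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file (CFB) header


def _lp_string(s):
    """OLE1 LengthPrefixedAnsiString: 4-byte length (incl. NUL), then the bytes."""
    raw = s.encode() + b"\0"
    return len(raw).to_bytes(4, "little") + raw


# Constructed OLE1 embedded object: OLEVersion, FormatID 2 (embedded), ClassName,
# TopicName, ItemName, NativeDataSize, NativeData (a stand-in CFB header here).
NATIVE_DATA = OLE2_MAGIC + b"\0" * 24
OLE1_OBJECT = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
               + _lp_string("Package") + _lp_string("") + _lp_string("")
               + len(NATIVE_DATA).to_bytes(4, "little") + NATIVE_DATA)


def _hex_lines(b, width=40):
    h = b.hex()
    return "\n".join(h[i:i + width] for i in range(0, len(h), width))


# Constructed RTF fragment carrying that object under \objdata, hex wrapped over lines
SAMPLE_RTF = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
              + _hex_lines(OLE1_OBJECT) + "}}\\par}").encode()

OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])\s*([0-9A-Fa-f\s]*)")


def extract_objdata(rtf):
    """Hex-decode the payload of every \\objdata control word."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]   # drop a dangling nibble
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode()))
    return blobs


def parse_ole1(blob):
    """Parse an OLE1 ObjectHeader and return (class_name, native_data)."""
    format_id = int.from_bytes(blob[4:8], "little")
    pos, names = 8, []
    for _ in range(3):                      # ClassName, TopicName, ItemName
        n = int.from_bytes(blob[pos:pos + 4], "little")
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\0").decode(errors="replace"))
        pos += n
    if format_id != 2:                      # only FormatID 2 (embedded) carries native data
        return names[0], b""
    size = int.from_bytes(blob[pos:pos + 4], "little")
    return names[0], blob[pos + 4:pos + 4 + size]


def classify_payload(data):
    """Cheap magic-byte check on the native data: CFB container, PE, or unknown."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-compound-file"
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def triage_rtf(rtf):
    return [{"class": cls, "payload": classify_payload(native), "size": len(native)}
            for cls, native in map(parse_ole1, extract_objdata(rtf))]


if __name__ == "__main__":
    for r in triage_rtf(SAMPLE_RTF):
        print(f"class={r['class']} payload={r['payload']} size={r['size']}")
```

A "Package" class with an executable or script as native data is the case the notes describe: Word writes that file to the user's temp directory when the document is opened, so the class name and payload type are the two fields worth pulling out first.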
- In PDFs: Automated Actions
- In Office documents: VBA = execute and JS = eval
- In RTF: \objdata
- oleid – look for macros=True
- exiftool or olemeta
- vmonkey
- oledump.py by Didier Stevens to check interesting strings (will confirm what's seen in vmonkey)
- .rsrc is a PE section name; seeing it inside a document stream suggests an embedded executable is in this document
- Finding mutexes is a sign (**not a guarantee) of malicious intent
- oledump.py file | pecheck.py
- 4D5A (MZ) is the magic bytes of a PE file
- Now use oledump to carve
- oledump.py maldoc.doc -s 14 -C 0x00063:0x16862 -d > output.exe
- pescan.py output.exe
- malwoverview -f output.exe -v 1 -p 1 # will check virus vendors
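An added example (my own Python, not oledump or pecheck code) of what the carve step above does, generalized: scan a stream for 4D5A, validate each candidate by following e_lfanew to the PE\0\0 signature (so a stray "MZ" in filler is rejected), and compute the image's end from its section table instead of a hand-picked cut offset. The document stream and the PE header inside it are constructed inline; the fake image is headers only, not a runnable program.

```python
import struct

PE_OFF = 0x80          # e_lfanew used by the constructed sample
SEC_RAW_OFF = 0x200    # PointerToRawData of its single section
SEC_RAW_SIZE = 0x40    # SizeOfRawData of that section


def build_fake_pe():
    """Constructed stand-in for an embedded executable: a structurally valid DOS/COFF/
    optional header plus one .rsrc section. Headers only, nothing executable."""
    dos = bytearray(PE_OFF)
    dos[0:2] = b"MZ"                                   # 4D 5A magic
    struct.pack_into("<I", dos, 0x3C, PE_OFF)          # e_lfanew -> "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)                # PE32 magic
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".rsrc\0\0\0", SEC_RAW_SIZE, 0x1000,
                          SEC_RAW_SIZE, SEC_RAW_OFF, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(SEC_RAW_OFF, b"\0") + b"R" * SEC_RAW_SIZE


FAKE_PE = build_fake_pe()
# Constructed document stream: filler, a decoy "MZ" whose e_lfanew is bogus,
# then the real image starting at offset 0x63, then trailing bytes.
SAMPLE_STREAM = b"\x00" * 0x50 + b"MZ" + b"\x00" * 0x11 + FAKE_PE + b"\xff" * 16


def find_pe_candidates(blob):
    """Return (mz_offset, pe_offset) for every 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append((pos, pe))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def pe_extent(blob, mz_off, pe_off):
    """Absolute end offset of the image: the furthest section raw end, or the end
    of the section table when no section carries raw data."""
    nsec = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    sec_tab = pe_off + 24 + opt_size
    end = sec_tab + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_tab + 40 * i + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    return end


def carve_embedded_pe(blob):
    """Carve each validated PE: returns [(start, end, image_bytes)]."""
    carved = []
    for mz, pe in find_pe_candidates(blob):
        end = min(pe_extent(blob, mz, pe), len(blob))
        carved.append((mz, end, blob[mz:end]))
    return carved


if __name__ == "__main__":
    for start, end, image in carve_embedded_pe(SAMPLE_STREAM):
        print(f"PE at 0x{start:05X}:0x{end:05X} ({len(image)} bytes)")
```

The printed start:end range is exactly the expression you would hand to oledump's -C cut option for that stream; on the sample the decoy MZ at 0x50 is skipped and the real image is reported at 0x00063:0x002A3.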
- mraptor my.doc -m -r # will tell you if macros exist and if they are suspicious
- olemeta or exiftool
- olevba my.doc --decode --deobf
- vmonkey my.doc
- sc_distorm SC.bin
- scdbg -f shellcode.bin # will step through shellcode
- pdfinfo invoice.pdf # check version and then google common exploits for that version
- pdf-parser.py invoice.pdf -o 7 | base64dump.py -s 2 -t utf8 -a # parse the deobfuscated base64
- peepdf invoice.pdf -i -c # includes SpiderMonkey to analyze JS; will also say whether or not the file is found in VirusTotal
- decode file raw_7.txt b64 # inside the peepdf interactive console
- decode file raw_7.js b64
- quit
- We've parsed out the malicious code, now figure it out.
- pdf-parser.py payroll.pdf -a # see references to js and openaction
- pdf-parser.py payroll.pdf -o 5 # see object 5
- pdf-parser.py payroll.pdf -o 5 -c -w # see object 5 and output prettyprinted
- sc_distorm o 9.sc
- scdbg -f shellcode.bin -fopen payroll.pdf -u -i # emulation
- peframe shellcode.drop
- peid # checks which packer we're using
- pecheck shellcode.drop
- rtfobj some.doc
- rtfscan some.doc scan
- rtfdump some.doc # we see the objdata reference
- rtfdump.py some.doc -s 5 # check object 5
- rtfdump.py some.doc -s 29 -H -c 0x97B:0xA22 -d > b64.txt
- python loffice.py word none some.doc # Lazy Office analyzer attaches to the Windows debugger
- Didier Stevens' tool suite: https://github.com/DidierStevens/DidierStevensSuite (oletools are a separate project by decalage2)
- Lazy Office analyzer in combination with fakenet-ng; then save the vmem and use vol.py netscan, then filescan | grep -i .vbs
