
Malicious VBA Office Document Without Source Code, (Tue, Apr 23rd)

A couple of years ago, we posted the diary entry “VBA and P-code”, featuring a VBA P-code disassembler developed by Dr. Bontchev. VBA source code is compiled into P-code, which is stored alongside the compressed source code in the OLE file that holds the VBA macros.

Dr. Bontchev also published a PoC Word document with VBA code: it contained just the P-code, and no VBA source code. Hence, to analyze that document, you could not extract the source code; you had to disassemble the P-code with pcodedmp.py.

Yesterday, I was pointed towards a malicious Word document found in-the-wild that was hard to analyze. It turned out the VBA source code had been wiped (recently, this method has also been referred to as VBA stomping).

Here’s how I analyzed this document. First, I get this output with oledump.py:

With this output and the context I was given, I can already conclude that this is a malicious document: the recipient received an unexpected .docm file from an unknown sender -> maldoc.

Note also that stream A3 has no M indicator, while its name (Module1) indicates it should contain VBA code. That’s why I use option -i to get more info:

For every stream with VBA code, option -i will display 2 numbers: the size of the compiled code (P-code) and the size of the compressed VBA source code.

For stream A3, I see that the compressed VBA code is 1280 bytes in size. So why is there no M indicator?

Decompressing the VBA code throws an error:

I take a look at the raw, compressed VBA code (using suffix s for source code):

It has been wiped: the compressed VBA code has been overwritten with 0x00 bytes!
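The check above (a non-empty compressed source area that will not decompress, and on inspection is all 0x00 bytes) is easy to reproduce without the diary's tools. What follows is an added example, not code from the diary, oledump.py or any other project: a minimal decompressor for the MS-OVBA CompressedContainer format that Office uses for VBA source, plus a status function that classifies a module's source area the way the diary does. The compressed containers it runs on are constructed inside the file (a literal-only compressor builds one; the other is a hand-made container with one back-reference; the "wiped" one is 1280 zero bytes, the size stream A3 had).

```python
import struct

# Added example (not code from the diary, oledump.py or olevba): a minimal
# MS-OVBA 2.4.1 decompressor plus the "is the source wiped?" check.  Every
# compressed container used here is constructed inside this file.

LITERAL_CHUNK = 3640   # 455 flag-byte groups of 8 literals fit in one 4096-byte chunk


def decompress_vba_source(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (the encoding of the VBA
    source text inside a module stream).  Raises ValueError on bad input."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # size includes this 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                        # DecompressedChunkStart
        if not compressed:                            # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                    # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: copy one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # CopyToken offset/length split depends on how far into the chunk we are
                diff = len(out) - chunk_start
                bit_count = max(4, (diff - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > diff:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):               # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_literal_only(data: bytes) -> bytes:
    """Build a valid CompressedContainer that uses only literal tokens.
    Not an efficient compressor; it exists to produce test input."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), LITERAL_CHUNK):
        chunk = data[start:start + LITERAL_CHUNK]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body += b"\x00" + chunk[i:i + 8]          # flag byte 0 = eight literals
        header = 0x8000 | 0x3000 | (len(body) - 1)    # compressed flag, signature, size-3
        container += struct.pack("<H", header) + body
    return bytes(container)


def vba_source_status(container: bytes) -> str:
    """Classify a module's compressed source area as the diary does: a
    non-empty area that is all 0x00, or that does not decompress, is a
    sign that the VBA source was wiped (VBA stomping)."""
    if len(container) == 0:
        return "empty"
    if container.count(0) == len(container):
        return "wiped: source area is all 0x00 bytes"
    try:
        decompress_vba_source(container)
    except ValueError as exc:
        return "undecompressable: %s" % exc
    return "ok"


# Constructed inputs for this example
SAMPLE_SOURCE = b"Sub AutoOpen()\r\n    MsgBox \"hello\"\r\nEnd Sub\r\n"
COMPRESSED = compress_literal_only(SAMPLE_SOURCE)
COPY_TOKEN_SAMPLE = b"\x01\x05\xb0\x08abc\x03\x20"    # "abc" + copy(offset 3, length 6)
WIPED = b"\x00" * 1280                                 # what stream A3 looked like

if __name__ == "__main__":
    print(decompress_vba_source(COMPRESSED).decode())
    print(decompress_vba_source(COPY_TOKEN_SAMPLE))    # b'abcabcabc'
    print(vba_source_status(COMPRESSED))               # ok
    print(vba_source_status(WIPED))                    # wiped: ...
```

The decompressor follows the MS-OVBA specification literally (2-byte chunk header, flag byte per eight tokens, copy-token bit split derived from the position within the chunk); it is the same logic that makes oledump.py throw an error on the wiped stream, because a 0x00 signature byte fails the very first check.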

If you were still unsure if this document was malicious or not: now you can cast aside any doubt. Microsoft Office applications do not produce documents like this. This document has been tampered with to try to bypass AV detection.

And if your job is to determine if a document like this is malicious or not, you can report your findings now: this is a maldoc.

But if you need to figure out what this maldoc does, there’s a bit more to analyze.

Using suffix c (compiled), I select all bytes that make up the P-code:

Notice the strings Winmgmts and Win32_Process (reversed): it looks like this maldoc creates a new process via WMI.

Now I’m using pcodedmp.py to look at the disassembly:

Here is the disassembled P-code. P-code is executed by a stack machine: first, arguments are pushed onto the stack; then functions are called that pop their arguments from the stack and push their results onto it.

Here I see a string constant (consisting of digits) assigned to variable E_MO, and then passed as argument to function B_RA, whose output is used as argument to CreateObject. The result is assigned to variable F_DC. Thus the string is an obfuscated object name, and function B_RA does the deobfuscation.

In the following screenshot, I see a variable (SP_LL) of the Word document (ActiveDocument) that is passed to function B_RA, to be deobfuscated, and then executed (F_DC.Exec).

And here is function B_RA:

It contains a For loop in which function Mid selects substrings 3 characters long; each substring is converted to an integer, 0x1A (26) is subtracted from it, and the result is converted to a character. With this information, I can make an educated guess on how to decode the obfuscated string.

But first, I need to find the value of variable SP_LL. Since this is a .docm file, I need to search the XML files contained in a ZIP file. zipdump.py with its YARA functionality is what I need here:

File settings.xml contains variable SP_LL:

With re-search.py and a regular expression to match strings of 10 digits or longer, I extract the value for SP_LL (a long string of digits):

Next I need to break this string up into substrings of 3 digits. I can do this too with re-search.py, and a regular expression for 3 digits:

Now I need to convert these numbers to characters. numbers-to-string.py was designed to do just this. I use option -n 1 to process one number per line (by default, numbers-to-string.py expects at least 3 numbers per line):

This is not yet the decoded string we want: I need to subtract 26 from each number, like this:

Here I recognize cmd.exe … Finally, I use option -j to join all lines into a single line:

And this is a command that launches PowerShell with a downloader script.
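The decoding pipeline above (find the long digit string in settings.xml, split it into 3-digit groups, subtract 26, convert to characters, join) can be reproduced in a few lines. The following is an added example, not the diary's code and not the maldoc's VBA: a Python re-implementation of what the disassembled B_RA function does, run against a settings.xml fragment constructed for the example. The variable name SP_LL comes from the diary; the assumption that it sits in a w:docVar element (where Word stores document variables) and the encoded value itself, which decodes to a harmless echo command, are mine.

```python
import re

# Added example (not from the diary or the maldoc): B_RA-style decoding and the
# re-search.py / numbers-to-string.py pipeline in plain Python.  The settings.xml
# fragment and the encoded command below are constructed for this example.


def b_ra_decode(digits: str) -> str:
    """What the disassembled B_RA does: 3-digit groups, minus 26, to a character."""
    if len(digits) % 3:
        raise ValueError("length is not a multiple of 3")
    return "".join(chr(int(digits[i:i + 3]) - 26) for i in range(0, len(digits), 3))


def b_ra_encode(text: str) -> str:
    """Inverse of b_ra_decode; only used here to construct the sample docVar."""
    if any(ord(c) + 26 > 999 for c in text):
        raise ValueError("character does not fit in 3 digits")
    return "".join("%03d" % (ord(c) + 26) for c in text)


def extract_sp_ll(settings_xml: str) -> str:
    """Pull the value of document variable SP_LL out of word/settings.xml."""
    m = re.search(r'w:name="SP_LL"\s+w:val="([^"]*)"', settings_xml)
    if not m:
        raise ValueError("SP_LL not found")
    return m.group(1)


def decode_pipeline(blob: str) -> str:
    """The diary's tool chain as one function: regex for 10+ digits, split
    into 3-digit groups, subtract 26, convert to characters, join."""
    value = re.search(r"\d{10,}", blob).group(0)       # re-search.py, \d{10,}
    groups = re.findall(r"\d{3}", value)               # re-search.py, \d{3}
    return "".join(chr(int(g) - 26) for g in groups)   # numbers-to-string.py -n 1, -26, -j


# Constructed sample: a harmless command hidden the way the maldoc hides its own
SAMPLE_COMMAND = "cmd.exe /c echo decoded"
SETTINGS_XML = (
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:docVars><w:docVar w:name="SP_LL" w:val="%s"/></w:docVars>'
    '</w:settings>' % b_ra_encode(SAMPLE_COMMAND)
)

if __name__ == "__main__":
    print(extract_sp_ll(SETTINGS_XML))
    print(decode_pipeline(SETTINGS_XML))               # cmd.exe /c echo decoded
```

Because the encoding is a fixed offset on the character code, the first decoded bytes ("cmd") are recognizable immediately, which is exactly the cue the diary uses to confirm its guess before joining the lines.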


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


.rar Files and ACE Exploit CVE-2018-20250, (Mon, Apr 22nd)

Reader Carlos submitted an email with attached RAR file.

In the past, when you received a RAR file as an attachment in an unexpected email, it often contained a single malicious Windows executable. For the infection to occur, one would have to open the attachment and double-click the executable.

Nowadays, a RAR file can also be an ACE exploit, like the popular CVE-2018-20250. Infection typically occurs by opening the attachment, and then restarting the computer or performing a logoff/logon cycle.

With oledump.py and plugin plugin_msg.py, one can inspect .msg files:

There’s an attachment with extension .rar:

And it is indeed a RAR file containing an executable.

If it were an ACE file masquerading as a RAR file (.rar extension instead of .ace), one would see the following:

The binary data does not start with “Rar!”; instead, one sees “**ACE**” a few bytes into the binary data.

The example above is a normal ACE file. ACE files with a path traversal exploit will have an abnormal path stored in the ACE file:
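The two checks in this diary (does the content match the extension, and does an ACE file carry an abnormal path) can be automated for mail-gateway or triage scripts. The following is an added example, not code from the diary or from oledump.py/plugin_msg.py. It identifies RAR 4/5 and ACE from their magic bytes and, for ACE, walks the headers to collect the stored file names and flag traversal-style ones. The ACE header layout it uses is an assumption taken from the public format description (as implemented by the acefile project), not something the diary shows, so check it against a real ACE tool before relying on it; the sample archives are constructed by build_ace() with that same assumed layout.

```python
import re
import struct

# Added example (not from the diary or from oledump.py/plugin_msg.py): triage of a
# ".rar"-named attachment by content.  The ACE header layout is an assumption
# from the public format description; sample archives are constructed below.

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"             # at offset 7: after crc16(2) hsize(2) type(1) flags(2)
FLAG_ADDSIZE = 0x0001              # header carries a 4-byte "addsize" (packed data size)


def identify_archive(data: bytes) -> str:
    """Classify by content, never by extension."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if len(data) >= 14 and data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def ace_filenames(data: bytes) -> list:
    """Walk ACE headers (crc16, hsize, body) and collect names from file
    headers (type 1).  Assumed body layout: type(1) flags(2) [addsize(4)]
    origsize(4) datetime(4) attribs(4) crc32(4) comptype(1) compqual(1)
    params(2) reserved(2) fnsize(2) filename; addsize bytes of data follow."""
    names, pos = [], 0
    while pos + 4 <= len(data):
        hsize = struct.unpack_from("<H", data, pos + 2)[0]
        body = data[pos + 4:pos + 4 + hsize]
        if hsize < 3 or len(body) < hsize:
            break
        htype, flags = body[0], struct.unpack_from("<H", body, 1)[0]
        addsize, off = 0, 3
        if flags & FLAG_ADDSIZE and hsize >= 7:
            addsize, off = struct.unpack_from("<I", body, 3)[0], 7
        if htype == 1 and hsize >= off + 24:
            fnsize = struct.unpack_from("<H", body, off + 22)[0]
            names.append(body[off + 24:off + 24 + fnsize].decode("latin-1"))
        pos += 4 + hsize + addsize
    return names


def suspicious_path(name: str) -> bool:
    """Heuristic: traversal components, drive letters or a leading separator
    have no business in a name stored in an e-mailed archive."""
    n = name.replace("/", "\\")
    return ".." in n.split("\\") or re.match(r"[A-Za-z]:", n) is not None or n.startswith("\\")


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings (empty list means nothing odd was seen)."""
    findings = []
    kind = identify_archive(data)
    if filename.lower().endswith(".rar") and kind == "ace":
        findings.append("extension says RAR but content is ACE")
    if kind == "ace":
        for name in ace_filenames(data):
            if suspicious_path(name):
                findings.append("abnormal path in ACE file header: " + name)
    return findings


def build_ace(filenames) -> bytes:
    """Construct a minimal ACE-like archive with the layout assumed above
    (CRCs zero, no packed data); only used to feed the functions here."""
    main_body = b"\x00" + struct.pack("<H", 0) + ACE_MAGIC + b"\x00" * 12
    archive = b"\x00\x00" + struct.pack("<H", len(main_body)) + main_body
    for name in filenames:
        fname = name.encode("latin-1")
        body = (b"\x01" + struct.pack("<HI", FLAG_ADDSIZE, 0)        # type, flags, addsize
                + struct.pack("<IIII", 0, 0, 0, 0)                   # origsize datetime attribs crc32
                + b"\x00\x00" + struct.pack("<HH", 0, 0)             # comptype compqual params reserved
                + struct.pack("<H", len(fname)) + fname)
        archive += b"\x00\x00" + struct.pack("<H", len(body)) + body
    return archive


# Constructed samples
SAMPLE_RAR = RAR4_MAGIC + b"\x00" * 32
SAMPLE_ACE = build_ace(["invoice.exe"])
SAMPLE_TRAVERSAL = build_ace(["..\\..\\Startup\\dropped.exe", "C:\\absolute\\path.exe"])

if __name__ == "__main__":
    for label, blob in (("rar", SAMPLE_RAR), ("ace", SAMPLE_ACE), ("bad", SAMPLE_TRAVERSAL)):
        print(label, identify_archive(blob), triage_attachment("invoice.rar", blob))
```

For gateway use the important design choice is that the verdict never depends on the extension: the first finding is raised precisely because the content and the name disagree.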


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Analyzing UDF Files with Python, (Fri, Apr 19th)

Yesterday, Xavier wrote a diary entry about malicious UDF files.

I wrote about the analysis of .ISO files before, and it turns out the same techniques work for UDF files too.

Python module isoparser can also parse UDF files:

We can retrieve the content:

And calculate the hash of the contained EXE:


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Malware Sample Delivered Through UDF Image, (Wed, Apr 17th)

I found an interesting phishing email which was delivered with a malicious attachment: a UDF image (.img). UDF means “Universal Disk Format” and, as Wikipedia puts it[1], is an open vendor-neutral file system for computer data storage. It has supplanted the well-known ISO 9660 format (used for burning CDs & DVDs) that was also used in a previous campaign to deliver malicious files[2].

Here is a copy of the mail:

From: 
To: 
Subject: Overdue Invoice
Valued customer,
Attached is your invoice as scheduled, your credit/debit card will be charged. Your bill will be delivered along with your ordered items(s).
Please review the receipt at your earliest convenience and get back to us in case of anomalies.

Thank you for your continued patronage.

Warm regards.

The attached file was called “invoice#003.img” with the SHA256 hash: 886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02. At the moment, the file is flagged by 23 AV engines on VirusTotal[3]. To read the content of the archive safely, you can use the ‘loop’ driver on a Linux system:

# mount -o loop /tmp/invoice#003.img /mnt/malicious/
# ls -l /mnt/malicious
total 1296
-r-xr-xr-x 1 nobody nogroup 1325568 Apr 14 23:45 invoice#003.exe
# shasum -a 256 /tmp/malicious/invoice*
b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a  /mnt/malicious/invoice#003.exe

Here, the VT score is 35[4]; it’s classic malware written in AutoIt, nothing special. It tries to connect to kingdevil[.]ddns[.]net:4156.
Let’s have a look at the UDF image:

00008220: 2020 2020 2020 2020 2020 2020 2020 2020
00008230: 2020 2020 2020 2020 2020 2020 2020 494d                IM
00008240: 4742 5552 4e20 5632 2e35 2e38 2e30 202d  GBURN V2.5.8.0 -
00008250: 2054 4845 2055 4c54 494d 4154 4520 494d   THE ULTIMATE IM
00008260: 4147 4520 4255 524e 4552 2120 2020 2020  AGE BURNER!
00008270: 2020 2020 2020 2020 2020 2020 2020 2020
00008280: 2020 2020 2020 2020 2020 2020 2020 2020
00008290: 2020 2020 2020 2020 2020 2020 2020 2020
000082a0: 2020 2020 2020 2020 2020 2020 2020 2020
000082b0: 2020 2020 2020 2020 2020 2020 2020 2020
000082c0: 2020 2020 2020 2020 2020 2020 2020 2020
000082d0: 2020 2020 2020 2020 2020 2020 2020 2020
000082e0: 2020 2020 2020 2020 2020 2020 2020 2020
000082f0: 2020 2020 2020 2020 2020 2020 2020 2020
00008300: 2020 2020 2020 2020 2020 2020 2020 2020
00008310: 2020 2020 2020 2020 2020 2020 2020 2020
00008320: 2020 2020 2020 2020 2020 2020 2032 3031               201
00008330: 3930 3431 3530 3034 3635 3430 300c 3230  9041500465400.20
00008340: 3139 3034 3135 3030 3436 3534 3030 0c30  19041500465400.0
00008350: 3030 3030 3030 3030 3030 3030 3030 3000  000000000000000.
00008360: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00008370: 0001 0049 6d67 4275 726e 2076 322e 352e  ...ImgBurn v2.5.
00008380: 382e 3000 0000 0000 0000 0000 0000 0000  8.0.............

ImgBurn is a well-known Windows tool used to create CD/DVD images[5] and guess what? A stock Windows installation handles this type of file without any extra tool:
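The banner in the hexdump above sits in a fixed place: sector 16 of the image holds the ISO 9660 Primary Volume Descriptor, and bytes 574 to 701 of it are the Application Identifier, with the creation date at byte 813 and the Application Use area (the second "ImgBurn v2.5.8.0") at byte 883. A UDF image usually carries the UDF volume recognition sequence (BEA01, NSR02/NSR03, TEA01) in the sectors right after the ISO descriptors, which is why the same techniques that work for .iso files work here too, as Didier's diary on analyzing UDF files with Python notes. The following is an added example for both diaries and is not code from either of them, nor from the isoparser module: a descriptor reader for a raw .iso/.img file, run on an image constructed in the same file. The field offsets come from ECMA-119 / ISO 9660; the system and volume identifiers in the constructed image are made up, while the application strings and date are the ones visible in the hexdump.

```python
# Added example (not code from either diary, nor from isoparser): read the volume
# descriptor area of a .iso/.img file.  Field offsets follow ECMA-119 / ISO 9660;
# the image this runs on is constructed by build_sample_image() below.

SECTOR = 2048


def _text(raw: bytes) -> str:
    return raw.decode("ascii", "replace").strip()


def iso_datetime(raw: bytes) -> str:
    """Decode a 17-byte ISO 9660 date: 16 ASCII digits (YYYYMMDDHHMMSShh)
    plus a signed byte giving the UTC offset in 15-minute steps."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits.strip("0"):
        return ""                                     # all zeros means "not set"
    tz = raw[16] - 256 if raw[16] > 127 else raw[16]
    hh, mm = divmod(abs(tz) * 15, 60)
    return "%s-%s-%s %s:%s:%s %s%02d:%02d" % (
        digits[0:4], digits[4:6], digits[6:8], digits[8:10], digits[10:12],
        digits[12:14], "+" if tz >= 0 else "-", hh, mm)


def parse_image_descriptors(image: bytes) -> dict:
    """Walk sectors 16.. until something that is neither an ISO 9660 nor a
    UDF descriptor appears; return PVD fields and the UDF identifiers seen."""
    info = {"iso9660": None, "udf_vrs": []}
    sector = 16
    while True:
        desc = image[sector * SECTOR:(sector + 1) * SECTOR]
        if len(desc) < SECTOR:
            break
        dtype, ident = desc[0], desc[1:6]
        if ident == b"CD001":                         # ISO 9660 descriptor
            if dtype == 1 and info["iso9660"] is None:   # Primary Volume Descriptor
                info["iso9660"] = {
                    "system_id": _text(desc[8:40]),
                    "volume_id": _text(desc[40:72]),
                    "application_id": _text(desc[574:702]),
                    "application_use": _text(desc[883:1395].split(b"\x00")[0]),
                    "created": iso_datetime(desc[813:830]),
                }
            # type 255 is the set terminator; other descriptor types are skipped
        elif ident in (b"BEA01", b"NSR02", b"NSR03", b"TEA01", b"BOOT2"):
            info["udf_vrs"].append(ident.decode("ascii"))   # UDF recognition sequence
        else:
            break
        sector += 1
    return info


def build_sample_image(app_id: str, app_use: str, created: bytes) -> bytes:
    """Construct a minimal ISO/UDF bridge image: 16 system sectors, a PVD,
    a terminator, then the UDF recognition sequence BEA01, NSR02, TEA01."""
    pvd = bytearray(b" " * SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[8:40] = b"Win32".ljust(32)                    # made-up system identifier
    pvd[40:72] = b"INVOICE".ljust(32)                 # made-up volume identifier
    pvd[574:702] = app_id.encode("ascii")[:128].ljust(128)
    pvd[813:830] = created
    pvd[883:883 + len(app_use) + 1] = app_use.encode("ascii") + b"\x00"
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1

    def vrs(ident: bytes) -> bytes:
        d = bytearray(SECTOR)
        d[1:6], d[6] = ident, 1
        return bytes(d)

    return (b"\x00" * (16 * SECTOR) + bytes(pvd) + bytes(term)
            + vrs(b"BEA01") + vrs(b"NSR02") + vrs(b"TEA01"))


# Constructed image carrying the strings and date seen in the hexdump
SAMPLE_IMAGE = build_sample_image("IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!",
                                  "ImgBurn v2.5.8.0", b"2019041500465400\x0c")

if __name__ == "__main__":
    print(parse_image_descriptors(SAMPLE_IMAGE))
```

Two things this surfaces that a plain hexdump does not: the creation timestamp with its time-zone offset (the 0x0c after the digits in the hexdump is +03:00), and whether the image is a pure UDF, pure ISO 9660 or a bridge image, which decides which parser or mount option to reach for next.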

So be careful with .img files! Add them to the list of prohibited file extensions on your mail relays, or change the file association in your Windows environments so that Windows Explorer does NOT open them.

[1] https://en.wikipedia.org/wiki/Universal_Disk_Format
[2] https://isc.sans.edu/forums/diary/Malicious+iso+Attachments/22636
[3] https://www.virustotal.com/#/file/886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02/relations
[4] https://www.virustotal.com/#/file/b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a/detection
[5] https://www.imgburn.com

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
