[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, i saw this “Old Technique” being used again. But i wasn’t interested with it until today when i saw that it’s trying to spoof as Inland Revenue Authority of Singapore (IRAS)

So what is this “Old Technique” that i’m talking about.  It’s basically using the good old “Word 2003 XML Document” trick.  But i’ll walk you through the entire process

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the email file 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker seems to be  sending this spoofed email as  if they are from IRAS and we can find out several things from the email headers

EMAIL HEADERS:

  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<tax_no_reply-no@iras.gov.sg>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse it properly, we know that the attacker probably sent this from this IP address : 62.210.139.92.

Received: from 62-210-139-92.rev.poneytelecom.eu
(62-210-139-92.rev.poneytelecom.eu [62.210.139.92])

Based on the above image, we can see the contents of that email message that it’s trying to do social engineering on the victims and asking the victims to open the “doc” file

EMAIL MESSAGE:

 

[ Part 2 : Email attachment ]

Now let’s try to look at the attachment and we can see this.  No worries, let’s Base64 decode it.

What is interesting after Base64 decoding it, i don’t see a .doc file.  Rather, what we could see is an XML file as shown here.

 

When you open a Microsoft Office Word 2010 XML document, Microsoft Office Word 2007 XML document, or a Microsoft Office Word 2003 XML document, your Microsoft Internet Explorer will not display the document by using the default Internet Explorer. Instead, if you had Microsoft Office installed.  Microsoft Word will open the XML document instead.  Why is this so?

Let’s take a look at the image above.  Starting from Word 2003, Word documents are built using XML in what Microsoft calls the WordprocessingML. Basically Windows will detect this XML (because of the mso-application declaration) and will launch Word if you double-click it.  Microsoft got a good Overview of WordProcessingML here.

But let’s inspect this XML file first.

 

First thing that caught my eye is this.

It’s seems like it’s asking victims to “Enable Content to view” Smells like Macros again.

If we were to look further down, we can see the reference to “/word/vbaProject.bin” as shown in the image below.

Ok, more Base64 decoding to do. Once we decoded, we can spot the familiar “D0CF11E0A1B11AE1

Ok, now let’s save this Base64 decoded file and use Profiler to parse it again and we should be able to see this.

Ok, let’s deobfuscate this Macro and we should get back something like the following:

So basically it’s just downloading the payload from http://travelbag[.]ca/lk/lk/kdabz.exe

The hash of this malware is “305B32DDC8786A56FABDA1114F6BF549AEB1B283FB3915D6076D49A7E5265FCB

Since that malware is developed in .NET, i shall leave the reversing of the malware as an exercise to the readers.

[ Part 3 : Side Note ]

I know some of you are wondering did attackers made this by hand?  I highly doubt so.  I don’t want to encourage script kiddies in replicating this but it’s really simple 🙁

Thanks & Regards
Jacob Soo