This is funny. I mean, we all know that attackers often grapple with grammatical/spelling errors, but this one for some reason just made me chuckle.
We had a client receive an e-mail letting them know that a payment for $18k+ was ready for them. The e-mail had a .DOC file attached. Of course, I told the client to delete the e-mail entirely from their system, but not before I was able to grab a sample for analysis.
At the time of this writing, VirusTotal shows that 0% of engines detect this sample... and this is down from our original submission of the sample. JOE Sandbox Document Analyzer shows only a 24% malicious score, and even that score is accrued from points I consider to be unimportant. So, what gives with this sample? Is it truly soooper secret?
Turns out... no, it is not. Firstly, laugh at this screenshot.
OH NOES! MAI MACROSES R DISABLED!
So, clearly the attacker can't spell. That alone is not grounds for dismissing a sample, so let's do some analysis. Firstly, let's check the document's metadata with the awesome exiftool:
ExifTool Version Number : 9.97
File Name : M51ZJQOBOO138A.doc
Directory : ./source
File Size : 202 kB
File Modification Date/Time : 2015:10:22 09:55:35-04:00
File Access Date/Time : 2015:10:23 11:35:41-04:00
File Creation Date/Time : 2015:10:23 11:35:41-04:00
File Permissions : rw-rw-rw-
File Type : DOC
File Type Extension : doc
MIME Type : application/msword
Title :
Subject :
Author : IhpSPjjDqDF
Keywords :
Comments :
Template : Normal.dotm
Last Modified By : Y0er9dHL
Revision Number : 3
Software : Microsoft Office Word
Total Edit Time : 1.0 minutes
Create Date : 2015:10:22 22:45:00
Modify Date : 2015:10:22 23:19:00
Pages : 1
Words : 4334
Characters : 24704
Security : None
Code Page : Windows Cyrillic
Company :
Lines : 205
Paragraphs : 57
Char Count With Spaces : 28981
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Comp Obj User Type Len : 32
Comp Obj User Type : Microsoft Word 97-2003 Document
ExifTool Version Number : 9.97
File Name : R4PHYGX.doc
Directory : C:/tempinst/OfficeMalScanner/OfficeMalScanner/source
File Size : 192 kB
File Modification Date/Time : 2015:04:21 09:07:34-04:00
File Access Date/Time : 2015:05:28 07:29:01-04:00
File Creation Date/Time : 2015:05:28 07:29:01-04:00
File Permissions : rw-rw-rw-
File Type : DOC
File Type Extension : doc
MIME Type : application/msword
Title :
Subject :
Author : jiwdj
Keywords :
Comments :
Template : Normal.dotm
Last Modified By : Owner
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 0
Create Date : 2015:04:21 10:34:00
Modify Date : 2015:04:21 10:34:00
Pages : 1
Words : 107
Characters : 614
Security : None
Company : SPecialiST RePack
Lines : 5
Paragraphs : 1
Char Count With Spaces : 720
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : ,
Heading Pairs : Title, 1, Название, 1
Code Page : Windows Cyrillic
Hyperlinks : http://office365.com/
Comp Obj User Type Len : 32
Comp Obj User Type : Microsoft Word 97-2003 Document
As you can see, I have included a second run against a .DOC sample that actually drops Dridex, just so you can compare the two side by side. But this metadata proves nothing. Next, let's turn to the ever-useful OfficeMalScanner:
+------------------------------------------+
| OfficeMalScanner v0.61 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file .\source\M51ZJQOBOO138A.doc
[*] Filesize is 206848 (0x32800) Bytes
[*] Ms Office OLE2 Compound Format document detected
---------------------------------------------
[Scanning for VB-code in M51ZJQOBOO138A.DOC]
---------------------------------------------
-----------------------
No VB-Macro code found!
+------------------------------------------+
| OfficeMalScanner v0.61 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file .\source\R4PHYGX.doc
[*] Filesize is 196096 (0x2fe00) Bytes
[*] Ms Office OLE2 Compound Format document detected
--------------------------------------
[Scanning for VB-code in R4PHYGX.DOC]
--------------------------------------
Module1
Module2
Module3
Module4
Module5
ThisDocument
-----------------------------------------------------------------------------
VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
The decompressed Macro code was stored here:
------> C:\TempInst\OfficeMalScanner\OfficeMalScanner\R4PHYGX.DOC-Macros
-----------------------------------------------------------------------------
Here is the funny part. For some reason, this document contains no macros. You can see what an actual malicious document returns by reviewing the second sample. So, you can now see why this document is not being flagged by scanners; it isn't malicious at all!
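As an added example (not code from the original post, and not OfficeMalScanner's own code), here is a small pure-Python triage check that does the same first pass: walk the OLE2 compound-file directory and report whether a VBA project storage is present at all. The fixture builder constructs a minimal compound file for testing; it is not a real Word document.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}

def ole_directory_names(data):
    """List (name, type) for every allocated directory entry of an OLE2 compound file."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound document")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]          # sector size (512 or 4096)
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    # The header's DIFAT lists the first 109 FAT sectors, enough for files under ~7 MB.
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))
    entries, s, seen = [], first_dir, set()
    while s != ENDOFCHAIN and s not in seen and s < len(fat):  # follow the directory chain
        seen.add(s)
        chunk = data[(s + 1) * sec:(s + 2) * sec]
        for off in range(0, sec, 128):                         # one 128-byte entry each
            name_len, etype = struct.unpack_from("<HB", chunk, off + 64)
            if etype in ENTRY_TYPES and name_len >= 2:
                name = chunk[off:off + name_len - 2].decode("utf-16-le")
                entries.append((name, ENTRY_TYPES[etype]))
        s = fat[s]
    return entries

def has_vba_project(data):
    """True when an Office VBA project storage exists (what 'No VB-Macro code found!' rules out)."""
    names = {n.lower() for n, _ in ole_directory_names(data)}
    return "vba" in names or "_vba_project" in names

def build_minimal_ole(entry_names):
    """Constructed fixture: header + 1 FAT sector + 1 directory sector of empty named entries (max 3 + root)."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)          # v3, 512-byte sectors
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 4096)                  # 1 FAT sector, dir at sector 1
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # no mini FAT, no extra DIFAT
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))         # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(entry_names)[:3]):
        enc = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(enc)] = enc
        struct.pack_into("<HB", directory, i * 128 + 64, len(enc), 5 if i == 0 else 1)
        struct.pack_into("<IIII", directory, i * 128 + 68, FREESECT, FREESECT, FREESECT, 0)
    return bytes(header) + fat + bytes(directory)
```

Run `has_vba_project(open("sample.doc", "rb").read())` against a real .DOC to get the same yes/no answer OfficeMalScanner's info mode gives; a real Word macro document carries a "Macros" storage with a "VBA" storage inside it.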
I am not going to speculate on why this document began circulating on the net without being completed, but I can say that whatever the reason, I certainly got a laugh out of it. That, and this seemed as good a time as any to demonstrate two tools that I am growing to love more and more every time I use them, exiftool and OfficeMalScanner.
Cheers!
Want some artifacts? The .ZIP password is prescomm.