Saturday, October 24, 2015

Post #11 (Or... "PLZ ENABLE UR MACROSES")

This is funny. I mean, we all know that attackers often grapple with grammatical/spelling errors, but this one for some reason just made me chuckle.

We had a client receive an e-mail letting them know that a payment for $18k+ was ready for them. The e-mail had a .DOC file attached. Of course, I told the client to delete the e-mail entirely from their system, but not before I was able to grab a sample for analysis.

At the time of this writing, VirusTotal shows that 0% of engines detect this sample... and this is down from our original submission of the sample. JOE Sandbox Document Analyzer shows only a 24% malicious score, and even that score is accrued from points I consider to be unimportant. So, what gives with this sample? Is it truly soooper secret?

Turns out... no, it is not. Firstly, laugh at this screenshot.

OH NOES! MAI MACROSES R DISABLED!

So, clearly the attacker can't spell. That, alone, is not a candidate for dismissing a sample, so let's do some analysis. Firstly, let's check the document's metadata with the awesome exiftool:

ExifTool Version Number : 9.97
File Name : M51ZJQOBOO138A.doc
Directory : ./source
File Size : 202 kB
File Modification Date/Time : 2015:10:22 09:55:35-04:00
File Access Date/Time : 2015:10:23 11:35:41-04:00
File Creation Date/Time : 2015:10:23 11:35:41-04:00
File Permissions : rw-rw-rw-
File Type : DOC
File Type Extension : doc
MIME Type : application/msword
Title :
Subject :
Author : IhpSPjjDqDF
Keywords :
Comments :
Template : Normal.dotm
Last Modified By : Y0er9dHL
Revision Number : 3
Software : Microsoft Office Word
Total Edit Time : 1.0 minutes
Create Date : 2015:10:22 22:45:00
Modify Date : 2015:10:22 23:19:00
Pages : 1
Words : 4334
Characters : 24704
Security : None
Code Page : Windows Cyrillic
Company :
Lines : 205
Paragraphs : 57
Char Count With Spaces : 28981
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Comp Obj User Type Len : 32
Comp Obj User Type : Microsoft Word 97-2003 Document

ExifTool Version Number : 9.97
File Name : R4PHYGX.doc
Directory : C:/tempinst/OfficeMalScanner/OfficeMalScanner/source
File Size : 192 kB
File Modification Date/Time : 2015:04:21 09:07:34-04:00
File Access Date/Time : 2015:05:28 07:29:01-04:00
File Creation Date/Time : 2015:05:28 07:29:01-04:00
File Permissions : rw-rw-rw-
File Type : DOC
File Type Extension : doc
MIME Type : application/msword
Title :
Subject :
Author : jiwdj
Keywords :
Comments :
Template : Normal.dotm
Last Modified By : Owner
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 0
Create Date : 2015:04:21 10:34:00
Modify Date : 2015:04:21 10:34:00
Pages : 1
Words : 107
Characters : 614
Security : None
Company : SPecialiST RePack
Lines : 5
Paragraphs : 1
Char Count With Spaces : 720
App Version : 15.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : ,
Heading Pairs : Title, 1, Название, 1
Code Page : Windows Cyrillic
Hyperlinks : http://office365.com/
Comp Obj User Type Len : 32
Comp Obj User Type : Microsoft Word 97-2003 Document

I have, as you can see, included the output of a second exiftool run, this one against a sample .DOC file that actually drops Dridex, just so you can see the two side-by-side. But this metadata proves nothing either way. Next, let's turn to the ever-useful OfficeMalScanner:

+------------------------------------------+
| OfficeMalScanner v0.61 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+

[*] INFO mode selected
[*] Opening file .\source\M51ZJQOBOO138A.doc
[*] Filesize is 206848 (0x32800) Bytes
[*] Ms Office OLE2 Compound Format document detected

---------------------------------------------
[Scanning for VB-code in M51ZJQOBOO138A.DOC]
---------------------------------------------
-----------------------
No VB-Macro code found!

+------------------------------------------+
| OfficeMalScanner v0.61 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+

[*] INFO mode selected
[*] Opening file .\source\R4PHYGX.doc
[*] Filesize is 196096 (0x2fe00) Bytes
[*] Ms Office OLE2 Compound Format document detected

--------------------------------------
[Scanning for VB-code in R4PHYGX.DOC]
--------------------------------------
Module1
Module2
Module3
Module4
Module5
ThisDocument

-----------------------------------------------------------------------------
VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
The decompressed Macro code was stored here:
------> C:\TempInst\OfficeMalScanner\OfficeMalScanner\R4PHYGX.DOC-Macros
-----------------------------------------------------------------------------

Here is the funny part. For some reason, this document contains no macros. You can see what an actual malicious document returns by reviewing the second sample. So, you can now see why this document is not being flagged by scanners; it isn't malicious at all!
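The "Scanning for VB-code" step above boils down to a structural question: does the OLE2 compound file carry a VBA project at all? Word 97-2003 documents keep it under a "Macros" storage with a "VBA" storage inside (Excel uses "_VBA_PROJECT_CUR/VBA"), so a triage script can answer the question by walking the compound-file directory tree and looking for that storage. The script below is an added example written for this post; it is not OfficeMalScanner's code and it does not reproduce either sample. Both documents it inspects are constructed in memory: a bare .doc skeleton with only a "WordDocument" stream, and the same skeleton with the "Macros/VBA" storages a macro-bearing document would carry. It parses the real CFB header, FAT and directory-entry layouts, so it also works on a .doc read from disk.

```python
"""Minimal OLE2 / Compound File Binary directory walker used to triage a .doc
for a VBA project.  Added example, not OfficeMalScanner's code; the two
documents below are constructed in memory rather than taken from the post."""
import struct

SECTOR = 512                                   # v3 compound files use 512-byte sectors
ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5                # directory entry object types
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # CFB signature


def dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """One 128-byte directory entry: UTF-16LE name, type, tree pointers, empty stream."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return (raw.ljust(64, b"\x00")
            + struct.pack("<HBBIII", len(raw), obj_type, 1, left, right, child)
            + b"\x00" * 16                      # CLSID
            + struct.pack("<I", 0)              # state bits
            + b"\x00" * 16                      # creation / modification time
            + struct.pack("<IQ", 0, 0))         # starting sector, stream size


def build_doc(with_macros):
    """Constructed sample: sector 0 is the FAT, sector 1 the directory."""
    entries = [dir_entry("Root Entry", ROOT, child=1),
               dir_entry("WordDocument", STREAM, right=2 if with_macros else NOSTREAM)]
    if with_macros:                             # Word's layout: Macros storage -> VBA storage
        entries += [dir_entry("Macros", STORAGE, child=3), dir_entry("VBA", STORAGE)]
    directory = b"".join(entries).ljust(SECTOR, b"\x00")
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN).ljust(SECTOR, b"\xFF")  # rest = FREESECT
    header = (MAGIC + b"\x00" * 16                                        # CLSID
              + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6   # versions, shifts
              # dir sectors, FAT sectors, first dir sector, txn sig, mini cutoff,
              # first mini FAT, mini FAT count, first DIFAT, DIFAT count
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + b"\xFF" * (108 * 4))              # DIFAT[0] = sector 0
    return header + fat + directory


def ole_entries(data):
    """Verify the signature, load the FAT via the header DIFAT, and read every
    directory entry in chain order as (name, type, left, right, child)."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat += struct.unpack_from("<%dI" % (sector // 4), data, (s + 1) * sector)
    entries, s = [], first_dir
    while s < 0xFFFFFFFA and s < len(fat):      # stop at ENDOFCHAIN / any special value
        off = (s + 1) * sector
        for i in range(sector // 128):
            e = data[off + i * 128: off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            entries.append((name, obj_type) + struct.unpack_from("<III", e, 68))
        s = fat[s]
    return entries


def walk(entries, idx=0, prefix="", seen=None):
    """Depth-first walk of the directory tree yielding (path, type); the seen
    set stops a crafted file with a sibling/child loop from recursing forever."""
    seen = set() if seen is None else seen
    if idx == NOSTREAM or idx >= len(entries) or idx in seen:
        return
    seen.add(idx)
    name, obj_type, left, right, child = entries[idx]
    if obj_type == 0:                           # unused slot
        return
    path = prefix + name
    if obj_type != ROOT:
        yield path, obj_type
    yield from walk(entries, left, prefix, seen)
    yield from walk(entries, right, prefix, seen)
    yield from walk(entries, child, prefix if obj_type == ROOT else path + "/", seen)


def has_vba_project(data):
    """True when a storage named VBA exists anywhere in the tree."""
    return any(t == STORAGE and p.rsplit("/", 1)[-1].lower() == "vba"
               for p, t in walk(ole_entries(data)))


if __name__ == "__main__":
    for label, doc in (("macro-free .doc", build_doc(False)),
                       ("macro-bearing .doc", build_doc(True))):
        print(label, [p for p, _ in walk(ole_entries(doc))],
              "-> VBA project:", has_vba_project(doc))
```

This is a coarser check than OfficeMalScanner's: it reports that a VBA project storage is present without decompressing the module streams, so a document whose project exists but whose modules are empty still comes back positive. That is the right failure direction for triage, and it is exactly the distinction this sample illustrates: the .DOC above has no project at all, which is why neither tool nor scanner has anything to flag.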

I am not going to state any reasons why this document began circulating the net without being completed, but I can say that whatever the reason, I certainly got a laugh out of it. That, and this seemed as good a time as any to demonstrate two tools that I am growing to love more and more every time I use them: exiftool and OfficeMalScanner.

Cheers!

Want some artifacts? The .ZIP password is prescomm.

p11_artifacts.zip
