Today we will see how we can analyze an infected Word file.

A Word file can be infected in multiple ways, some more interesting and complex than others.

A few days ago I received a scam email that looked close to a legitimate one, with a nice-looking Word document attached. I was curious what was inside, so let's begin with what I did and, more importantly, how I did it.

The first step was to check the file type and list the contents of the Word file. Despite the .doc extension, file identifies it as Word 2007+ (Office Open XML), which is in essence a ZIP archive like the other modern Office formats; a real legacy .doc would be an OLE2 compound file and unzip would not open it.

# file Invoice.doc
Invoice.doc: Microsoft Word 2007+

# unzip -l Invoice.doc 
Archive:  Invoice.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     2088  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1602  01-01-1980 00:00   word/_rels/document.xml.rels
     3711  01-01-1980 00:00   word/document.xml
     1525  01-01-1980 00:00   word/footer1.xml
     1568  01-01-1980 00:00   word/endnotes.xml
     1574  01-01-1980 00:00   word/footnotes.xml
    10240  01-01-1980 00:00   word/vbaProject.bin
     6804  01-01-1980 00:00   word/theme/theme1.xml
      277  01-01-1980 00:00   word/_rels/vbaProject.bin.rels
     2651  01-01-1980 00:00   word/settings.xml
     1358  01-01-1980 00:00   word/vbaData.xml
    17578  01-01-1980 00:00   word/styles.xml
     3256  01-01-1980 00:00   word/numbering.xml
     1486  01-01-1980 00:00   word/fontTable.xml
      740  01-01-1980 00:00   docProps/core.xml
      428  01-01-1980 00:00   word/webSettings.xml
    18331  01-01-1980 00:00   word/stylesWithEffects.xml
      987  01-01-1980 00:00   docProps/app.xml
---------                     -------
    76794                     19 files

Looking at this listing, the abnormal entry is word/vbaProject.bin (with word/vbaData.xml and word/_rels/vbaProject.bin.rels alongside it), which is the embedded VBA project: the document carries macros. A plain .docx is not supposed to contain one (the macro-enabled variant is .docm), and Word goes by the extension here: it refuses to run macros from a file named .docx but will from .doc or .docm, which is one reason attackers ship macro documents under the old extension.

Let’s see what’s with this file and what it can do.

# strings -a word/vbaProject.bin
ShellExecuteA
......
http://xxx.xxx.xxx.xxx:81/fun.exe
......
shell32.dll+
......
Document_Open

These strings suggest that the document's Document_Open macro (an auto-executing procedure that runs as soon as the document is opened with macros enabled) uses ShellExecuteA from shell32.dll to fetch and launch http://xxx.xxx.xxx.xxx:81/fun.exe. Keep in mind that strings only shows what happens to be stored in clear: the VBA source inside vbaProject.bin is compressed, so the full macro is better recovered with a decompressing tool such as olevba from oletools. Let's download this file (from the analysis box, not a production machine) to see what's there.

# wget http://xxx.xxx.xxx.xxx:81/fun.exe

I started thinking that if this file is malicious it may use techniques to detect sandboxes, so I decided to do everything by hand.

I built a disposable Windows VM to have all the fun in, and started a packet capture on its interface.

# tcpdump -nnvvXSs 1514 -i vmbr0 -w /tmp/malware/network.pcap

After executing it I dumped the VM's RAM and then copied the dump into a tmpfs on my machine (that is, into memory) to make analysis faster.

# VBoxManage debugvm Win dumpguestcore --filename /tmp/malware/win.dmp
# mount -t tmpfs -o size=2600m tmpfs /tmp/malware/memory/
# volatility imagecopy --filename /tmp/malware/win.dmp -O /tmp/malware/memory/win-raw.dmp

In the next step I checked the running processes.

# volatility --filename /tmp/malware/memory/win-raw.dmp --profile Win7SP1x64 psxview

Now I was surprised, because there was no trace of the abnormal process in the psxview output (a dropper that has already exited, or that runs its payload inside another process, leaves no process of its own to list). That's fine for now, because I had used Process Hacker on that machine and there was a process named lf.exe which is not a normal one.

With this I searched the original executable for some strings (paths) that I could then look for in memory.

# strings -a -td /tmp/malware/fun.exe > /tmp/malware/fun-strings.txt
# strings -a -td -el /tmp/malware/fun.exe >> /tmp/malware/fun-strings.txt

During this phase I noticed some paths like:

# cat /tmp/malware/fun-strings.txt
......
C:\Dachshunds4\Urged7\Vasoganglion0\VB6.OLB
C:\Dachshunds4\Urged7\Vasoganglion0\MSCOMCTL.oca
......

Using these strings, I turned to the strings plugin of Volatility to find which processes hold them in memory. The plugin needs a file of offset:string pairs, so first I ran strings with decimal offsets (-td) over the raw dump:

# strings -a -td /tmp/malware/memory/win-raw.dmp > /tmp/malware/win-strings.txt
# strings -a -td -el /tmp/malware/memory/win-raw.dmp >> /tmp/malware/win-strings.txt

Searching this file for those strings, I got something interesting, and the sed reformats the matching lines into the offset:string form the plugin expects.

# grep "Dachshunds4" /tmp/malware/win-strings.txt | sed 's/\([0-9]\+\)\s\(.*\)/\1:\2/g' > /tmp/malware/strings-search.txt

Now let's search the memory dump for these strings:

# volatility --filename /tmp/malware/memory/win-raw.dmp --profile Win7SP1x64 strings -s /tmp/malware/strings-search.txt

There are some references to those strings in Microsoft Word and in the kernel. This means the malware didn't just disappear, but rather than carving it out of the memory image it is easier to dump the lf.exe process from inside the VM with Process Hacker and look at the strings of that dump.

# strings -a -td /tmp/malware/lf.exe.dmp > /tmp/malware/lf-strings.txt
# strings -a -td -el /tmp/malware/lf.exe.dmp >> /tmp/malware/lf-strings.txt

In this output we can see the magic. The malware uses anti-analysis techniques (there was a reference to the function wine_get_unix_file_name, which only exists in Wine's kernel32, so resolving it is a cheap way to detect that the sample is running under Wine rather than real Windows), and it wanted to send all the passwords saved for my email accounts and web browsers to the attacker's server.
