On a pleasant morning I received an email with an doc attachment. The email was not having any text or message. Subject was name of the attachment ‘New Doc 115’. It was my curious mind (place where the cat gets kills inevitably) that I decided to analyse it. The email actually identified it as a spam likely because of the sender or may be the attachment. But why ?
OLE documents with malicious macros are not new and this method is widely used to compromise a host. Once the doc file is accessed the embedded macros are executed (security options always prompts user to enable the macro). Following email is an example of such a social engineering attempted on my mailbox. The analysis conducted to identify indicators of compromise and what was the motive of the document/macros.
Email Header Extract:
Looking at the email header we can see the sender is firstname.lastname@example.org with address 220.127.116.11.
Attachment : New Doc 115.doc
The document has multiple macros. MS Word identifies and also shows security warnings. Once the macros are enabled document will drop malware and infect the host.
Below are the details of the doc file:
|Filename||New Doc 115.doc|
|Size||69632 bytes – 68 Kb|
|Type||Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251|
|Author||1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Feb 10 08:02:00 2016, Last Saved Time/Date: Wed Feb 10 08:02:00 2016|
|Number of Pages||1, Number of Words: 0, Number of Characters: 0, Security: 0|
|External site analysis||Virus Total Link
Static Malware Analysis
This section shows methods for static malware analysis using OfficeMalScanner and Oledump.
To extract malicious macros OfficeMalScanner was used.
Using OfficeMalScanner’s info mode, malicious macros can be extracted.
- Extracted Macros can be viewed in text editor. The macros will give some idea about what macros are written to do.
- Function names within macros are written in Spanish. Further information were identified using Oledump as shown in following screenshot. Macros are stored as streams in the word doc.
- Oledump.py can be used to get required information as shown in the screenshot.
oledump.py pathtofile/New doc 115.doc
oledump.py -s 7 pathtofile/New doc 115.doc . Stream 7 is the embedded object
Stream 14 – Interesting Macro named ‘SamboF’
Main Functions with translation:
- CIF as String
- Fecha as Date – Date as Date
- CuentaPropia2 as String – Own account2 as String
- cadSQL as String – cad SQL instance
- ConceptoTr as String – ConceptTr as String
- Tipo as Byte – Kind as Byte
- SufijoOEM as String – Suffic OEM
The functions is likely looking for the specific attributes in the SQL database or documents holding financial records.
Dynamic Malware Analysis
- Macros were enabled to see how the system behaves and what changes to registry or process are made.
- With windows defender enabled, following signatures were triggered when document was downloaded.
- Ran the macros on Windows VM with no anti-virus or anti-malware. Enabling macros, a file label8.exe under the user Temp directory is created.
- Process Explorer with Virus Total integration was used to identify changes on the system and process which can be checked against Virus Total in real-time but no new process identified besides label8.exe.
- PE explorer and OllyDBG gives error when the file is being accessed syaing its not an EXE
Opening the file in notepad shows HTML response code as shown below :
6. System performance affected drastically where by CPU usage went to 100% as shown in the screenshot below. Ending the exe process, improved the performance and CPU usage went to normal.
7. The interface was being sniffed by the IPS with Emerging Threats Traffic triggered following signatures :
Signature ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016 triggered. Interface shown – Snorby installed on Security Onion.
From the triggered signature we can say the communications was related to Dridex Malware. The malware is designed to steal banking credentials and other personal information of the user such as financial records of the user. Following payload shows the host being communicated – g-t-c.co.uk.
Indicators associated with the malware:
- 11.240.14 – g-t-c-co.uk
- 122. 52.162.226 – 18.104.22.168.pldt.net, Phillipines
From the analysis we can say that users are still being targetted with specific type of malware such as Dridex which is used for stealing banking credentials with intent for fianancial gain. The macros were identified suspicious by Windows Defender and Virus Total and therefore we can say the methods that were used to send the malware is known. Also , the email was actually identified by spam as the sender email was yahoo.co.uk.
Understand the exposure level of a user is high and so is the risk. Besides relying on anti-virus or spam gateway we must make sure users are aware of these techniques and educated with regards to spam and phishing.