Can Document Files Be Trusted?

Author

Uriel Kosayev
Uriel Kosayev is a cybersecurity researcher, reverse engineer, and author of MAoS and Antivirus Bypass Techniques. He’s led real-world red team ops, malware investigations, and incident response cases. As the founder of TrainSec Academy, he teaches professionals to think like attackers and defend with precision. His training is practical, focused, and based on real threats — not theory.

How a Document File Can Compromise Your Organization

There are many threats in today’s cyber landscape, but one of the biggest is a rogue email carrying a malicious document attachment. Most people fall into such traps because of a lack of awareness and the absence of proper email protection.


Several file formats can be weaponized as the first stage of an attack and infiltrate the organization through email. In many cases the weaponized file is a doc, docx, docm, xls, or xlsm file. In this article we explain what a downloader is and what macros (specifically VBA macros) are, and then present an investigation of a malicious MS Word file to strengthen understanding and awareness of such threats.

Prologue – Macros as a Malicious Service

Macros are a way of automating tasks such as data calculations, data formatting, and much more. Looks very legit, right? Not so fast. In reality, an attacker can abuse macros to execute system commands, download malicious files, and even deobfuscate their own code at runtime. When we refer to macros in the Microsoft Office suite (e.g., Word, Excel), we mean VBA-based macros. Let us dissect a downloader.


What is a Downloader

In practical and simple language, a downloader is a file that is executed first on a target (victim) system, usually with the interaction of the user, and that then downloads and executes the next stages of the malware. Good examples of malware that relies on this attack vector are banking trojans such as Emotet and Ursnif. Such malware does not exploit the email vector alone, but for the sake of this article we will stick to email.


Brief Technical Analysis

We decided to do a brief analysis of a simple downloader that we found on VirusTotal. Let’s start with basic threat intelligence.

Below, you can see the high detection rate of our specimen, named DDqFM.docm:

[Screenshot: VirusTotal detection results for DDqFM.docm]

And an interesting domain name, xfl.mooo.com, which we will try to cross-reference against the VBA code of the malicious Word document:

[Screenshot: VirusTotal relations showing the domain xfl.mooo.com]

With a simple WHOIS lookup we can see that the attackers who crafted this malicious document used a free Dynamic DNS service, afraid.org (a funny name for such a service). Below is a screenshot of the Dynamic DNS service provider:

[Screenshot: afraid.org Dynamic DNS service page]

Enough with threat intelligence, let’s dig into the file.

First of all, we’re going to validate the file based on its file format magic value:

[Hex dump: file header of DDqFM.docm beginning with the PK magic bytes]

As we can see, the file header starts with the magic value PK (bytes 0x50 0x4B 0x03 0x04, the ZIP local file header signature), which indicates that the specimen is a ZIP-based (compressed) Word document, in this case a docm file.

Furthermore, when we open the file with a ZIP-capable archiver such as 7-Zip, we can view its inner structure. Below we can see two parts that indicate the use of VBA macros, vbaProject.bin and vbaData.xml:

[Screenshot: 7-Zip view of the archive showing vbaProject.bin and vbaData.xml]
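To make the two checks above repeatable (PK magic first, then the vbaProject.bin / vbaData.xml parts inside the archive), here is an added Python triage script. It is not from the article; it builds its own constructed stand-in archive rather than using the real DDqFM.docm, and it also verifies that vbaProject.bin carries the OLE compound-file header that oledump.py expects.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature, as seen in the hex dump
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header used by vbaProject.bin
MACRO_PARTS = ("vbaProject.bin", "vbaData.xml")


def triage_office_zip(data: bytes) -> dict:
    """Report whether `data` is a ZIP-based Office file and whether it carries VBA parts."""
    report = {"is_zip": data[:4] == ZIP_MAGIC, "entries": [],
              "vba_parts": [], "vba_is_ole": None, "has_macros": False}
    if not report["is_zip"]:
        return report  # legacy OLE .doc or something else entirely; not handled here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["entries"] = zf.namelist()
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in MACRO_PARTS:
                report["vba_parts"].append(name)
            if name.endswith("vbaProject.bin"):
                # vbaProject.bin is itself an OLE container; check its header too
                report["vba_is_ole"] = zf.read(name)[:8] == OLE_MAGIC
    report["has_macros"] = any(n.endswith("vbaProject.bin") for n in report["vba_parts"])
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docm/.docx: minimal parts only, not a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # fake OLE header only
            zf.writestr("word/vbaData.xml", "<wne:vbaSuppData/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        r = triage_office_zip(build_sample(flag))
        print("macros" if r["has_macros"] else "no macros", r["vba_parts"])
```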

At this point we extract the relevant malicious VBA code. First we need the index of the streams that hold it, so that we can dump and analyze them. Below we use oledump.py to list the stream index:

[Screenshot: oledump.py stream index listing]

Here we can notice that streams A3 and A4 are marked with the ‘M’ flag, indicating VBA macro code; that code is executed when the victim double-clicks the document file and macros are allowed to run.


Next, we dump the A3 and A4 data streams as can be seen below:

[Screenshot: dumping streams A3 and A4 with oledump.py]

Now that we have two files, we will analyze A3.bin, because it holds the downloader’s main malicious functionality.

Below is a subroutine that tries to stop MS Word from warning about the use of macro code. It does so by manipulating two registry values, one for Excel and the other for Word:

[Screenshot: VBA subroutine writing the two macro security registry values]

Then there is a call to a subroutine named MPS. Below is a screenshot of the MPS subroutine:

[Screenshot: the MPS subroutine]

The above subroutine attempts to execute the next stage of the malware, which we will not discuss for the sake of this article. If that file does not yet exist under the expected download path (%temp%), the downloader fetches the next-stage file, named “cache1.exe”, by calling another subroutine named FDW. Below is a screenshot of the FDW subroutine:

[Screenshot: the FDW subroutine]

The subroutine attempts to download the next stage of the attack, the “cache1.exe” executable, with a simple HTTP GET request to the hxxp://xfl.mooo.com domain and save it under the %temp% path.
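Turning the three behaviours described above into detection logic, as an added example that is not part of the article: an Office process writing a macro security registry value, resolving a dynamic-DNS host, and dropping an .exe into %temp%. It runs over constructed Sysmon-style events; the VBAWarnings value name is assumed (the article does not name the two registry values the sample writes), while the mooo.com suffix and cache1.exe come from the analysis above.

```python
import re

OFFICE_PROCS = {"winword.exe", "excel.exe"}
# VBAWarnings is the well-known Office value that controls macro warnings (1 = enable all).
# Assumed here; the article does not name the two values the sample writes.
MACRO_SECURITY_RE = re.compile(r"\\Office\\[\d.]+\\(Word|Excel)\\Security\\VBAWarnings$", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
DYNDNS_SUFFIXES = (".mooo.com",)  # afraid.org zone used by the sample; extend with your own list

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed Sysmon-like events, not real telemetry
    {"event": "registry_set", "pid": 4120, "image": WINWORD,
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", "details": "DWORD (0x1)"},
    {"event": "registry_set", "pid": 4120, "image": WINWORD,
     "target": r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", "details": "DWORD (0x1)"},
    {"event": "dns_query", "pid": 4120, "image": WINWORD, "query": "xfl.mooo.com"},
    {"event": "file_create", "pid": 4120, "image": WINWORD,
     "target": r"C:\Users\bob\AppData\Local\Temp\cache1.exe"},
    {"event": "file_create", "pid": 988, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Downloads\report.docx"},  # benign: not an Office process
]


def process_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, artefact) tuples for events matching the downloader's behaviours."""
    findings = []
    for e in events:
        if process_name(e.get("image", "")) not in OFFICE_PROCS:
            continue  # all three rules key on an Office process being the actor
        kind = e["event"]
        if kind == "registry_set" and MACRO_SECURITY_RE.search(e["target"]):
            findings.append(("macro_security_tamper", e["pid"], e["target"]))
        elif kind == "file_create" and TEMP_EXE_RE.search(e["target"]):
            findings.append(("office_writes_exe_to_temp", e["pid"], e["target"]))
        elif kind == "dns_query" and e["query"].lower().endswith(DYNDNS_SUFFIXES):
            findings.append(("office_dyndns_lookup", e["pid"], e["query"]))
    return findings


def pids_with_chain(findings, minimum=2):
    """PIDs hitting at least `minimum` distinct rules: one hit is noisy, the chain is not."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= minimum)
```

Running `pids_with_chain(detect(SAMPLE_EVENTS))` on the constructed events returns the single Word process that performed all three behaviours, while the explorer.exe file write is ignored.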

Epilogue – This is Not The End

In this article we briefly explained and analyzed a malicious VBA macro-based downloader. As we have seen, such malicious payloads mainly infiltrate organizations through email. We recommend that you test your organization against such attacks.
