Analyzing Documents for Insights into Malicious Macros

Recently read an interesting piece asking the question why so many attacks/compromise analysis papers/articles only focus on the malware and not the dropper/document which is often (and increasingly so) the method of initial compromise (from either an infected web page or attachment). The author (Harlan Carvey) points out that understanding the way in which a document is used (via macros) to infect a target machine gives the defenders lots of useful insight and threat data which can be used to thwart future (or on-going) attacks.

“In the output we see what appear to be 2 base64-encoded Powershell commands, one that downloads PupyRAT to the system, and another that appears to be shell code.  Copying and decoding both of the streams gives us the command that downloads PupyRAT, as well as a second command that appears to be some form of shell code.  Some of the variable names ($Qsc, $zw5) appear to be unique, so searching for those via Google leads us to this Hybrid-Analysis write-up, which provides some insight into what the shell code may do.”

See here for a great write up and deconstruction of one such document:

“Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.”



Reverse engineering DUBNIUM (Microsoft Malware Protection Center)

“In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. They are observed to mainly rely on an .LNK file that has an icon that looks like a Microsoft Word file. If the victim clicks the file thinking it’s a Microsoft Office Word file, it downloads a simple dropper that will download and execute next stage binary – which in this case, has the file name of kernelol21.exe.”

Source: Reverse engineering DUBNIUM –Stage 2 payload analysis – Microsoft Malware Protection Center