DEV Community

Milah
WiCyS Cyber Defense Tier 1 Challenge

WiCyS Target Cyber Defense Challenge - Tier 1

For this CTF, we were provided a quick description of an emerging APT and a suspicious file that was sent via a phishing email.

Malicious document analysis, aka Maldoc Analysis, is a fun and common challenge that one would see in CTFs and in jobs. These documents contain embedded code that launch some sort of malware when the user unknowingly opens it. The information in this post is sourced directly from my submission.

Initial Static Analysis

Static analysis is the "entry point" for further deep analysis. First, I saved the provided file (invoice-02-01-2022.xls) to my Ubuntu machine, where I also installed RemNux.

My first analysis begins with inspecting the document in an Ubuntu VM (Virtual Machine) using LibreOffice Calc. All macros were disabled beforehand. Upon opening the invoice, we see a PNG image prompting us to enable macros to view the content. This is a technique adversaries use to trick unsuspecting victims into launching malicious code.


Next, I inspected the content of the worksheet itself. Attackers will hide commands, triggers, worksheets, and other data inside cells. Obscured information is revealed by selecting the entire workbook with Ctrl+A and then right-clicking to Format Cells. The font color was white, so I changed it to black, though there was no hidden data. I noticed a saved name in the document (SP1) that points to HQ15, but there is no data hidden within that cell either.


Virus Total Analysis

Before diving further into the document, it’s helpful to get a general idea of what other tools see. Virus Total is a website that compares samples against multiple vendors’ antivirus engines.

The SHA256 hash of Invoice-02-01-2022.xls was generated on the command line.


Inputting this hash into Virus Total’s search shows that multiple security vendors flagged this file as malicious. The scan also tells us that this file contacts multiple domains and IP addresses, changes registry keys, and performs several process and service actions. This supporting evidence shows that the document is worth investigating further.


oleid Analysis

“oleid” is a script that analyzes OLE files, typically to detect embedded content such as VBA macros. Running it on this document reveals that it contains macros.


olevba Analysis

Next, I used “olevba” to parse the OLE file, detect the VBA macros, extract the code, and view potential IOCs. Figure 5 shows the code in plain text, which can also be viewed in LibreOffice Calc. There are functions that call suspicious processes and a variable with a nonsensical name holding a large array. Note that the code originates from Module1 within the workbook.

The AutoExec and Suspicious keyword types are indications that something malicious is happening within the document.
AutoExec keywords trigger code to run whenever the user opens the document and could launch other malicious processes. The Lib keyword tells us that the macro declares functions from a DLL, which can be used to inject shellcode into another process. This is continued by CreateThread, VirtualAlloc, and RtlMoveMemory. While declaring external DLL functions is a native VBA feature, attackers can easily use it for nefarious purposes.
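As an added example (not code from the writeup or from oletools), here is a small Python triage routine that looks for the same signals olevba reported: AutoExec entry points, Declare ... Lib imports from DLLs, and the suspicious API names discussed above. SAMPLE_VBA is a constructed fragment modelled on those patterns, and the keyword sets are my own assumptions, not olevba's lists.

```python
import re

# Constructed sample of VBA source modelled on the patterns olevba flags on this
# document (AutoOpen entry point, Declare ... Lib imports, decimal array).
# It is NOT the macro from the challenge file.
SAMPLE_VBA = '''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr, ByVal b As Long, ByVal c As Long, ByVal d As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal a As LongPtr, ByVal b As Long, ByVal c As LongPtr, d As Long, ByVal e As Long, f As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal dst As LongPtr, ByRef src As Any, ByVal sz As Long)
Sub AutoOpen()
    Dim Dmitri As Variant
    Dmitri = Array(114, 117, 110, 100, 108, 108, 51, 50)
    Call Workbook_Open
End Sub
'''

# Assumed keyword lists (a subset of what olevba knows), compared case-insensitively.
AUTOEXEC = {"autoopen", "auto_open", "workbook_open", "document_open", "autoexec"}
SUSPICIOUS_APIS = {"virtualalloc", "createthread", "rtlmovememory",
                   "writeprocessmemory", "shell", "createobject"}

def triage_vba(src: str) -> dict:
    """Return AutoExec procedures, Declare'd DLL imports and suspicious API names in VBA source."""
    findings = {"autoexec": [], "declares": [], "suspicious": []}
    # Procedure definitions at the start of a line: Sub/Function <name>
    for m in re.finditer(r'^\s*(?:Public|Private)?\s*(?:Sub|Function)\s+(\w+)', src, re.I | re.M):
        if m.group(1).lower() in AUTOEXEC:
            findings["autoexec"].append(m.group(1))
    # Declare [PtrSafe] Sub|Function <name> Lib "<dll>": external code the macro can call
    for m in re.finditer(r'Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)\s+Lib\s+"([^"]+)"', src, re.I):
        findings["declares"].append((m.group(1), m.group(2)))
    # Any identifier matching a known-suspicious API name, reported once each
    for name in set(re.findall(r'\b\w+\b', src)):
        if name.lower() in SUSPICIOUS_APIS:
            findings["suspicious"].append(name)
    findings["suspicious"].sort()
    return findings

if __name__ == "__main__":
    for kind, hits in triage_vba(SAMPLE_VBA).items():
        print(f"{kind}: {hits}")
```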


oledump.py Analysis

“oledump.py” is another OLE analysis tool that displays more information about the VBA macros. It confirms that the workbook contains code. The stream we’re looking for is Module1, because it is the largest in the listing.
oledump.py -p plugin_biff --pluginoptions "-x" invoice-02-01-2022.xls


ViperMonkey Analysis

While olevba is powerful, it can’t emulate code the way ViperMonkey can. This tool parses the VBA grammar, builds a model of the code logic, traces execution, and extracts interesting or suspicious actions.
ViperMonkey analyzes the document and displays a large table of actions, parameters and descriptions. First, it found the same entry point, AutoOpen (AutoExec). Next, there’s a list of external calls to RtlMoveMemory. I can theorize that the macro iterates through the array I saw earlier and uses RtlMoveMemory to copy the shellcode into memory. This is a classic adversary tactic that obfuscates the code even further.


CyberChef Analysis

After the analysis with oletools and other programs, I shifted focus to CyberChef. This resource is often referred to as the “Swiss Army Knife” of security tools and can confirm and expand upon the current findings.

Strings

Strings is a useful operation that finds embedded text within files. This is a good starting point for finding specific or unusual words.
Immediately there are recognizable words: Dmitri, Array, processes, etc. The array could be iterated through by RtlMoveMemory, CreateThread, and VirtualAlloc. It’s also worth noting that the VBA code has several nonsensical variable names. These are used to fool analyzers and make the code harder to read (shown below).


Scan for Embedded Files

It’s helpful to scan for embedded files when investigating malicious documents. Sometimes they hide embedded files such as images, executables, or other file types. In this case, CyberChef didn’t detect any concrete signs of embedded files within the document; however, there are some interesting findings. Most notably there is Zlib Deflate, which could be a sign of compressed data.


By default, an XML file created with Microsoft Office will have the timestamp 1980-01-01 00:00:00. Because this date is neither changed nor encrypted, we can conclude that this Excel document has not been altered with a ZIP tool after it was saved with Office. However, this does not mean that files can’t be dropped from elsewhere in the code.


Array Analysis

Earlier in the investigation, there was a large array in the VBA code filled with seemingly random numbers. Thankfully, I can convert from decimal to ASCII using CyberChef.
Below are the highlighted strings of interest. Rundll32.exe can be used to launch a DLL and invoke its functions, a technique associated with process injection and thread hijacking. The file metal.exe is new, followed by Chrome.exe and “shinyobjects.birds”. We can guess that this array launches Chrome, requests the URL “shinyobjects.birds”, and pulls down metal.exe to try to execute a malicious file.
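The decimal-to-ASCII step above, as an added Python example that is not part of the writeup: it pulls every Array(...) of byte-sized decimals out of VBA source, converts it to bytes, and runs a Strings-style scan over the result, which is what the CyberChef "From Decimal" plus "Strings" recipe does. SAMPLE_VBA is constructed from the strings the writeup highlights, padded with non-printable filler; it is not the challenge's array.

```python
import re

def _encode(parts):
    """Build a comma-separated decimal list from strings, with non-printable filler between them."""
    buf = bytearray()
    for p in parts:
        buf += p.encode() + b"\x00\x90\x90"  # filler: real arrays carry non-printable shellcode bytes
    return ", ".join(str(b) for b in buf)

# Constructed VBA fragment (not the macro from the challenge), using the strings
# highlighted in the writeup so the decoded output is recognisable.
SAMPLE_VBA = "Dmitri = Array(" + _encode(
    ["rundll32.exe", "metal.exe", "chrome.exe", "shinyobjects.birds"]) + ")"

def extract_decimal_arrays(src: str) -> list:
    """Find every Array( n, n, ... ) literal of decimals in VBA source and return each as bytes.
    Arrays containing a value outside 0..255 are skipped: they cannot be a byte buffer."""
    out = []
    # VBA line continuations (" _" + newline) are allowed inside the literal
    for m in re.finditer(r'Array\s*\(([\d\s,_\r\n]+)\)', src):
        nums = [int(n) for n in re.findall(r'\d+', m.group(1))]
        if nums and all(0 <= n <= 255 for n in nums):
            out.append(bytes(nums))
    return out

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of the Strings operation: runs of printable ASCII of at least min_len bytes."""
    return [s.decode() for s in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, data)]

def decode_array_strings(src: str) -> list:
    """Decimal array -> bytes -> printable strings, for every array in the source."""
    strings = []
    for blob in extract_decimal_arrays(src):
        strings.extend(printable_strings(blob))
    return strings

if __name__ == "__main__":
    for s in decode_array_strings(SAMPLE_VBA):
        print(s)
```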


Curl shows the domain is not sending a response and could not be resolved. Many attackers abuse temporary domains to distribute malware.


Process Graph


Conclusion

While I skipped some parts, such as my Executive Summary writeup and IOCs pertaining to the challenge, I felt that overall I had a positive experience and learned a few new tricks. I was not very confident with many of the tools provided (though, I knew what they were), but now I feel further equipped to tackle other maldocs!
