Lab 10 - Document Malware

In this lab, you will explore malware that is distributed using PDF and Microsoft Office document files.

Deliverables

Upload the following items to the Lab 10 Assignment on Canvas when finished.

  • The PDF file containing the required documentation

Part 1 - PDF Malware #1

Launch your REMnux virtual machine and copy over the 1-xxxx.zip malware. Unzip the malware, and open it using a text editor. (SCiTE works).

Question Answer
What is the object number and version number of the first object to be processed after opening the file?
Tip: Look at the /Root line in the trailer)
What is the complete contents of that object? (from obj to endobj)

Even knowing nothing about PDFs, that object looks suspicious. What is a PDF file doing invoking PowerShell? Dig into the specifics of the command using the documentation on the PDF standard and answer the following questions. In particular, refer to Section 8.5.3 of the specification (“Action Types”).

Question Answer
What does /S /Launch/Win mean?
What does /F (….) mean?
What does /P (….) mean?

Let's explore the details about how PowerShell is being invoked.

Question Answer
What does the -EncodedCommand argument do to PowerShell?
What is the decoded command?
Tip: Use https://www.base64decode.org/ to decode

The base64dump.py utility can be a useful way to extract encoded strings from files, rather than decoding them manually.

Question Answer
Run base64dump.py <file.pdf> to see a summary of all potential encoded strings. What is the output?
Run base64dump.py <file.pdf> -s <stream ID> -S to print the decoded text for a particular stream ID. What is the decoded text?

Part 2 - PDF Malware #2

Launch your REMnux virtual machine and copy over the 2-xxxx.zip malware. Unzip the malware, and use pdfid.py to do a quick “triage” of the PDF file. Usage: pdfid <file.pdf

Question Answer
What object types might be suspicious to a malware analyst, why are they interesting, and how many of each objects were found?

Although opening up a large PDF file in a text editor and scrolling up and down can be fun, there are other tools that will allow you to jump straight to portions of interest in the file. Use pdf-parser.py to search for the objects you previously identified with pdfid.py

Usage: pdf-parser.py <file.pdf> --search <ObjectType>

Question Answer
What is the name of the JavaScript function that the PDF invokes upon opening?
Tip: The name is this.XXXXXX
In what object is this JavaScript function defined?

You can use pdf-parser.py to view particular sections.

Usage: pdf-parser.py <file.pdf> --object <objectNum>

Question Answer
What section does the previous object (that defined the JavaScript function ) reference?
Is there any code in that referenced section, or does it reference yet another section?
What object in the PDF file actually contains JavaScript code?

You can use pdf-parser.py to decode and dump the JavaScript code from a stream.

Usage: pdf-parser.py <file.pdf> --object <objectNum> --filter --raw -d output.txt

  • --raw : Output without escaping special characters
  • -d : Save the output to disk instead of standard output
Question Answer
Provide a piece of the resulting JavaScript code. It’s obfuscated, so I don’t need it all.

We could continue here, but JavaScript deobfuscation is a topic for another time...

Use peepdf.py to parse the file for an alternate view of potentially suspicious sections.

Usage: peepdf.py <options> <file.pdf>

Common options:

  • -f : Force parsing mode (continue even if errors are encountered)
  • -l : Loose parsing mode (report any malformed objects - malware could be abusing the PDF structure)
  • -i : Interactive mode

In interactive mode, you can jump between sections. Try “object 13” or “object 10”. Type “?” for help to see other commands, or “quit” to exit.

Question Answer
What is the output of peepdf.py, under “Objects with JS Code” and “Suspicious Elements”?

Part 3 - MS Office Malware #1

Launch your REMnux virtual machine and copy over the 3-xxxx.zip malware. Unzip the malware, and use olevba.py to examine the file.

Usage: olevba.py <file>

Question Answer
Examine the summary table produced. What IOCs are identified from the VBA code?
Examine the summary table produced. What suspicious keywords are identified from the code?
Locate the AutoOpen() function in the VBA code, which was identified by olevba.py as potentially suspicious. What function does AutoOpen() call?
... And what function does that function call?
.,.. Inspect the code for that function. In a few sentences, what does it accomplish? (Your answer should explain whether this is a dropper or downloader and support that with evidence from the code).

Unzip the Office XML file to view its inner structure and components.

Usage: unzip <file> -d <directory> where file is the Office document and directory is the name of a new directory where you want all of the components to be placed.

Question Answer
Two image files were found in the office document. Copy and past them into your report.

Use oledump.py to obtain a view of the overall structure of the file.

Question Answer
What streams contain Macros? (denoted with the “M” label in the column)
Use oledump.py to obtain the contents of that stream. What is the full command to do so?
Tip: Use the -h argument to access the documentation. -s will specify a stream, and -v will decompress the macro. Note that you need to specify the VBA file inside the .zip archive, not the original .docm file
There’s another HTTP-related string in the macro file. What is it? Tip: Use the strings command with the --encoding=l (lowercase-L) to search for unicode-encoded strings
What might be the significance of this HTTP-related string? (Speculate, there's no particular right answer here)

Part 4 - MS Office Malware #2

Launch your REMnux virtual machine and copy over the 4-xxxx.zip malware. Unzip the malware, and use oledump.py to examine the file.

Question Answer
Locate a section of the file with VBA macros. What is the stream (section) number, size in bytes, and name?
Obtain the contents of that stream. What is the name of the first function that is declared in the VBA macro?
Tip: Look for the Public Function keyword
The function is obfuscated, with names that are random gibberish, unnecessary loops, and extra variables. However, based partially on the name of the function, but more heavily based on the way the function is used, its purpose will become clear. Search the macro (via grep, text editor search, etc…) for invocations of the function. How many times is it used in the macro?

Create a table documenting each invokation of this function. Show the arguments passed to the function, the un-obfuscated value, and the human-readable results that are potential indicators of compromise. Hint: The following two websites may be useful:

Arg1 Arg2 Un-Obfuscated Result Human-Readable Result
Call 1
Call 2
...
...
Call n

Aside from un-obfuscating the contents manually, you could also write a Python program to accomplish it, or use the VBA debugger provided with Microsoft Office to attempt to capture the un-obfuscated data after the macro processes it.