Malicious file analysis - Example 01

My objective with this series of articles is to show an analysis of examples of malicious files that I presented during my lecture on BSides-Vitória 2022. For this first one, I'll briefly introduce some crucial topics to ease the understanding of the analysis process.

What're malicious files?

• Files that contains in their internal structure malicious actions that could compromise an environment, account, workstation, server, or user will receive the file.

Some files are more used in attacks

Compressed files

• ZIP, RAR e 7z

Microsoft Office Documents

• DOC, DOCX, XLS, XLSX, XLSM

PDF files

Microsoft Office Documents

• From a security point of view files of the types DOC, DOCX, XLS, XLSX, and XLSM, have a common issue, they can contain macros which are embedded scripts that are executed inside the file.

PDF Files

• PDF files can be used to execute JavaScript, download files, access URLs, and execute commands.
• Often instead of very malicious links, and induce the user to click on something.

Static Analysis x Dynamic Analysis

• Static analysis is done without the execution or opening the file/code.
• Dynamic analysis is done during the execution or opening the file/code.

Tools

• Peframe
• Pdf-parser
• Peepdf
• Oletools
• ExifTool
• Wireshark
• https://urlscan.io
• https://mxtoolbox.com

Peframe

• PEframe is an open source tool to perform static analysis of malware executables and malicious MS Office documents.?
• Example: peframe file_name

Pdf-parser

• PdfParser, a standalone PHP library, provides various tools to extract data from a PDF file.
• Example: python2.7 pdf-parser.py file_name

Peepdf

• peepdf is a Python tool to explore PDF files to find out if the file can be harmful or not.
• Example: python2.7 peepdf.py file_name

Oletools

• oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics, and debugging.
• olevba?is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing, and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc).
• Example: olevba file_name
• oleobj?is a Python script and module to parse OLE objects and files stored into various MS Office file formats (doc, xls, ppt, docx, xlsx, pptx, etc)
• Example: oleobj file_name

ExifTool

• ExifTool is a platform-independent Perl library plus a command-line application for reading, writing, and editing meta information in a wide variety of files.

Wireshark

• Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.

URLscan

urlscan.io - Website scanner for suspicious and malicious URLs.

MXtoolBox

MxToolbox supports global Internet operations by providing free, fast, and accurate network diagnostic and lookup tools. Millions of technology professionals use our tools to help diagnose and resolve a wide range of infrastructure issues.

Example 01 - Static Analysis

Note: All tests were executed in a virtual machine with Linux operating system.

Here I'm going to show in practice how we can use some of the tools above to analyze a malicious file.

We start with ExifTool to try to gather information through metadata.

Attention points:

• In the figure above we can identify the name of who made the last modification of the file. (possible attacker name).
• An alleged creator name (username used to create the file).
• In the title, it is possible to identify something as if it were the execution of a file or command, but written in reverse.

When I use the rev command to reverse the output of the ExifTool command it is possible to better understand the line, as shown below.

Using the olevba it's possible to identify malicious macros and their possible actions.

Attention point:

• May open a file
• May write to a file (if combined with Open)
• May run an executable file or a system command
• May call a DLL using Excel 4 Macros (XLM/XLF)
• May create an OLE object
• May attempt to obfuscate specific strings
• May run an executable file or a system command using Excel 4 Macros (XLM/XLF)
• Base64-encoded strings were detected, which may be to obfuscate strings

Using the PEframe it's possible to get a similar result but without the suspicious points shown by olevba.

Now performing dynamic analysis, I opened the file using the LibreOffice package, and the same generated an alert that the macros can contain viruses.

The content of the file induces the user to enable the "enable edition" option.

To according shown above, with some small steps was possible to perform an analysis and have a conclusion that the file is malicious.

See you in the next analysis :)