Dissecting a Malicious Word Document

In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let’s do a quick analysis of the document…

Here we see the Word document with an embedded object:

2013-04-15_01

Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious.

2013-04-15_02

A little ways down, we can see a NOP sled.

2013-04-15_03

Let’s use OfficeMalScanner to extract the objects and confirm our suspicions.

2013-04-15_04

Looks like we have to use RTFScan instead. RTFScan tells us that there are matching shellcode signatures in the OBJDATA section. Then it dumps a single OLE object and suggests that we run OfficeMalScanner again.

2013-04-15_05

The OLE object is rather small considering the original “file.doc” file is 791KB. Something is wrong. Here’s what the OLE file looks like:

2013-04-15_06

Let’s have a look at the original Word file again. This time we notice the Word file magic, written out as hex characters.

2013-04-15_07

What if we strip away the original RTF headers and make this file look like a Word document? Maybe then OfficeMalScanner can extract the hidden binaries. With a hex editor, we do just that.

2013-04-15_08

Since this is hex, we need to convert it to binary and write it out to a file.

2013-04-15_09

We can open this file called “file.doc_” which has the Word magic at the beginning. Now we copy the rest of the binary code from the original “file.doc” file and paste it to the bottom.

2013-04-15_10

Now let’s run OfficeMalScanner on this modified file using its scan and brute options…and hope this actually works. Great, it does!

2013-04-15_11

OfficeMalScanner finds the XOR key and is able to extract two embedded files.

2013-04-15_12
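The manual steps above (find the hex stream in the RTF, convert it to binary, cut at the Word/OLE magic, then let the brute mode hunt for a XOR key) can be scripted. The following is an added example, not code from this post or from Frank Boldewin’s tools: it carves the first \objdata group of an RTF down to the OLE2 header and then tries every single-byte XOR key looking for an MZ header with its DOS stub text nearby, which is my own simplified stand-in for what OfficeMalScanner’s brute option does. The RTF it runs on is constructed inline, not the real sample.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound document header
DOS_STUB = b"This program cannot be run in DOS mode"


def carve_ole_from_rtf(rtf: bytes) -> bytes:
    """Decode the hex stream of the first \\objdata group and return everything
    from the OLE2 magic onward; the OLE1 wrapper in front of it is dropped."""
    start = rtf.find(b"\\objdata")
    if start == -1:
        raise ValueError("no \\objdata group in RTF")
    start += len(b"\\objdata")
    end = rtf.find(b"}", start)
    hexdata = re.sub(rb"\s", b"", rtf[start:end])  # writers wrap the hex over many lines
    blob = bytes.fromhex(hexdata.decode("ascii"))
    off = blob.find(OLE_MAGIC)
    if off == -1:
        raise ValueError("no OLE2 header inside objdata")
    return blob[off:]


def find_xor_pe(data: bytes, window: int = 0x100):
    """Brute-force single-byte XOR keys and return (key, offset) of the first
    decoded 'MZ' header that has the DOS stub text within `window` bytes."""
    for key in range(256):
        dec = bytes(b ^ key for b in data)
        pos = dec.find(b"MZ")
        while pos != -1:
            if dec.find(DOS_STUB, pos, pos + window) != -1:
                return key, pos
            pos = dec.find(b"MZ", pos + 1)
    return None


def build_sample() -> bytes:
    """Constructed input (not the real sample): RTF whose \\objdata wraps an OLE1
    header, then an OLE2 document carrying a fake PE XOR-encoded with key 0x4B."""
    fake_pe = b"MZ" + b"\x90" * 64 + DOS_STUB
    encoded = bytes(b ^ 0x4B for b in fake_pe)
    ole1 = bytes.fromhex("01050000020000000b000000")  # OLE1 wrapper prefix
    hexstream = (ole1 + OLE_MAGIC + b"\x00" * 32 + encoded).hex().encode()
    lines = b"\r\n".join(hexstream[i:i + 64] for i in range(0, len(hexstream), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata\r\n" + lines + b"\r\n}}}"


if __name__ == "__main__":
    carved = carve_ole_from_rtf(build_sample())
    print("carved OLE2 blob:", len(carved), "bytes")
    print("XOR key / MZ offset:", find_xor_pe(carved))
```

On a real sample, write the carved blob to disk and hand it to OfficeMalScanner as the post does; the XOR search here only confirms that an encoded PE is present and which key was used.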

The first file appears to be a Word document.

2013-04-15_13

And opens in Word with a warning.

2013-04-15_14

The other file is an executable.

2013-04-15_15

You can actually do this the long way and carve the embedded objects out of the Word document manually, but that would take more time than necessary. Thanks to Frank Boldewin’s tool and a little tweaking, we can get the job done fast!

The exploit used is CVE-2012-0158 and seems to have very good coverage on VirusTotal (31 / 46). Here is the tool I used to recreate the malicious Word document. Actually I found two. It would be irresponsible to share these files so don’t bother asking. Sorry!

Filename: Word-2013.1.8.exe
MD5: ea7084ef5faa8c7721ab163cb6cb58d2

2013-04-15_16

Filename: MS10-087.exe
MD5: 2898479123b90278cfc7b30ddd9c4bd6

2013-04-15_17
