Dissecting a Malicious Word Document

In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let's do a quick analysis on the document...

Here we see the Word document with an embedded object:

Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious.

A little ways down, we can see a NOP sled.

Let's use OfficeMalScanner to extract the objects and confirm our suspicions.

Looks like we have to use RTFScan instead. RTFScan tell us that there are matching shellcode signatures in the OBJDATA section. Then it dumps a single OLE object and suggests that we run OfficeMalScanner again.

The OLE object is rather small considering the original "file.doc" file is 791KB. Something is wrong. Here's what the OLE file looks like:

Let's have a look at the original Word file again. This time we notice the magic for Word in hexcode.

What if we strip away the original RTF headers and make this file look like a Word document? Maybe then OfficeMalScanner can extract the hidden binaries. With a hex editor, we do just that.

Since this is hex, we need to convert it to binary and write it out to a file.

We can open this file called "file.doc_" which has the Word magic at the beginning. Now we copy the rest of the binary code from the original "file.doc" file and paste it to the bottom.

Now let's run OfficeMalScanner on this modified file using its scan and brute options...and hope this actually works. Great it does!

OfficeMalScanner finds the XOR key and is able to extract two embedded files.

The first file appears to be a Word document.

And opens in Word with a warning.

The other file is an executable.

You can actually do this the long way and carve out the embedded objects from the Word document manually but this would take more time than what's necessary. Thanks to Frank Boldewin's tool and a little tweaking, we can get the job done fast!

The exploit used is CVE-2012-0158 and seems to have very good coverage on VirusTotal (31 / 46). Here is the tool I used to recreate the malicious Word document. Actually I found two. It would be irresponsible to share these files so don't bother asking. Sorry!

Filename: Word-2013.1.8.exe
MD5: ea7084ef5faa8c7721ab163cb6cb58d2

Filename: MS10-087.exe
MD5: 2898479123b90278cfc7b30ddd9c4bd6

Posted on: 04/15/2013