Office and OLE File Forensic Analysis Primer – 2

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

This is a continuation of the Office and OLE File Forensic Analysis Primer.

This post covers the first scenario: an Office DOC file carrying a malicious macro.

Scenario 1 DOC File:

MD5: f08f126df999f74c52252aeddad5a9e5

  1. Check out the DOC in a hex editor (keeping track of notable items):
    1. There APPEARS to be a DOCX inside of this file (PK file signature and an XML structure).
      1. Extracting it shows only theme data (the DOC was probably saved with newer Office software). This kind of information is valuable for attribution.
      2. No maliciousness found here.
    2. There appears to be macro information.
  2. Open the file with 7-Zip. NOTE THE MACRO (this is a huge red flag):
    1. When traversing into the Macros folder these entries should appear:
      1. VBA (folder) – this is where the compiled code is stored.
        1. Opening these files with a hex editor will only give (seemingly random) strings from the code.
      2. PROJECT – this contains important metadata about the macro (name, password, etc.).
      3. PROJECTwm – this is also metadata (but less useful).
  3. Get the "RAW CODE" (there are multiple ways to do this):
    1. Use OfficeMalScanner to extract the VBA project (since all the manual analysis points to this macro).
  4. Now we can analyze the raw macro code. Almost all the code is anti-analysis except three things:
    1. In ZACKARY there are wininet.dll calls to InternetOpenA (reversing the code fully would take some time, so look at the next note).
    2. In MICHALE are the ONLY things that are "obfuscated".
    3. In ELDRIDGE there is an XOR call.
      1. Putting each of the strings from MICHALE into a hex editor (as hex) shows "garbage".
      2. Knowing the previous data (XOR call, internet call, obfuscated data), a safe assumption is that one of the strings is a URI.
      3. Knowing the expected plaintext, XOR the obfuscated data with it to recover the XOR key (XOR is its own inverse, so ciphertext XOR known plaintext yields the key bytes covering that span): XOR "KELLEY" with the ASCII string http:// and get the partial XOR key "LEMENTE". Looks familiar?
      4. XOR KELLEY with the repeating XOR key "LEMENTE1FLORENTINO5C" (note the key shift) and suddenly a call-out is obtained (stage 2 payloads are not analyzed).
      5. XOR the other strings and reveal what the executable runs as (host IOCs).
  5. Do a REVIEW (make sure all questions are answered):
    1. Analyzed the embedded DOCX.
    2. Analyzed the VBA and grabbed the call-out (with no other questions asked).
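The hex-editor pass in step 1 and the stream listing in step 2 can be scripted for triage. The Python below is an added example, not code from the original post or from OfficeMalScanner: it checks the OLE magic, locates any embedded PK (ZIP/DOCX) signature and lists that archive's members, and looks for the UTF-16LE storage/stream names 7-Zip showed under Macros (OLE directory entries store names in UTF-16LE). The input is a constructed byte string built by the script, not the sample with the MD5 above; the "Attribut" check is a common remnant of MS-OVBA-compressed module source and is treated here only as a heuristic.

```python
# Added example (not from the original post): byte-level triage of a DOC,
# mirroring the hex-editor and 7-Zip observations above.
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file (OLE2) header
PK_MAGIC = b"PK\x03\x04"                       # ZIP local file header (DOCX/OOXML)
# Storage/stream names 7-Zip shows for a macro-bearing DOC; matched as
# UTF-16LE because OLE directory entries store names that way.
VBA_NAMES = ("Macros", "VBA", "PROJECT", "PROJECTwm", "_VBA_PROJECT", "dir")


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `buf`."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def embedded_zip_members(buf: bytes, offset: int) -> list:
    """Try to open a ZIP that starts at `offset`; [] if it does not parse."""
    try:
        with zipfile.ZipFile(io.BytesIO(buf[offset:])) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return []


def triage(buf: bytes) -> dict:
    """Summarise the notable items an analyst would record in step 1."""
    pk = find_all(buf, PK_MAGIC)
    names = [n for n in VBA_NAMES if n.encode("utf-16-le") in buf]
    return {
        "is_ole": buf.startswith(OLE_MAGIC),
        "pk_offsets": pk,
        "embedded_members": {off: embedded_zip_members(buf, off) for off in pk},
        "vba_names": names,
        # "Attribut" in the clear is the usual leftover of MS-OVBA-compressed
        # module source (heuristic only; the stream names are the stronger signal).
        "compressed_vba_marker": b"Attribut" in buf,
        "likely_macros": "VBA" in names and "PROJECT" in names,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the DOC (hypothetical bytes, not the real sample):
    OLE magic, padding, UTF-16LE directory names, a fragment shaped like a
    compressed VBA module, and an embedded ZIP holding only theme data."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/theme/theme1.xml", "<a:theme/>")
    parts = [OLE_MAGIC, b"\x00" * 504]
    for name in ("Root Entry", "WordDocument", "Macros", "VBA", "PROJECT", "PROJECTwm"):
        parts.append(name.encode("utf-16-le").ljust(64, b"\x00"))
    parts.append(b"Attribut\x00e VB_Nam\x00e = \"Th")   # looks like compressed VBA
    parts.append(zbuf.getvalue())
    return b"".join(parts)


if __name__ == "__main__":
    for k, v in triage(build_constructed_sample()).items():
        print(f"{k}: {v}")
```

Run it against a real file with `triage(open(path, "rb").read())`; a PK signature at offset 0 means the file is itself OOXML, anything later is an embedded archive worth carving out as in step 1.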
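The XOR step in item 4 is a known-plaintext attack on a repeating key, and it generalises: the crib hands back the key bytes it covers, and the "key shift" is simply which index of the key a given string was obfuscated from. The Python below is an added example, not the macro's code or OfficeMalScanner output. The key is the one named in the post; the plaintext URL, the executable name and the obfuscated byte strings are constructed inside the script (hypothetical values, not the sample's), and the macro's variable names are not reused.

```python
# Added example (not from the original post): repeating-key XOR recovery of
# the kind applied to the obfuscated strings above.  KEY is the value the
# post names; every plaintext and ciphertext here is constructed.
KEY = b"LEMENTE1FLORENTINO5C"            # repeating key named in the post
PRINTABLE = set(range(0x20, 0x7F))       # printable ASCII, used to rank decodings


def xor_repeat(data: bytes, key: bytes, shift: int = 0) -> bytes:
    """XOR `data` against `key` repeated, starting at key index `shift`.
    XOR is its own inverse, so the same call obfuscates and deobfuscates."""
    n = len(key)
    return bytes(b ^ key[(i + shift) % n] for i, b in enumerate(data))


def key_under_crib(cipher: bytes, crib: bytes) -> bytes:
    """Known-plaintext step: if the plaintext starts with `crib`, then
    cipher XOR crib is exactly the key material that covered those bytes."""
    return xor_repeat(cipher[: len(crib)], crib)


def candidates(cipher: bytes, key: bytes, prefix: bytes = b"", suffix: bytes = b"") -> list:
    """Try every starting offset into the key (the "key shift") and keep the
    decodings that are fully printable and satisfy the optional cribs."""
    found = []
    for shift in range(len(key)):
        plain = xor_repeat(cipher, key, shift)
        if (all(c in PRINTABLE for c in plain)
                and plain.startswith(prefix) and plain.endswith(suffix)):
            found.append((shift, plain))
    return found


def decode(cipher: bytes, key: bytes, prefix: bytes = b"", suffix: bytes = b""):
    """Return the single (shift, plaintext) that fits, or None if ambiguous."""
    hits = candidates(cipher, key, prefix, suffix)
    return hits[0] if len(hits) == 1 else None


# Constructed sample strings (hypothetical, not the real sample's values).
URL = b"http://example.invalid/stage2.exe"
EXE = b"svchost32.exe"
OBF_URL = xor_repeat(URL, KEY)            # keyed from key index 0
OBF_EXE = xor_repeat(EXE, KEY, shift=7)   # keyed from index 7: the "key shift"

if __name__ == "__main__":
    print("key bytes under http:// :", key_under_crib(OBF_URL, b"http://"))
    print("call-out                :", decode(OBF_URL, KEY, prefix=b"http://"))
    print("dropped executable      :", decode(OBF_EXE, KEY, suffix=b".exe"))
```

With the crib `http://` the recovered key bytes are `LEMENTE`, the same prefix the post spotted in the full key; once the full key is known, the other strings are decoded by trying each shift and keeping the readable result (here the `.exe` suffix pins the shift to 7). If several shifts give printable output, `decode` returns None and the analyst chooses by hand.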

To Be Continued…

The next post in this series will cover the second scenario (XLS file).
