Cyber Security Specialist Zoziel Pinto Freire shows an example of malicious file analysis presented during his lecture on BSides-Vitória 2022.
My objective with this series of articles is to show examples of malicious file analysis that I presented during my lecture on BSides-Vitória 2022.
For this first one, I’ll briefly introduce some crucial topics to ease the understanding of the analysis process.
What’re malicious files?
- Files that contains in their internal structure malicious actions that could compromise an environment, account, workstation, server, or user will receive the file.
Some files are more used in attacks
Microsoft Office Documents
- DOC, DOCX, XLS, XLSX, XLSM
Microsoft Office Documents
- From a security point of view files of the types DOC, DOCX, XLS, XLSX, and XLSM, have a common issue, they can contain macros which are embedded scripts that are executed inside the file.
- Often instead of very malicious links, and induce the user to click on something.
Static Analysis x Dynamic Analysis
- Static analysis is done without the execution or opening the file/code.
- Dynamic analysis is done during the execution or opening the file/code.
- PEframe is an open source tool to perform static analysis of malware executables and malicious MS Office documents.
- Example: peframe file_name
- PdfParser, a standalone PHP library, provides various tools to extract data from a PDF file.
- Example: python2.7 pdf-parser.py file_name
- peepdf is a Python tool to explore PDF files to find out if the file can be harmful or not.
- Example: python2.7 peepdf.py file_name
- oletools – python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics, and debugging.
- olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing, and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc).
- Example: olevba file_name
- oleobj is a Python script and module to parse OLE objects and files stored into various MS Office file formats (doc, xls, ppt, docx, xlsx, pptx, etc)
- Example: oleobj file_name
- ExifTool is a platform-independent Perl library plus a command-line application for reading, writing, and editing meta information in a wide variety of files.
- Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
urlscan.io – Website scanner for suspicious and malicious URLs.
MxToolbox supports global Internet operations by providing free, fast, and accurate network diagnostic and lookup tools. Millions of technology professionals use our tools to help diagnose and resolve a wide range of infrastructure issues.
Example 01 – Static Analysis
Note: All tests were executed in a virtual machine with Linux operating system.
Here I’m going to show in practice how we can use some of the tools above to analyze a malicious file.
We start with ExifTool to try to gather information through metadata.
- In the figure above we can identify the name of who made the last modification of the file. (possible attacker name).
- An alleged creator name (username used to create the file).
- In the title, it is possible to identify something as if it were the execution of a file or command, but written in reverse.
When I use the rev command to reverse the output of the ExifTool command it is possible to better understand the line, as shown below.
Using the olevba it’s possible to identify malicious macros and their possible actions.
- May open a file
- May write to a file (if combined with Open)
- May run an executable file or a system command
- May call a DLL using Excel 4 Macros (XLM/XLF)
- May create an OLE object
- May attempt to obfuscate specific strings
- May run an executable file or a system command using Excel 4 Macros (XLM/XLF)
- Base64-encoded strings were detected, which may be to obfuscate strings
Using the PEframe it’s possible to get a similar result but without the suspicious points shown by olevba.
Now performing dynamic analysis, I opened the file using the LibreOffice package, and the same generated an alert that the macros can contain viruses.
The content of the file induces the user to enable the “enable edition” option.
To according shown above, with some small steps was possible to perform an analysis and have a conclusion that the file is malicious.
See you in the next analysis ?
About the author: Zoziel Pinto Freire
Cyber Security Specialist | Forensic Expert | Threat Hunter | BlueTeam | RedTeam | Pentester | Assessment
(SecurityAffairs – hacking, Malicious file analysis)