I always worked for the red team but as I was going through my spam folder this morning I decided I’d give a try at analyzing malicious attachments. I also secretly always wanted to check out Didier Stevens’ oledump tool so this was a good excuse :)
The mail looked like this:
The attachment is a file named New.gz allegedly containing the “Terms of reference” Mihail is talking about.
Malicious attachment fingerprinting
So let’s dive in ! I launched a VM and ran some basic checks on the file. binwalk tells us that the file is actually a RAR archive, even though the extension says .gz
The archive contains a document named New.doc, apparently a Microsoft Office document:
Malicious attachment analysis
I can finally try oledump !
We can see that there is a VBA macro on stream 7, let’s extract it with oledump:
The VBA payload contains a shit load of “obfuscated” code but we can find the interesting part by pinpointing where the call to Shell happens. We can see in the excerpt below that the argument provided to Shell is a concatenation of the sraqteby array elements. Yes, there are some array indexing bullshit. I doubt this ever made reversing difficult :D
I opened a Python interpreter and executed the code below to get the argument provided to Shell:
Which gave me the following one-liner that downloads an executable with PowerShell and executes it (URL escapes are mine):
Let’s hash it !
Submitting the hash to VirusTotal, we can see it’s already detected as a Trojan by some AV. Some analyst provided the download URL in comments.
That’s all for now, I’m not good enough at reversing Windows executables to go further :)