From Base64 to Reverse Shell: Unpacking Malware from a Word Document
Malware distribution through infected documents, especially Microsoft Word files containing malicious macros, is a common threat. This article explores the process of reversing malware found in a Windows Word document, highlighting the techniques used by attackers and ways to mitigate such threats.
The sample has been download from Malware Bazaar (password: infected).
| Algorithm | Hash |
|---|---|
| SHA256 hash: | ab518a86b77fe842821b50d182b9394d2a59d1c64183a37eb70a6cac100b39f8 |
| SHA3-384 hash: | 39e2053c564f5ebeff0f7c8958b5ffc7d6e8782c81d1e848a5560f799f37f048e049527938485c3f4674e4c4cf2a1055 |
| SHA1 hash: | bd2447a6cfb1812ee7f190c9d92beabcc6976dcb |
| MD5 hash: | 97806d455842e36b67fdd2a763f97281 |
| humanhash: | mountain-grey-lithium-oregon |
| File name: | E-Windows.docm |
Introduction
The malware under investigation is embedded in a Windows Word document as a malicious macro. Macros, typically used to automate tasks in Word, can also be exploited to execute harmful code. The malware employs the "AutoOpen" function, which automatically triggers the macro upon opening the document.
Analysis
Using olevba, we extract information about the malware's intent:
- AutoOpen: Executes the macro upon document opening.
- Uses various Windows libraries for actions like writing, running, and base64 encoding.
- Contains a hardcoded HTTP URL.
olevba.exe -a \.malicious_macro.docm
Next, we utilize exiftool to examine the metadata, where we discover a base64 string appended to the file description.
Having pinpointed the attribute containing the base64 string, we proceed to extract it.
.\exiftool.exe -Description -b -txt .\malicous_macro.docm >description.txt
Examining the string appended to the Description attribute, we observe multiple leading spaces. Checking the file properties, we note that the string is not immediately visible. However, when the user double-clicks the 'comments' properties, the entire string is revealed. This method of concealing malicious code in plain sight is a common tactic used by attackers.
After identifying the file metadata, we extract the macro from the document using olevba. This step is crucial for understanding the malware's operation.
olevba.exe -c .\malicous_macro.docm > mal_macro.vba
Analyzing the extracted macro code, we find two main functions:
AutoOpen: Reads the base64 string from the comments property, decodes it, and executes the command.ExecuteForWindows: Writes the decoded base64 string to the temp directory and attempts to execute it using 'wscript'.
AutoOpen:
ExecuteForWindows:
To safely extract the dropped binary, the execution line containing wscript is commented out, allowing for a closer examination of the binary in the temp directory.
After executing the modified macro code, we locate the dropped binary in the user's temp directory.
By utilizing PEStudio, we confirm the presence of a string referencing C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb in the binary's debug property. From OSINT we find references related to Shellcodes created with Metasploit.
Conclusion
The malware embedded in the Windows Word document is a malicious macro that utilizes the AutoOpen function to automatically execute when the document is opened. It extracts a base64 string from the comments property, decodes it, and executes the command it contains. The malware then uses the ExecuteForWindows function to write the decoded binary to the temp directory of the current user. It attempts to execute this binary using wscript. By commenting out the execution line and running the code, we safely extract the dropped binary. Analysis of this binary reveals a debug property referencing a file path associated with Shellcodes created with Metasploit, indicating the malware's intent to execute shellcode on the infected system.
Patrick Barker