From Base64 to Reverse Shell: Unpacking Malware from a Word Document

Malware distribution through infected documents, especially Microsoft Word files containing malicious macros, is a common threat. This article explores the process of reversing malware found in a Windows Word document, highlighting the techniques used by attackers and ways to mitigate such threats.

The sample was downloaded from Malware Bazaar (archive password: infected).

Sample hashes (algorithm: value):
SHA256 hash: ab518a86b77fe842821b50d182b9394d2a59d1c64183a37eb70a6cac100b39f8
SHA3-384 hash: 39e2053c564f5ebeff0f7c8958b5ffc7d6e8782c81d1e848a5560f799f37f048e049527938485c3f4674e4c4cf2a1055
SHA1 hash: bd2447a6cfb1812ee7f190c9d92beabcc6976dcb
MD5 hash: 97806d455842e36b67fdd2a763f97281
humanhash: mountain-grey-lithium-oregon
File name: E-Windows.docm

Introduction

The malware under investigation is embedded in a Windows Word document as a malicious macro. Macros, typically used to automate tasks in Word, can also be exploited to execute harmful code. The malware employs the "AutoOpen" function, which automatically triggers the macro upon opening the document.

Analysis

Using olevba, we extract information about the malware's intent:

  • AutoOpen: Executes the macro upon document opening.
  • Uses various Windows libraries for actions like writing, running, and base64 encoding.
  • Contains a hardcoded HTTP URL.

olevba.exe -a .\malicious_macro.docm

Next, we utilize exiftool to examine the metadata, where we discover a base64 string appended to the file description.

Having pinpointed the attribute containing the base64 string, we proceed to extract it.

.\exiftool.exe -Description -b -txt .\malicous_macro.docm >description.txt

Examining the string appended to the Description attribute, we observe multiple leading spaces. Checking the file properties, we note that the string is not immediately visible because the padding pushes it out of view. However, when the user double-clicks the 'Comments' property, the entire string is revealed. Hiding malicious content in plain sight inside document metadata is a common attacker tactic.

After identifying the file metadata, we extract the macro from the document using olevba. This step is crucial for understanding the malware's operation.

olevba.exe -c .\malicous_macro.docm > mal_macro.vba

Analyzing the extracted macro code, we find two main functions:

  • AutoOpen: Reads the base64 string from the comments property, decodes it, and executes the command.
  • ExecuteForWindows: Writes the decoded base64 string to the temp directory and attempts to execute it using 'wscript'.
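The same extraction can be done statically, without running the macro at all. The following Python script is an added example (not the author's tooling): it opens the .docm as an OOXML zip, reads docProps/core.xml (Word's Comments field is stored there as dc:description, which is the Description tag exiftool printed), strips the padding spaces, base64-decodes the value and checks whether the result is a PE image. To run offline it builds a constructed stand-in document with a fake payload; the function names are assumptions, not names from the sample.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

def extract_core_props(docm_bytes):
    """Return {local-name: text} for the core properties of a .docm/.docx (an OOXML zip)."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {child.tag.rpartition("}")[2]: child.text or "" for child in root}

def find_b64_payloads(props, min_len=64):
    """Find property values that, once the padding spaces are stripped, decode as base64."""
    hits = {}
    for name, value in props.items():
        candidate = value.strip()  # the sample hid the string behind leading spaces
        if len(candidate) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", candidate):
            continue
        try:
            hits[name] = base64.b64decode(candidate)
        except ValueError:
            continue
    return hits

def classify(raw):
    """Coarse triage of a decoded payload: PE image, plain text/script, or other binary."""
    if raw[:2] == b"MZ":
        return "PE executable (MZ header)"
    try:
        raw.decode("ascii")
        return "text/script"
    except UnicodeDecodeError:
        return "unknown binary"

def build_sample_docm(description):
    """Constructed stand-in for the real sample: a minimal OOXML zip holding only core.xml."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:title>E-Windows</dc:title><dc:description>%s</dc:description>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"], description))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed fake payload: a DOS-stub-like blob, not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode."
SAMPLE = build_sample_docm(" " * 200 + base64.b64encode(FAKE_PE).decode())
```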

AutoOpen:

ExecuteForWindows:

To safely extract the dropped binary, the execution line containing wscript is commented out, allowing for a closer examination of the binary in the temp directory.

After executing the modified macro code, we locate the dropped binary in the user's temp directory.

Using PEStudio, we confirm the presence of a string referencing C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb in the binary's debug property. From OSINT, we find that this path is associated with shellcode payloads created with Metasploit.

Conclusion

The malware embedded in the Windows Word document is a malicious macro that utilizes the AutoOpen function to automatically execute when the document is opened. It extracts a base64 string from the comments property, decodes it, and executes the command it contains. The malware then uses the ExecuteForWindows function to write the decoded binary to the temp directory of the current user. It attempts to execute this binary using wscript. By commenting out the execution line and running the code, we safely extract the dropped binary. Analysis of this binary reveals a debug property referencing a file path associated with Shellcodes created with Metasploit, indicating the malware's intent to execute shellcode on the infected system.
