For today’s post, I’m going to take a look at another suite of tools to assist in malware analysis, OfficeMalScanner. I’ve had these tools in my arsenal for quite some time, and have found them extremely useful for very quick Office document analysis. They are great triage tools I’d recommend as one of the first steps for a suspicious Office document. This will not be a long post, but that’s the beauty of the tools!
The OfficeMalScanner suite includes:
- OfficeMalScanner — Analyze office documents, including pre- and post-Office 2007 (doc vs docx)
- RTFScan — Similar to OfficeMalScanner, however built to analyze files with the Rich Text Format (.rtf) structure.
- DisView — Used for disassembling shellcode within a document.
- MalHost-Setup — A tool that “hosts” (apt name!) shellcode embedded in a document file. The goal of this particular tool is to assist reverse engineers and malware analysts in not having to deal with memory space of Office applications, and instead host malicious shellcode and have a much smaller area of analysis.
Let’s take a look at using OfficeMalScanner.
OfficeMalScanner
The purpose of the OfficeMalScanner is to scan Office documents and extract items such as shellcode and VBA macros. It can handle both doc and docx formats, and offers an inflate option to decompress the *x (Office 2007+) formats, such as docx, xlsx, etc. Here’s a screenshot of the help menu:
My typical usage involves either scan or info, depending on how the document is being abused. However, in some cases where encrypted data is at play, you may need to resort to brute which when used in combination with scan, uses brute forcing to find encrypted shellcode. Brute forcing actually scans for XOR, ADD, and ROL keys:
I don’t dig into the debug option here, but as you can see from above it provides hex output if a shellcode heuristic is tripped.
I grabbed a sample malicious document over at Hybrid-Analysis.net for testing. Here’s a sample of using the command:
OfficeMalScanner.exe C:\Excluded\781f23ba044168e6f724d861e3d58a8112519b81e313f41396c4c1b0b76b8db8.bin scan
Notice that when we use the scan option, the tool comes back with no malicious data within. However, it does recommend running the info option as well. I love when tools give you a second route! Let’s look at that output:
OfficeMalScanner.exe C:\Excluded\781f23ba044168e6f724d861e3d58a8112519b81e313f41396c4c1b0b76b8db8.bin info
Bingo! Now this output looks a little better! Notice that the tool found VBA code and has extracted those documents for us. Let’s look at each one:
ThisDocument
Hrm..the terms clapgarment and forkhorn definitely stand out to me as odd. Let’s see if the other is more interesting.
Module1
Now this just doesn’t feel right. This output section is actually 114 lines, so to save space I’m just providing a screenshot of the first 50 lines or so. However, one of the key takeaways is that we have a lot of…”plain” terms within this document. This is actually an interesting form of obfuscation, because there’s no extreme patterns of text. Most likely this text follows a somewhat normal distribution. Look more closely:
Notice there are terms such as canceldignity, coursefetch, cigarjuice, and gunrack. You’d be correct if you’re saying to yourself “This is not malicious code at face value”. We usually want to bite onto something crazy like “powershell.exe” or “wscript.exe”. It’s not always that easy!
Let’s have a look at what the document does when it was opened and this code was fully executed:
Well well, that looks completely different from words like gunrack and casinopumpkin. It’s likely that the attacker used a form of obfuscation which, as described above, filled the document with normal words that most likely could evade detection. We could take time to step through each phase of the VBA and see how the code is constructed, however in this case I’ll let the sandbox do it’s work for us.
Luckily, A/V caught onto this one immediately.
If you’re finding yourself doing Office document analysis, I’d recommend keeping this suite of tools around as an initial triage step. As I’ve shown above, it’s quick and simple to scan through and look for any low-hanging fruit of VBA or shellcode. Additionally, the tool can help find encrypted sections which may, at a minimum, say “start here”.
Until tomorrow, Happy Forensicating!
