Cybersecurity specialist Zoziel Pinto Freire shows an example of malicious file analysis presented during his talk on BSides-Vitória 2022.
My goal with this series of articles is to show examples of malicious file analysis that I presented during my talk on BSides-Vitória 2022.
For this first one, I will briefly present some crucial topics to facilitate the understanding of the analysis process.
What are malicious files?
- Files whose internal structure contains malicious actions that could compromise an environment, an account, a workstation, a server, or the user who receives the file.
Some file types are used more often in attacks
Microsoft Office Documents
- DOC, DOCX, XLS, XLSX, XLSM
- From a security point of view, DOC, DOCX, XLS, XLSX and XLSM files share a common problem: they can contain macros, embedded scripts that are executed from inside the file.
- Often they instead carry malicious links and trick the user into clicking on something.
Static analysis vs. dynamic analysis
- Static analysis is performed without running or opening the file/code.
- Dynamic analysis is performed when executing or opening the file/code.
- PEframe is an open source tool to perform static analysis of malware executables and malicious MS Office documents.
- Example: peframe file_name
- PdfParser, a standalone PHP library, provides various tools for extracting data from a PDF file.
- Example: python2.7 pdf-parser.py file_name
- peepdf is a Python tool for exploring PDF files to find out if the file may be harmful or not.
- Example: python2.7 peepdf.py file_name
- oletools – Python tools for analyzing MS OLE2 (Structured Storage, Compound File Binary Format) files and MS Office documents, for malware analysis, forensics and debugging.
- olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA macros, extract their plain-text source code and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc.).
- Example: olevba file_name
- oleobj is a Python script and module for analyzing OLE objects and files stored in various MS Office file formats (doc, xls, ppt, docx, xlsx, pptx, etc.).
- Example: oleobj file_name
- ExifTool is a platform-independent Perl library and command-line application for reading, writing, and editing meta information in a wide variety of files.
- Wireshark is the most widely used network protocol analyzer in the world. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard in many commercial and non-profit organizations, government agencies, and educational institutions.
urlscan.io – Website scanner for suspicious and malicious URLs.
MxToolbox supports global Internet operations by providing free, fast and accurate network diagnostic and research tools. Millions of technology professionals use our tools to diagnose and resolve a wide range of infrastructure issues.
Example 01 – Static Analysis
Note: All tests were run on a virtual machine with the Linux operating system.
Here I will demonstrate in practice how we can use some of the above tools to analyze a malicious file.
We start with ExifTool to try to collect information via metadata.
Points of attention:
- In the figure above we can identify the name of the person who made the last modification to the file (a possible name of the attacker).
- An assumed creator name (the username used to create the file).
- In the title, it is possible to identify something that looks like the execution of a file or a command, but written backwards.
When I use the rev command to reverse that part of the ExifTool output, the line becomes readable, as shown below.
Using olevba, it is possible to identify malicious macros and their possible actions.
Points of attention:
- Can open a file
- Can write to a file (if combined with Open)
- Can run an executable file or system command
- Can call a DLL using Excel 4 macros (XLM/XLF)
- Can create an OLE object
- May attempt to obfuscate specific strings
- Can run an executable file or system command using Excel 4 macros (XLM/XLF)
- Base64-encoded strings were detected, which may be used to hide strings
Using PEframe it is possible to achieve a similar result, but without the suspicious points shown by olevba.
Moving on to dynamic analysis, I opened the file with the LibreOffice package, which generated an alert that the document's macros may contain viruses.
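The two metadata tricks seen above, a command written backwards in the Title field and base64 used to hide strings, can be caught with a few lines of triage logic. This is an added example, not code from the talk, from ExifTool or from oletools; the metadata dictionary and the keyword list are constructed for illustration.

```python
import base64
import re

# Subset of the keywords olevba reports as suspicious (constructed list).
SUSPICIOUS_KEYWORDS = ("cmd", "powershell", "wscript", "shell", "createobject",
                       "exec", "mshta", "rundll32", "regsvr32")

# A base64 run long enough to carry a command, with valid padding.
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed metadata in the shape ExifTool prints for an Office document.
SAMPLE_METADATA = {
    "Creator": "Admin",
    "LastModifiedBy": "operator01",
    "Title": "exe.etadpu c/ dmc",  # "cmd /c update.exe" written backwards
    "Comments": base64.b64encode(b"cmd /c update.exe").decode(),
    "Subject": "Quarterly report",
}


def keyword_hits(text):
    """Return the suspicious keywords present in text (case-insensitive)."""
    lowered = text.lower()
    return [kw for kw in SUSPICIOUS_KEYWORDS if kw in lowered]


def base64_decodes(text):
    """Yield decoded printable-ASCII strings for every valid base64 run in text."""
    for candidate in BASE64_RE.findall(text):
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
        if decoded and all(32 <= b < 127 for b in decoded):
            yield decoded.decode("ascii")


def triage_metadata(meta):
    """Flag fields hiding commands in plain, reversed or base64 form.

    Returns a list of (field, finding, detail) tuples.
    """
    findings = []
    for field, value in meta.items():
        if not isinstance(value, str):
            continue
        for kw in keyword_hits(value):
            findings.append((field, "keyword", kw))
        reversed_value = value[::-1]  # same effect as piping through `rev`
        if keyword_hits(reversed_value):
            findings.append((field, "reversed-keyword", reversed_value))
        for decoded in base64_decodes(value):
            findings.append((field, "base64", decoded))
            for kw in keyword_hits(decoded):
                findings.append((field, "base64-keyword", kw))
    return findings
```

Run `triage_metadata(SAMPLE_METADATA)` to see the Title and Comments fields flagged; feed it the key/value pairs from real ExifTool output to apply the same checks to a document under analysis.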
The contents of the file prompt the user to enable the “enable editing” option.
As shown above, with a few small steps it was possible to analyze the file and conclude that it is malicious.
See you in the next analysis 🙂
About the Author: Zoziel Pinto Freire
Cybersecurity Specialist | Forensic expert | Threat Hunter | BlueTeam | Red Team | Pentester | Evaluation