Didier Stevens

Friday 27 March 2015

oledump And XML With Embedded OLE Object

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file.

And the man page is finished. Run oledump.py -m to view the man page.

The sample I’m using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc, but it is an XML file, not an OLE file.

First check:

20150326-201918

The XML file contains an OLE file with 1 stream.

Let’s take a look inside the stream:

20150326-202105

Byte 0x78 could be the start of a ZLIB compressed data stream. Let’s checks this with option –decompress:

20150326-202544

It is indeed ZLIB compressed, and the decompressed data seems to be another OLE file (D0 CF 11 E0).

So let’s pipe this decompressed OLE file into a second instance of oledump:

20150326-203457

This OLE file contains an embedded object (Ole10Native). Let’s have a look:

20150326-203709

It seems to be a .VBS file. Let’s have a look:

20150326-203953

So this looks like VB Script with base64 strings. Let’s try to decode them with a plugin:

20150326-204225

So now it’s clear what this maldoc does: launch PowerShell, download a file and store it as a .cab file in a temporary folder. Expand the downloaded .cab file to an .exe file, and then launch the .exe file. In other words, it is a downloader.

oledump_V0_0_13.zip (https)
MD5: 6651A674F4981D9AEDE000C1F5895B69
SHA256: 4452DF48F7D852140B4CD662AD95C6BC695F5F04009B37A367EB392384935C51

Wednesday 18 March 2015

Update: peid-userdb-to-yara-rules.py

Filed under: My Software,Update — Didier Stevens @ 0:00

Just some small changes.

peid-userdb-to-yara-rules_V0_0_2.zip (https)
MD5: BE287BE1CB4EAFC360B1105C47F81819
SHA256: DC673DC90420F880EBDC8A0298410B3B8D90AFBCCE868A3E075DB5AAF898A188

Tuesday 17 March 2015

Update oledump.py Version 0.0.12

Filed under: Malware,Update,My Software — Didier Stevens @ 0:00

This update adds support for metadata and fixes an XML parsing bug.

20150314-110037

oledump_V0_0_12.zip (https)
MD5: 0AB5F77A9C0F1FF3E8BE4F675440A875
SHA256: 6F87E65729B5A921079B9E5400F63BE6721673B7AC075D809B643074B47FB8D3

Friday 27 February 2015

Update oledump.py Version 0.0.10

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error).

And an update to the plugin_http_heuristics and plugin_dridex plugins.

oledump_V0_0_10.zip (https)
MD5: 450C28232254F8FF3AF5E289F58D2DAB
SHA256: 139671E5E69200CECCE0EF730365C1BF1B7B8904B90E3B1E08E55AB040464C73

Thursday 19 February 2015

Update: oledump.py Version 0.0.9

Filed under: Malware,My Software,Update — Didier Stevens @ 22:19

The plugin_dridex plugin was updated.

And oledump.py has a new option: –quiet: only print output from plugins.

oledump_V0_0_9.zip (https)
MD5: 849C26F32397D2508381A8472FE40F90
SHA256: 74887EA3D4362C46CCBF67B89BB41D7AACE9E405E4CB5B63888FEDCE20FD6A07

Tuesday 17 February 2015

Update: oledump.py Version 0.0.8

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version brings support for multiple YARA rule files.

The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex.

oledump_V0_0_8.zip (https)
MD5: 29EBF73F5512B0BC250CD0A0977A2C72
SHA256: 09C451116FCDE7763173E1538C687734D92267A0D192499AFD118D8D923165B9

Monday 16 February 2015

Update EICARgen Version 2.1

Filed under: My Software,Update — Didier Stevens @ 0:00

Version 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with OLE.

Sunday 15 February 2015

Update: YARA Rule JPEG_EXIF_Contains_eval

Filed under: Forensics,Malware,Update — Didier Stevens @ 11:21

Now that YARA version 3.3.0 supports word boundaries in regular expressions, I’ve updated my YARA Rule for Detecting JPEG Exif With eval().

yara-rules-V0.0.5.zip (https)
MD5: 298EB636B3A3CB6A073815A83A6D1BA6
SHA256: EA00D044A3A0FE29265817407E382034593E0DAAD9887416E7FC128DA24B8830

Tuesday 10 February 2015

Update: oledump.py Version 0.0.7

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version adds support for the new office file format (.docx, .xlsx, …) stored inside a ZIP file (so a ZIP inside a ZIP) and an option to print YARA strings.

And the HTTP heuristics plugin has some extra heuristics.

oledump_V0_0_7.zip (https)
MD5: 7A953BAFFA1E5285651699996FA2DF84
SHA256: F5DC5F650F005E530A7D0CF510C33E3A4EF29AD85B1DA2618B237F53A46B86B5

Friday 16 January 2015

Update: oledump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 16:11

My last software release for 2014 was oledump.py V0.0.6 with support for the “ZIP/XML” Microsoft Office fileformat and YARA.

In this post I will highlight support for the “new” Microsoft Office fileformat (.docx, .docm, .xlsx, .xlsm, …), which is mainly composed of XML files stored inside a ZIP container. Except macros which are still stored with OLE files (inside the ZIP container).

When oledump.py detects that the file is actually a ZIP file, it searches through all the files stored inside the ZIP container for OLE files, and analyses these.

Here is an example of a simple spreadsheet with macros. The xlsm file contains one OLE file: xl/vbaProject.bin. oledump gives it the identifier A. All the streams inside the OLE file are reported, and their index is prefixed with the identifier (A in this example).

20150112-232122

If you want to select the stream with the macros, you use A6, like this: oledump.py -s A1

oledump also supports the analysis of an OLE file stored in a password protected ZIP file (typically, malware samples are stored inside ZIP files with password infected). When oledump.py analyses a ZIP file with extension .zip, it assumes that the file is NOT using the “new” Microsoft Office fileformat. Only when the file is a ZIP file but the extension is not .zip does oledump assume that the file is using the “new” Microsoft Office fileformat.

I have another example in my Internet Storm Center Guest Diary Entry.

oledump_V0_0_6.zip (https)
MD5: E32069589FEB7B53707D00D7E0256F79
SHA256: 8FCEFAEF5E6A2779FC8755ED96FB1A8DACDBE037B98EE419DBB974B5F18E578B

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 262 other followers