Didier Stevens

Wednesday 14 November 2018

Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc — Didier Stevens @ 0:00

I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt“:

Thursday 25 October 2018

Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc,My Software — Didier Stevens @ 0:00

VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros. Until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.

VBA macros in a PowerPoint document do not appear directly in streams:

Plugin plugin_ppt parses records found in stream “PowerPoint Document”:

Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.

Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.

Plugin option -s can be used to select this record:

Plugin option -a can then be used to do an hex/ascii dump:

The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).

This OLE file can be decompressed and extracted with option -e, but pay attention to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:

And now we can extract the VBA macros:

oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81

Friday 14 October 2016

Analyzing Office Maldocs With Decoder.xls

Filed under: maldoc,Malware,My Software — Didier Stevens @ 13:27

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.

Tools: oledump.py, decoder.xls

Sample: 2f918f49c3f926bb1538eaad6e8e6883

Wednesday 8 April 2015

Quickpost: Maldocs: VBA And Pastebin

Filed under: Malware — Didier Stevens @ 20:24

Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros.

The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.

The VBA macro downloads base64 encoded scripts from Pastebin:

20150408-220943

20150408-221046

The scripts are delimited by HTML-like tags like <text10>. Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed.

The URL of the payload comes from another Pastebin entry:

20150408-221533

Correct: that trojan is hosted on Dropbox.


Quickpost info


Monday 1 April 2019

Overview of Content Published in March

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in March:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Sunday 2 December 2018

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 12:32

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Friday 2 November 2018

Overview of Content Published in October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

SANS ISC Diary entries:

Tuesday 31 October 2017

Analyzing A Malicious Document Cleaned By Anti-Virus

Filed under: maldoc,Malware — Didier Stevens @ 0:00

@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros:

I’ve seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is deleted from a filesystem, it’s the index that is deleted but not the content. FYI: olevba will find macros.

Using the raw option, it’s possible to extract the macros:

I was able to find back the original malicious document: f52ea8f238e57e49bfae304bd656ad98 (this sample was analyzed by Talos).

The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names:

This can be clearly seen using oledir:

 

Tuesday 4 April 2017

Overview of Content Published In March

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in March:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Monday 14 November 2016

Overview of Content Published In October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Next Page »

Blog at WordPress.com.