Saturday, August 25, 2012

Office Document Analysis

So this is technically a cheater post. I am merely showing you links to things other people have done. However, I found them quite useful in performing analysis of SWF and Office documents. Maybe I will do a walkthrough demoing some of the tools later, but I am on vacation right now :P

If anyone has any more good links for MS Office and Flash analysis I would be interested to see them. Everyone is keen on PDF analysis but Office Documents are still on the radar.

I really like OfficeMalScanner now. I have been extracting malicious binaries from Office files, running PEscanner on the output, and then running strings to see what I can find. I have also gotten sick of switching over to Windows to use it, so I installed WINE on my REMnux image and run OfficeMalScanner and MalHost that way.

Happy weekend everyone! By the by... if anyone is EVER in Buffalo (or is in the US and craving British food) go to The English Pork Pie Company. We went there yesterday, had a Chicken Tikka pie and a Scotch egg... delicious! :)

Tuesday, August 07, 2012

Cryptam FTW

I heard about cryptam the other day and thought it seemed pretty badass. Basically it tries to automatically extract exes from malicious documents. You can grab the information from their blog, malwaretracker.com. This bad-boy script can do a few things:
  • extract files from plaintext
  • extract files from encoded files (via API)
  • submit to Cryptam for analysis
If you want to use the script... make sure you have both curl and php installed (I installed php5-curl and php5-cli).
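To show what the first bullet (pulling a plaintext exe out of a document) and the "extract from encoded files" case actually involve, here is an added example of my own; it is not the Cryptam script and not code from malwaretracker.com. It walks the file for 'MZ' headers, validates each one by following e_lfanew to the 'PE\0\0' signature, sizes the executable from its section table, and falls back to brute-forcing a single-byte XOR key by searching for the encoded DOS stub string. The sample "document" and the PE-shaped blob inside it are constructed for the demo (the blob has valid headers but is not a runnable program); the size-from-section-table rule is a heuristic and ignores any overlay appended after the last section.

```python
import struct

# The DOS stub message present in almost every Windows PE; a handy fingerprint
# for spotting an executable that has been single-byte XOR encoded.
DOS_STUB = b"This program cannot be run in DOS mode"


def find_pe_offsets(data):
    """Return offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # e_lfanew is small in real binaries; the 0x1000 cap is a heuristic that
            # rejects random 'MZ' byte pairs whose fake e_lfanew points anywhere.
            sig = data[pos + e_lfanew:pos + e_lfanew + 4]
            if 0x40 <= e_lfanew < 0x1000 and sig == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def pe_raw_size(data, offset):
    """Estimate the on-disk size of the PE at offset from its section table
    (furthest PointerToRawData + SizeOfRawData). Overlay bytes appended after the
    last section, a common reason two carves of 'the same' exe differ in size and
    MD5, are deliberately not included."""
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    coff = offset + e_lfanew + 4                       # COFF header follows 'PE\0\0'
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_size
    end = e_lfanew + 24 + opt_size + 40 * num_sections  # at least all the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_section + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(data):
    """Return every plaintext PE found in data as its own bytes object."""
    return [data[off:off + pe_raw_size(data, off)] for off in find_pe_offsets(data)]


def find_xor_key(data):
    """Brute-force a single-byte XOR key by searching for the encoded DOS stub.
    Returns the key, or None when no encoded stub is present."""
    for key in range(1, 256):
        if bytes(b ^ key for b in DOS_STUB) in data:
            return key
    return None


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def extract_all(data):
    """Plaintext carve first; if nothing turns up, try the single-byte XOR route.
    Returns (list_of_pe_blobs, key_used_or_None)."""
    found = carve_pe(data)
    if found:
        return found, None
    key = find_xor_key(data)
    if key is None:
        return [], None
    return carve_pe(xor_decode(data, key)), key


def build_sample_pe():
    """Constructed, minimal PE-shaped blob for the demo: valid MZ/PE/COFF/section
    headers around one 64-byte 'section'; not a runnable executable."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)            # e_lfanew: PE sig right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, no optional header
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x40, 0x1000, 0x40, 0x80) + bytes(16)
    body = DOS_STUB.ljust(0x40, b"\0")                       # SizeOfRawData=0x40 at PointerToRawData=0x80
    return bytes(dos_header) + b"PE\0\0" + coff + section + body


SAMPLE_PE = build_sample_pe()
# Constructed carrier "documents": a PDF-looking shell with the blob dropped in
# the middle, once in plaintext and once XOR-encoded with key 0x5A.
PREFIX = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstream\n"
SUFFIX = b"\nendstream\n%%EOF\n"
SAMPLE_DOC = PREFIX + SAMPLE_PE + SUFFIX
SAMPLE_DOC_XOR = PREFIX + xor_decode(SAMPLE_PE, 0x5A) + SUFFIX

if __name__ == "__main__":
    for name, doc in (("plaintext", SAMPLE_DOC), ("xor", SAMPLE_DOC_XOR)):
        blobs, key = extract_all(doc)
        print(name, "->", len(blobs), "PE(s) carved, key:", None if key is None else hex(key))
```

On a real sample you would read the document with open(path, "rb").read() and write each carved blob out for PEscanner and strings; the XOR step is the same heuristic idea malwaretracker's tooling applies, just reduced to a single-byte key.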

So let's try it with a sample... why not use the same one we have been using? Our CVE-2009-4324?


As you can see, it was able to extract a file from the PDF. We can now do whatever we like (static/dynamic analysis) with the exe. Let's quickly look at it with a hex dumper (xxd).

And for grins let's see what trid (file identifier) says it is:
remnux@remnux:~$ trid Desktop/CVE-2009-4324_PDF_2009-11-30_note200911.pdf\=1ST0DAYFILE-227169.exe

TrID/32 - File Identifier v2.00/Linux - (C) 2003-06 By M.Pontello
Definitions found:  3887
Analyzing...

Collecting data from file: Desktop/CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE-227169.exe
 68.0% (.EXE) Win32 Executable Generic (8527/13/3)
 15.9% (.EXE) Generic Win/DOS Executable (2002/3)
 15.9% (.EXE) DOS Executable Generic (2000/1)
  0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)
Ok, so REMnux definitely feels like this is an exe file. Ahh, but is it the same EXE that we got from PDFStreamDumper? Let's compare the hashes (I used md5sum):
16e0cb5c63a8c9aaf3d0ce461b92f295  CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE-227169.exe

069175846447506b3811632535395bc3  AdobeUpdate.exe
The hashes are not the same. OK, fair enough, but how similar are they?? ssdeep to the rescue! If you have never used ssdeep I highly recommend giving it a try; it basically takes two files and determines how similar they are using some fancy maths (context triggered piecewise hashing). Running ssdeep against the files shows them to be awfully similar:
remnux@remnux:~/Desktop$ ssdeep -b AdobeUpdate.exe > adobeHash.txt
remnux@remnux:~/Desktop$ ssdeep -bm adobeHash.txt CVE-2009-4324_PDF_2009-11-30_note200911.pdf\=1ST0DAYFILE-227169.exe  
CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE-227169.exe matches adobeHash.txt:AdobeUpdate.exe (100)
Let's upload the two files into VirusTotal just to check....
Results for exe dropped from PDFStreamDumper (36/41 detected): Report Here
Results for exe extracted using Cryptam (25/40 detected): Report Here
Interestingly enough, we do not get the same results. Because cryptam is making a best guess at where the embedded file ends, there may be additional bytes in its output (hence the different MD5). If we do an ls we see AdobeUpdate.exe having 172032 bytes and the cryptam extracted exe having 173749 bytes. Different AV vendors flag files differently-- hence different results! I am telling you though, they are the same file...
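To make the "different MD5, same file" point concrete, here is an added example (mine, not part of the post and not ssdeep's code) that runs the three checks above on two constructed stand-ins: exact hash, size, and a toy context triggered piecewise hash. The rolling hash and the Jaccard scoring are simplified assumptions, not ssdeep's actual algorithm (ssdeep scores with an edit distance over its signature string), but they show the mechanism: because chunk boundaries are decided by local content, appending a trailer to a file changes only its last chunk, so nearly every chunk digest still matches even though the whole-file MD5 does not.

```python
import hashlib
import random

WINDOW = 7      # bytes fed to the rolling hash at each position
TRIGGER = 64    # a chunk boundary fires when rolling hash % TRIGGER == TRIGGER - 1


def rolling_hash(window):
    """Toy polynomial hash over the last WINDOW bytes (not ssdeep's rolling hash)."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def piecewise_hashes(data):
    """Cut data into chunks wherever the content-derived trigger fires and return
    the set of truncated chunk digests. Boundaries depend only on the WINDOW bytes
    around them, so bytes appended at the end disturb at most the final chunk."""
    chunks = set()
    start = 0
    for i in range(WINDOW - 1, len(data)):
        if rolling_hash(data[i + 1 - WINDOW:i + 1]) % TRIGGER == TRIGGER - 1:
            chunks.add(hashlib.md5(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):
        chunks.add(hashlib.md5(data[start:]).hexdigest()[:8])
    return chunks


def similarity(a, b):
    """0-100 Jaccard overlap of the two chunk sets (a simplification of ssdeep's score)."""
    ha, hb = piecewise_hashes(a), piecewise_hashes(b)
    if not ha or not hb:
        return 0
    return round(100 * len(ha & hb) / len(ha | hb))


def compare(a, b):
    """The post's checks in one place: md5sum, ls -l size, fuzzy match, plus how
    far the two files agree byte-for-byte from the start."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    return {
        "md5_a": hashlib.md5(a).hexdigest(),
        "md5_b": hashlib.md5(b).hexdigest(),
        "size_a": len(a),
        "size_b": len(b),
        "common_prefix": prefix,
        "similarity": similarity(a, b),
    }


def make_samples():
    """Constructed stand-ins for the two carves: a pseudo-random 8 KiB 'exe', the
    same bytes with a 128-byte trailer appended (the role the extra 1717 bytes play
    in the Cryptam output), and an unrelated file of the same size."""
    rng = random.Random(2012)
    base = bytes(rng.getrandbits(8) for _ in range(8192))
    trailer = bytes(rng.getrandbits(8) for _ in range(128))
    other = bytes(random.Random(4324).getrandbits(8) for _ in range(8192))
    return base, base + trailer, other


def demo():
    """Returns (base vs padded copy, base vs unrelated file) comparison dicts."""
    base, padded, other = make_samples()
    return compare(base, padded), compare(base, other)


if __name__ == "__main__":
    for label, result in zip(("same exe + trailer", "unrelated file"), demo()):
        print(label, result)
```

With real files, replace make_samples() with two open(path, "rb").read() calls; the common_prefix field is the quick tell that one carve is simply the other plus trailing bytes.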

Still don't believe me? Well, for the sake of being thorough I went and submitted each exe to malwr.com-- and guess what? Same output :) You can see them below:
So now if you are in the *nix world and ran into the issue I had with peepdf running shellcode, try cryptam to see if you can extract the file. This way you don't have to wander into the Windows world...

Now I know what you are thinking-- wouldn't it be great to script this? Stay tuned....

Monday, August 06, 2012

44Con: MFIRE Edition!

Just a quick note: I will be teaching MFIRE: DC44Con Edition in London in early September. There are two days of training (3rd-4th) and then talks from the 5th - 7th. This year paying for training will NOT get you into the talks, so make sure you sign up for both!

See you there :)

Sunday, August 05, 2012

PDF Analysis + A Request

I am going to first make my request. Those who know me know I am a bit gaga for photography. One of my pictures was chosen for the exhibition 'London: A Picture of Sustainability'. Please take a second to vote for my photo (if you like it of course!). I was honored to get this far and it would be awesome to be chosen to win! Definitely look at all of them; it's neat to see what everyone's definition of 'sustainability' is.

All the photographs will be available for sale! I am invited to the Exhibition Opening! What do I wear?! Do I need to suit up?! I thought IRs were stressful....

I can't ask you guys for something without giving something in return... so I present not one, but TWO videos on PDF analysis! I will be looking at one PDF via peepdf (the new version) in REMnux and then in PDFStreamDumper. More than one way to peel a potato :)

The file I am using for this demo is 'CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE' which I grabbed from a malicious document collection from Contagio. What would we do without Contagio?

UPGRADING TO PEEPDF 0.2
If you already have peepdf, it's quite simple to update. Simply type in:
$sudo peepdf.py -u
Then everything should be lovely jubbley :) If not, you can go to where you have peepdf installed (in REMnux it's in /usr/local/bin) and run the command directly from there.

Ok I lied, you need to do a few more things. You need to also install pylibemu and maybe update libemu while you are at it. Jose recommends using git as the sourceforge packages are outdated. Check the readme for other dependencies you may want.

I was also having issues even after this: peepdf was not seeing my pylibemu library. I noticed when reinstalling everything that I did not have python bound to libemu. I did some browsing and this fixed my issue. Thank you Alex from Canada!

If you do not have peepdf you can go to the main site directly and download it for your system, or you can even find the older version on REMnux (a great free VM for analysing malware) and simply upgrade it yourself!



PDF STREAM DUMPER
I really love this tool as well. I know it's 'cooler' to use the command line, but you have to respect a great GUI tool which is amazingly versatile. Again, using the same PDF from peepdf-- I show analysis being done with this Windows tool. You can grab the program at the sandsprite website.


That's all for now folks-- please please please vote in the photo competition. And a big thank you to Jose for all your assistance with peepdf! If you ever find yourself in London I owe you a beer :)