A forum for reverse engineering, OS internals and malware analysis 

 #30395  by BitTwist127
 Thu Jun 01, 2017 1:52 pm
I'm looking into some malware we got via a phish attempt. I've used several tools to look into the PDF (peepdf, pdf-parser). I've found that the pdf has an OpenAction to run javascript. I've tracked down the javascript (fairly well, it bounces around everywhere inside the file). It seems the sample eventually calls: this.exportDataObject({cName:"badfile.mdoc", nLaunch:2});

Seems to me this PDF drops an mdoc file (macro-enabled Word file) and then asks the user to open it.

I think the mdoc file is stored in object 14. However, when I pull out object 14 and create a file from it, it seems corrupted.

The PDF also has several large javascript sections, I've attached them. One of these functions is an encode / decode function. I'm wondering if the decode function needs to run against the mdoc in some way prior to it being written? It is odd though, as I don't see the decode (or encode) functions actually being called anywhere (am I missing it?), so perhaps it is just abandoned code?

I'm also attaching a copy of the malware, please understand the attached PDF is malware. I understand I can attach it here so long as I'm clear that it contains badness.

Can anyone give me some tips on how to get the mdoc file extracted so that I can further my analysis?

PS. this is my first analysis so hopefully I'm not WAY off base...


Thanks for any help/tips!
Attachments: functions from pdf (5.71 KiB), notes during analysis (709 Bytes), Malware Sample! (60.84 KiB)
 #30396  by futex
 Thu Jun 01, 2017 3:55 pm
You can extract all the streams with pdfextract command line from origami tool.
As you say, inside there is a Word file with a macro; the macro is launched when the file is opened in Word, and tries to download malware from:

hxxp://oliverkuo.com.au/fgJds2U
hxxp://minnessotaswordfishh.com/af/fgJds2U
hxxp://elateplaza.com/fgJds2U

The sample is here: https://www.virustotal.com/en/file/d5bd ... /analysis/

It seems to be ransomware.
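For readers hitting the same "object 14 looks corrupted" problem described in the first post, here is an added example (not code from the thread or from any of the tools named in it) that scans a PDF for /EmbeddedFile streams, applies the declared /FlateDecode filter, and checks whether the result is an OOXML (ZIP) container the way a real .docm must be. The PDF bytes, object numbers and payload are constructed for the example; only the standard Flate filter is handled, not any custom JavaScript-side encoding.

```python
import re
import zlib

# Constructed sample (not the thread's malware): a minimal PDF fragment with one
# /EmbeddedFile stream, FlateDecode-compressed, whose payload begins like a real
# .docm, i.e. an OOXML ZIP container. Object numbers mirror the post's "object 14".
FAKE_DOCM = b"PK\x03\x04\x14\x00\x00\x00[Content_Types].xml" + b"\x00" * 32
_body = zlib.compress(FAKE_DOCM)
SAMPLE_PDF = (
    b"%PDF-1.7\n14 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(_body)).encode() + b" >>\nstream\n" + _body + b"\nendstream\nendobj\n"
    b"15 0 obj\n<< /Type /Filespec /F (badfile.mdoc) /EF << /F 14 0 R >> >>\nendobj\n"
)

# Minimal scanner, not a full PDF parser: matches "N 0 obj <<dict>> stream\n".
STREAM_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.S)

def extract_embedded_files(pdf: bytes) -> dict:
    """Return {object number: decoded bytes} for every /EmbeddedFile stream.
    Only /FlateDecode is decoded (the usual case); other filters come back raw."""
    found = {}
    for m in STREAM_RE.finditer(pdf):
        num, dictionary = int(m.group(1)), m.group(2)
        if b"/EmbeddedFile" not in dictionary:
            continue
        # Prefer the declared direct /Length; fall back to searching for the
        # keyword when it is an indirect reference ("/Length 20 0 R").
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", dictionary)
        start = m.end()
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        data = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            # decompressobj tolerates trailing whitespace after the zlib stream,
            # where zlib.decompress() would raise on the extra bytes.
            data = zlib.decompressobj().decompress(data)
        found[num] = data
    return found

def looks_like_ooxml(data: bytes) -> bool:
    """A .docm/.docx is a ZIP container and must begin with the PK local-file
    header; anything else means the stream was not fully decoded (wrong filter,
    bad /Length, or an extra encoding layer still to be undone)."""
    return data.startswith(b"PK\x03\x04")

if __name__ == "__main__":
    for num, blob in extract_embedded_files(SAMPLE_PDF).items():
        print(f"obj {num}: {len(blob)} bytes, ooxml={looks_like_ooxml(blob)}")
```

Comparing the decoded size against what another extractor produces, as the later post does, is a quick way to spot a truncated or still-encoded stream.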
 #30397  by BitTwist127
 Thu Jun 01, 2017 6:07 pm
This is great, thank you very much. Do you mind sharing what you used to open the docm file? Was it an analysis tool, or did you just open it from MS Word? (I tried oletools but it failed for me.)

EDIT:
I got oledump to open it... looks good, thanks for the pointers.
 #30403  by BitTwist127
 Mon Jun 05, 2017 1:01 pm
Nice blog, different C&C than the one I have. Also I tried that very command with peepdf and I don't get a complete file. If I compare the file size with the one I get from the other tool it is several KB smaller. The sample I uploaded above also has obfuscation on writing the stream. Thanks for the feedback though, I'll take another look at exporting with peepdf as it would be nice to be able to use a single tool.
Antelox wrote:You can use just peepdf to extract the docm from the PDF. Check the following blogpost to see how to do it:
https://eternal-todo.com/blog/dridex-sp ... ion-vector
By the way the binary downloaded by the docm is Jaff ransomware.

BR,

Antelox