Microsoft Office files, especially Excel and Word documents, are commonly used as social engineering lures because these formats are familiar to the public and the applications that open them are ubiquitous, so users handle them without suspicion.
Recently, the HP research team isolated a malware sample notable for its unusual infection chain, which was delivered through a PDF document.
The threat actor relies on several strategies to evade detection, such as shellcode encryption, embedding malicious files, and running remotely hosted exploits. Using the PDF format to target a victim is out of the ordinary.
First, “Remittance.pdf” is sent to the target as an e-mail attachment. If the target takes the bait and clicks on the attachment, the document is downloaded.
When this document is opened, Adobe Reader prompts the victim to open a “.docx” file. This .docx file has been cleverly named “has been verified. However PDF, jpeg, xlsx, .docx” so that the file name reads as part of the Adobe Reader prompt and tricks the user.
Analysis with Didier Stevens’ “pdfid” script revealed that the .docx file is stored as an Embedded File object. This script scans the PDF for keywords that indicate code or actions that run when the document is opened.
To dig into the embedded file itself, “pdf-parser” from Didier Stevens’ toolbox is used. This script lets the investigator extract the file from the PDF document and save it to disk.
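The keyword scan that pdfid performs is simple enough to reproduce in a few lines, which makes clear why the embedded .docx showed up at all. The following is an added example, not HP's tooling and not Didier Stevens' code: it tallies the same kind of keywords over a constructed PDF byte string (not the real Remittance.pdf) that carries an embedded file named like the lure, an OpenAction, and one name written with a hex escape to show why the counting must normalise names first.

```python
import re
from collections import Counter

# Keywords a pdfid-style triage reports: each marks content or an action
# that a reader may process automatically when the file is opened.
KEYWORDS = ("/EmbeddedFile", "/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/ObjStm")

# A PDF name token runs from "/" to the next whitespace or delimiter.
NAME_TOKEN = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample, not the real Remittance.pdf: a minimal PDF with an
# embedded file whose display name mimics the lure, an OpenAction that runs
# JavaScript, and one name written with a hex escape (/Embedded#46ile).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, jpeg, xlsx, .docx) /EF << /F 7 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
6 0 obj << /Names [(attachment) 4 0 R] >> endobj
7 0 obj << /Type /Embedded#46ile /Length 7 >> stream
PK-stub
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def count_names(data: bytes) -> Counter:
    """Tally every /Name token in the raw file, resolving #xx escapes inside
    names so that /Embedded#46ile is counted as /EmbeddedFile."""
    counts = Counter()
    for m in NAME_TOKEN.finditer(data):
        name = HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        counts[b"/" + name] += 1
    return counts

def scan_pdf_keywords(data: bytes) -> dict:
    """Report the interesting keyword counts, in the spirit of pdfid's output."""
    counts = count_names(data)
    return {kw: counts.get(kw.encode(), 0) for kw in KEYWORDS}

def triage(report: dict) -> list:
    """Turn the counts into the reasons an analyst would extract parts with pdf-parser."""
    reasons = []
    if report["/EmbeddedFile"]:
        reasons.append("embedded file present: extract it and analyse it on its own")
    if report["/OpenAction"] or report["/AA"]:
        reasons.append("automatic action on open: inspect what it triggers")
    if report["/JavaScript"] or report["/JS"]:
        reasons.append("JavaScript present")
    if report["/Launch"]:
        reasons.append("Launch action present")
    return reasons

if __name__ == "__main__":
    report = scan_pdf_keywords(SAMPLE_PDF)
    for kw, n in report.items():
        print(f"{kw:<14} {n}")
    for reason in triage(report):
        print("!", reason)
```

Note that /EmbeddedFiles (the name tree in the catalog) and /EmbeddedFile (the stream type) are counted separately, as pdfid does; the hex-escaped name in object 7 still lands in the right bucket, which is the detail that lets a scan like this survive the trivial obfuscation of spelling a keyword with escapes.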
When the ‘.docx’ file is opened, it downloads an .rtf file from a web server. Since the Word document is an OOXML file, its contents can be unzipped and searched for URLs with the command shown in the image below.
The URL shown in the image above is not a domain legitimately found in Office documents. It appears in the document.xml.rels file, which lists the document’s relationships; the relationship here shows an external Object Linking and Embedding (OLE) object being loaded from this URL, as below.
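The relationship file is the place to look for this behaviour, so the check is worth automating. The following is an added example, not HP's code: it builds a constructed stand-in for the lure .docx (the page does not publish the real URLs, so the hosts are placeholders) with one external OLE relationship and one ordinary external hyperlink in word/_rels/document.xml.rels, then walks every .rels part of the package and reports only the external OLE targets, since external hyperlinks are common in benign documents while a remotely loaded OLE object is the red flag in this chain.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def build_sample_docx(ole_url: str, link_url: str) -> bytes:
    """Constructed stand-in for the lure .docx: just enough OOXML parts to carry a
    document.xml.rels with one external OLE relationship (the red flag) and one
    ordinary external hyperlink (benign, and common in real documents)."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="{link_url}" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OLE_REL}" Target="{ole_url}" TargetMode="External"/>
</Relationships>"""
    document = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>"""
    content_types = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
</Types>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

def find_external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part in the package and return each relationship whose
    TargetMode is External, noting whether it is an OLE object (as in this
    chain) or just a hyperlink."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "host": urlsplit(target).hostname,
                    "is_ole": rel_type == OLE_REL,
                })
    return findings

def external_ole_targets(docx_bytes: bytes) -> list:
    """Only the external OLE relationships: these deserve blocking and
    investigation, because the object is fetched from that URL when the
    document is opened."""
    return [f for f in find_external_relationships(docx_bytes) if f["is_ole"]]

if __name__ == "__main__":
    # Placeholder hosts: the page does not publish the real URLs.
    sample = build_sample_docx("http://ole-host.invalid/f_document_shp.doc",
                               "https://link-host.invalid/help")
    for f in find_external_relationships(sample):
        tag = "OLE " if f["is_ole"] else "link"
        print(f"{tag} {f['part']} {f['id']} -> {f['target']}")
```

The host of each external OLE target is what you would feed to proxy or DNS blocking and to a retrospective search of web logs; the relationship Id lets you find the matching `<o:OLEObject>` reference in document.xml if you want to confirm how the object is placed in the page.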
Connecting to this URL leads to a redirect and then downloads a Rich Text Format document called f_document_shp.doc. For further analysis, rtfobj was used to check its contents for OLE objects.
EMBEDDED OLE OBJECTS
As shown above, there are two OLE objects, which can be saved to disk using the same tool. As indicated, both objects are not well-formed, so analyzing them as-is could lead to confusing results.
To fix this, the objects can be reconstructed from the malformed data. After inspecting the basics of the objects with oleid, it was found that they relate to Microsoft Equation Editor, a feature in Word that is commonly exploited by attackers to run arbitrary code.
Examining the OLE object revealed shellcode that exploits CVE-2017-11882, a remote code execution vulnerability in Equation Editor.
The shellcode was stored in the OLENativeStream structure at the tail of the object, and it uses a function to locate itself in memory.
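Both the rtfobj step and the oleid identification above come down to one routine: hex-decode each \objdata blob and recover the object's class, even when the object is malformed and the \objclass control word is missing. The following is an added example, not HP's analysis code and not oletools: it scans a constructed RTF (not the real f_document_shp.doc) that carries a well-formed Equation.3 object and a second, damaged one with no declared class, broken line breaks and a dangling hex digit, and flags both as Equation Editor objects. The object data is a constructed OLE 1.0 header with the class name only; it contains no payload.

```python
import re

# Class names Equation Editor objects announce; the sample in this chain was Equation.3.
EQUATION_MARKERS = (b"Equation.3", b"Equation.2")

OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS = re.compile(rb"\\objclass\s+([^\\{}]+)")

def _ole1_stub(class_name: bytes) -> bytes:
    """Constructed OLE 1.0 object header: version, format id (embedded),
    length-prefixed class name, empty topic/item names. No payload at all."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00"
            + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name
            + b"\x00" * 8)

def _malform(hexdata: bytes) -> bytes:
    """Damage the hex blob the way malformed samples often are: line breaks
    every 32 digits and a dangling trailing nibble."""
    chunks = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return b"\r\n".join(chunks) + b"f"

# Constructed RTF, not the real f_document_shp.doc: the first object is a
# well-formed Equation.3 object; the second has no \objclass and a damaged
# hex blob, so only its decoded contents reveal the class.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 Remittance attached."
    rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + _ole1_stub(b"Equation.3").hex().encode()
    + rb"}}"
    rb"{\object\objemb{\*\objdata "
    + _malform(_ole1_stub(b"Equation.3").hex().encode())
    + rb"}}\par}"
)

def scan_rtf(rtf: bytes) -> list:
    """Extract each embedded object the way rtfobj does: hex-decode the
    objdata blob (tolerating whitespace and an odd digit count), pair it with
    the objclass declared since the previous object, and flag Equation Editor
    objects whether the class is declared or only present in the data."""
    results = []
    pos = 0
    for m in OBJDATA.finditer(rtf):
        classes = OBJCLASS.findall(rtf[pos:m.start()])
        declared = classes[-1].strip() if classes else None
        pos = m.end()
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]          # drop the dangling nibble of a truncated object
        raw = bytes.fromhex(hexdata.decode())
        in_data = any(marker in raw for marker in EQUATION_MARKERS)
        in_decl = declared is not None and any(marker in declared for marker in EQUATION_MARKERS)
        results.append({
            "declared_class": declared,
            "size": len(raw),
            "class_only_in_data": in_data and not in_decl,
            "equation_editor": in_data or in_decl,
        })
    return results

if __name__ == "__main__":
    for i, obj in enumerate(scan_rtf(SAMPLE_RTF), 1):
        print(f"object {i}: class={obj['declared_class']} size={obj['size']} "
              f"equation_editor={obj['equation_editor']} "
              f"class_only_in_data={obj['class_only_in_data']}")
```

Any Equation Editor object in an inbound RTF is worth quarantining regardless of whether the shellcode itself is recognised, which is why the check keys on the class name rather than on the payload; the second object in the sample shows why decoding the data matters, since a scanner that trusts only the declared \objclass would miss it.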
Without any further user action, according to the researchers, the malware downloads an executable called fresh.exe, a Snake Keylogger, and runs it from the public user directory using ShellExecuteExW. Snake Keylogger is an info-stealing malware whose builder also lets threat actors select and configure the desired features, generating different payloads.
INDICATORS OF COMPROMISE
has been verified. however pdf, jpeg, xlsx, .docx
fresh.exe (Snake Keylogger)
External OLE reference URL
External OLE reference final URL
Snake Keylogger payload URL
Snake Keylogger exfiltration via SMTP