Sat Oct 05 2024 Pin

960 label.wordCount · 7 label.readTime

Malicious Document Analysis Walkthrough

tech Malware

Table of Contents

Course Files Link to Course Files

Source —> letsdefend.io

Here are the course files for the analysis:

PO-465514-180820.doc.zip

Siparis_17.xls.zip

baddoc.zip

Password: infected

⚠️ Warning: Do not analyze malicious files on your personal or primary machine! Always use a secure, isolated environment like a virtual machine (VM) or a dedicated analysis system to avoid compromising your data and device. Malicious documents can contain dangerous payloads that may harm your system. Stay safe!

Download the files and unzip them.

Linux Command to Extract Files Link to Linux Command to Extract Files

Install p7zip (if it’s not already installed):

BASH

sudo apt-get install p7zip-full

BASH

7z x PO-465514-180820.doc.zip

Question 1. Link to Question 1.

What is the MD5 value of the “/root/Desktop/QuestionFiles/PO-465514-180820.doc” file?

Using Kali Linux, the MD5 value can be obtained by running:

BASH

md5sum PO-465514-180820.doc

View Answer.

d7e6921bfd008f707ba52dee374ff3db

Question 2. Link to Question 2.

What is the file type of /home/analyst/PO-465514-180820.doc? By looking at the file extension, we know it’s a .doc file. You can also verify the file type by running:

BASH

file PO-465514-180820.doc

View Answer.

doc

Question 3. Link to Question 3.

Does the file /root/Desktop/QuestionFiles/PO-465514-180820.doc contain a VBA macro? To check for VBA macros, install oletools and run olevba:

OLE VBA (olevba) is a tool for analyzing Microsoft Office documents, specifically for extracting and analyzing embedded VBA macros. It helps identify potentially malicious code by performing static analysis and detecting suspicious patterns. Commonly used in malware analysis and digital forensics, it supports various Office formats and outputs results in a human-readable format, making it essential for cybersecurity professionals

BASH

1
2

sudo -H pip install -U oletools
olevba PO-465514-180820.doc

If the file contains a macro, you will see macro code details. If not, you’ll get a message like this:

(empty macro) No suspicious keywords or IOC found.

View Answer.

Yes, the file contains a VBA macro

Question 4. Link to Question 4.

What is the macro keyword that triggers the malicious activity in /root/Desktop/QuestionFiles/PO-465514-180820.doc? Run the following to analyze the macros:

BASH

olevba PO-465514-180820.doc

File Contains Micro The macro keyword responsible for the malicious activity is often Document_Open.

View Answer.

Document_Open

Question 5. Link to Question 5.

Who is the author of the file /root/Desktop/QuestionFiles/PO-465514-180820.doc? To find the document’s metadata, including the author, use:

BASH

file PO-465514-180820.doc

sample output

PO-465514-180820.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Ipsum., Author: Alexandre Riviere, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Aug 18 09:19:00 2020, Last Saved Time/Date: Tue Aug 18 09:19:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 24, Security: 0

The output should include details like the title, author, and other metadata. In this case, the author is Alexandre Riviere.

View Answer.

Alexandre Riviere

Question 6. Link to Question 6.

What is the last saved time of the file /root/Desktop/QuestionFiles/PO-465514-180820.doc? To get detailed metadata, including the last saved time, use ExifTool:

ExifTool is a versatile command-line application for reading, writing, and editing metadata in various file formats, particularly images. It supports numerous metadata standards like EXIF, IPTC, and XMP. Key features include batch processing, detailed metadata output, and wide format support. It’s widely used by photographers and digital forensics experts for comprehensive metadata management.

BASH

exiftool PO-465514-180820.doc

ExifTool

View Answer.

2020-08-18 08:19:00

Question 7. Link to Question 7.

From which domain is the file Siparis_17.xls trying to download content? To analyze the macros in the Excel file, run:

BASH

olevba Siparis_17.xls

ExifTool The domain from which the file attempts to download content should be revealed in the output.

View Answer.

hocoso.mobi

Question 8. Link to Question 8.

How many IOCs are in the file Siparis_17.xls according to the Olevba tool? In the Olevba analysis, look for the section labeled Indicators of Compromise (IOCs).

View Answer.

Question 9. Link to Question 9.

What is the domain ending with .kz that the file PO-465514-180820.doc is trying to access? To determine which domain the file is trying to access, upload it to Hybrid-Analysis. After generating a report, navigate to the Relations section to view the DNS requests made. ExifTool

View Answer.

www[.]msbc.kz

Question 10. Link to Question 10.

Which Windows tool is used to make connection requests in the file PO-465514-180820.doc? Using Hybrid-Analysis, you can observe which system tools are involved in making external connection requests. In this case, the tool used is:

View Answer.

powershell.exe

Question 11. Link to Question 11.

How many DNS addresses does the file PO-465514-180820.doc contact? Check the Hybrid-Analysis report for DNS requests made by the file. In this case, it made requests to:

View Answer.

5 addresses

Question 12. Link to Question 12.

What name does the Siparis_17.xls malware document use when saving the downloaded file to the device? Run olevba on the Excel file again and look for the specific name the malware uses when saving the file:

BASH

olevba Siparis_17.xls

View Answer.

6LeGwKmrm.jar

Final Thoughts: This walkthrough demonstrated how to analyze potentially malicious Microsoft Office documents using tools like olevba and ExifTool. These tools help uncover the hidden macros and metadata, revealing the malicious intent of the files..

Thanks for reading!