with OfficeMalScanner
Version: 1.0
1 ABSTRACT 3
5 MALHOST-SETUP 15
6 CONCLUSION 19
7 REFERENCES 19
The next step was to find some documentation about the file format itself
and how to parse its structure. This time I had much more luck, as
Microsoft was kind enough to release some very detailed papers about the
format specs here [5] and here [6]. This helped me a lot in writing my own
forensic tool OfficeMalScanner [7]. In the following pages, I will describe
in detail what can be done with this forensic utility.
Be aware that OfficeMalScanner only scans the older Office binary file
formats. Office 2007 and newer use an XML-based structure, and it is very
easy to look inside these files: open a file with an extension like docx,
pptx, xlsx, docm, pptm and so forth with WinZip or WinRAR, then open the
contained files with a normal text editor to see what is inside.
The only exceptions are files containing VB macros (docm, pptm and xlsm).
Next to the usual XML files, you should find a file called vbaproject.bin.
This file contains the compressed VB macrocode, which is not XML but is
stored in the old binary file format style. You can extract this file and
then scan it with OfficeMalScanner to uncompress the VB macrocode data.
This will be described in detail later in this paper.
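As an added example (my own code, not part of the paper or of OfficeMalScanner), the following Python script does the manual step just described programmatically: it treats the OOXML file as a zip archive, looks for the vbaProject.bin part under word/, xl/ or ppt/, and checks that the part starts with the OLE compound-file signature before writing it out for a later OfficeMalScanner scan. The sample archives are constructed in memory and the function names are my own.

```python
import io
import zipfile

# OLE2 / compound-file header signature; vbaProject.bin is an OLE container.
OLE_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def find_vba_project(ooxml_bytes):
    """Return (part name, part bytes) for the VBA project inside an OOXML
    archive, or None when the document carries no macros (plain docx/xlsx/pptx).
    The part lives under word/, xl/ or ppt/ depending on the application."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as archive:
        for name in archive.namelist():
            if name.lower().endswith("vbaproject.bin"):
                return name, archive.read(name)
    return None


def looks_like_ole(data):
    """True when the blob starts with the OLE signature a binary-format scanner expects."""
    return data.startswith(OLE_SIGNATURE)


def extract_vba_project(ooxml_bytes, out_path):
    """Write the VBA project part to out_path so it can be scanned on its own.
    Returns the part name, or None when the document has no macros."""
    part = find_vba_project(ooxml_bytes)
    if part is None:
        return None
    name, data = part
    if not looks_like_ole(data):
        raise ValueError("%s does not start with the OLE signature" % name)
    with open(out_path, "wb") as handle:
        handle.write(data)
    return name


def build_sample(with_macros):
    """Constructed stand-in for a docm/docx: a zip with the usual XML parts
    and, optionally, a minimal word/vbaProject.bin (OLE header plus padding)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", OLE_SIGNATURE + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        part = find_vba_project(build_sample(flag))
        print("macros found:" if part else "no macros", part[0] if part else "")
```

Running the script against a real document is a matter of passing the file's bytes to extract_vba_project; the extracted part can then be fed to OfficeMalScanner as the text describes.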
The last notable tool before we start comes from Microsoft and was
released only some days ago. It is called OffVis [8] and is a very nice
MSOffice file format defragmentation utility. Even though it is still in
beta, I suggest you give it a try as well.
The “SCAN” feature scans the entire malicious file for generic shellcode
patterns. Here is a list of all currently implemented checks.
GetEIP (4 Methods)

  CALL NEXT
  NEXT: POP reg
  -------------------------------------------
  JMP [0xEB] 1ST
  2ND: POP reg
  1ST: CALL 2ND
  -------------------------------------------
  JMP [0xE9] 1ST
  2ND: POP reg
  1ST: CALL 2ND
  -------------------------------------------
  FLDZ
  FSTENV [esp-0ch]
  POP reg

API hashing loop

  LOOP: LODSB
  TEST al, al
  JZ short OK
  ROR EDI, 0Dh or ROR EDI, 07h
  ADD EDI, EAX
  JMP short LOOP
  OK: CMP EDI, ...

Suspicious strings

  UrlDownloadToFile
  GetTempPath
  GetWindowsDirectory
  GetSystemDirectory
  WinExec
  IsBadReadPtr
  IsBadWritePtr
  CreateFile
  CloseHandle
  ReadFile
  WriteFile
  SetFilePointer
  VirtualAlloc
  GetProcAddr
  LoadLibrary

Decoder loop

  LODS(x)
  XOR or ADD or SUB or ROL or ROR
  STOS(x)

Embedded OLE data

  Signature: \xD0\xCF\x11\xE0\xA1\xB1\x1a\xE1

Function Prolog

  PUSH EBP
  MOV EBP, ESP
  SUB ESP, <value> or ADD ESP, <value>

Embedded PE file

  Offset 0x0 == MZ
  Offset 0x3c == e_lfanew
  Offset e_lfanew == PE

INDEX SCORING

  Executables 4
  Code 3
  Strings 2
  OLE 1
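To make the checks above concrete, here is an added Python example (my own code, not OfficeMalScanner's source) that implements a subset of them on a byte buffer: the CALL-next/POP-reg and FLDZ/FSTENV GetEIP idioms, the function prolog, the suspicious-string list, the embedded OLE signature and the MZ/e_lfanew/PE check, combined with the index scoring table. The x86 byte encodings of the mnemonics are standard; the assumption that every hit adds its category weight to one index is mine, as is the constructed sample buffer.

```python
import re
import struct

# x86 encodings of some of the mnemonic patterns listed above.
CODE_PATTERNS = {
    # CALL NEXT / NEXT: POP reg -> E8 00 00 00 00 followed by POP r32 (58..5F)
    "GetEIP: CALL next / POP reg": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]"),
    # FLDZ / FSTENV [esp-0Ch] / POP reg
    "GetEIP: FLDZ / FSTENV": re.compile(rb"\xD9\xEE\xD9\x74\x24\xF4[\x58-\x5F]"),
    # PUSH EBP / MOV EBP, ESP
    "function prolog": re.compile(rb"\x55\x8B\xEC"),
}
SUSPICIOUS_STRINGS = [b"UrlDownloadToFile", b"GetTempPath", b"GetWindowsDirectory",
                      b"GetSystemDirectory", b"WinExec", b"VirtualAlloc",
                      b"GetProcAddr", b"LoadLibrary"]
OLE_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Index scoring table from the paper.
SCORE = {"Executables": 4, "Code": 3, "Strings": 2, "OLE": 1}


def find_all(buf, needle):
    """All offsets of needle in buf (overlapping matches included)."""
    offsets, start = [], buf.find(needle)
    while start != -1:
        offsets.append(start)
        start = buf.find(needle, start + 1)
    return offsets


def find_embedded_pe(buf):
    """Offsets of MZ headers whose e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    hits = []
    for mz in find_all(buf, b"MZ"):
        if mz + 0x40 > len(buf):
            continue                      # too short to hold a DOS header
        e_lfanew = struct.unpack_from("<I", buf, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew < 0x10000 and buf[pe:pe + 4] == b"PE\x00\x00":
            hits.append(mz)
    return hits


def scan_buffer(buf):
    """Return (findings, index): findings are (category, description, offset)
    tuples sorted by offset; the index sums the category scores of all hits."""
    findings = []
    for desc, pattern in CODE_PATTERNS.items():
        for match in pattern.finditer(buf):
            findings.append(("Code", desc, match.start()))
    for needle in SUSPICIOUS_STRINGS:
        for off in find_all(buf, needle):
            findings.append(("Strings", needle.decode(), off))
    # Offset 0 is the host document's own OLE header; later copies are embedded.
    for off in find_all(buf, OLE_SIGNATURE):
        if off != 0:
            findings.append(("OLE", "embedded OLE signature", off))
    for mz in find_embedded_pe(buf):
        findings.append(("Executables", "embedded PE file", mz))
    findings.sort(key=lambda f: f[2])
    index = sum(SCORE[cat] for cat, _, _ in findings)
    return findings, index


def build_sample():
    """Constructed buffer: host OLE header, an embedded OLE header, one
    suspicious API name, a CALL/POP GetEIP stub, a prolog and a stub PE."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    pe += b"PE\x00\x00"
    return (OLE_SIGNATURE + b"\x00" * 16 + OLE_SIGNATURE + b"GetTempPath\x00"
            + b"\xE8\x00\x00\x00\x00\x5B" + b"\x55\x8B\xEC" + bytes(pe))


if __name__ == "__main__":
    findings, index = scan_buffer(build_sample())
    for cat, desc, off in findings:
        print("%-11s %-28s at 0x%x" % (cat, desc, off))
    print("index =", index)
```

The sample produces one hit per category except Code, which fires twice (the CALL/POP stub and the prolog), so the index is 1 + 2 + 3 + 3 + 4 = 13; on a real document the interesting part is the offsets, which tell you where to look next.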
The “INFO” mode dumps OLE structures, offsets and lengths, and saves any
VB macro code it finds to disk.
To dump the VB macrocode to disk I use the Microsoft OLE API and some
tricky parsing, as well as macro decompression using the undocumented
RtlDecompressBuffer() function from NTDLL.DLL.
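As an added example of what that decompression step has to do (my own pure-Python implementation of the algorithm from Microsoft's MS-OVBA specification, not OfficeMalScanner's RtlDecompressBuffer() call), the function below expands a VBA CompressedContainer: a 0x01 signature byte followed by chunks, each with a 2-byte header and, when the chunk is compressed, flag bytes that mark literal bytes and 2-byte copy tokens whose offset/length bit split depends on how much of the chunk has already been decoded. The sample containers are constructed by hand.

```python
import struct


def decompress_vba(container):
    """Decompress an MS-OVBA CompressedContainer (0x01 signature + chunks)."""
    if not container or container[0] != 0x01:
        raise ValueError("not a compressed container (missing 0x01 signature byte)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start = pos
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # bits 0-11: size - 3
        if (header >> 12) & 0x07 != 0b011:            # bits 12-14: fixed signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = (header >> 15) & 1               # bit 15: chunk flag
        chunk_end = min(len(container), chunk_start + chunk_size)
        pos += 2
        dec_start = len(out)
        if not compressed:
            # Uncompressed chunk: 4096 raw bytes follow the header.
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if (flags >> bit) & 1 == 0:
                    out.append(container[pos])        # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # The split between offset and length bits grows with the
                # amount already decoded in this chunk (at least 4 length bits).
                decoded = len(out) - dec_start
                bit_count = max((decoded - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < dec_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):               # may overlap its own output
                    out.append(out[src + i])
    return bytes(out)


# Constructed container: one compressed chunk (header 0xB006 -> size 9),
# flag byte 0x10 = four literals 'A' 'B' 'C' 'D' then one copy token
# 0x3005 = offset 4, length 8, giving "ABCDABCDABCD".
SAMPLE_CONTAINER = bytes([0x01, 0x06, 0xB0, 0x10]) + b"ABCD" + bytes([0x05, 0x30])
# Constructed container with one uncompressed chunk (header 0x3FFF) of 4096 bytes.
SAMPLE_RAW_CHUNK = bytes([0x01, 0xFF, 0x3F]) + b"X" * 4096

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_CONTAINER))
    print(len(decompress_vba(SAMPLE_RAW_CHUNK)), "bytes from the raw chunk")
```

On a real vbaProject.bin the compressed container is the module stream from its recorded text offset onwards; the output is the plain VBA source, which is what you want to read when judging a macro.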
Figure 4.1:
As you can see, the tool is easy to use: besides describing the options and
switches, the help output also gives usage examples.
Figure 4.2:
Figure 4.3:
Figure 4.4:
Next to typical shellcode-based MSOffice exploits, there also exist malicious
documents containing evil VB macrocode. To reveal such code we can use
the “INFO” option, as seen in figure 4.5.
Figure 4.5:
Watch the flash video “VB macrocode debugging” to learn how to debug
such malicious code and drop the PE file in a safe way.
Figure 5.1:
As you can see, the shellcode enumerates through file handle values, first
tries to detect a valid file handle using the GetFileSize function and, if
one is found, checks its file size. If it matches 0xec600, the shellcode
knows it is running inside its own host document, drops an encrypted PE
file from some offset and executes it.
Usually some MSOffice executable like winword.exe or powerpoint.exe is
the host for such documents, but if we want to avoid running an MSOffice
product for testing, we can use MalHost-Setup.
Figure 5.2:
Figure 5.3:
Figure 5.4:
As already mentioned above, you can use the “WAIT” option to patch the
shellcode start. Be sure to write down the original bytes MalHost-Setup
prints to the console, for re-patching in the debugging session (see figure
5.5). If you start the 0xeb 0xfe patched outfile.exe now, it loops forever
and waits for a debugger to attach; e.g. in OllyDbg just attach to
outfile.exe, press the “run” button and right after that the “pause” button,
and you should be at the 0xeb 0xfe loop. Now just re-patch the bytes to
the original ones and start your debugging session.
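An added example (my own code, not part of MalHost-Setup) of the patch/re-patch bookkeeping described above: the helper writes the two-byte 0xEB 0xFE self-jump over a chosen file offset and returns the original bytes so they can be restored later, and the restore function refuses to write unless the wait loop is still in place. The sample bytes are constructed and the offset is an assumption for illustration.

```python
WAIT_LOOP = b"\xEB\xFE"   # JMP short -2: the instruction jumps to itself


def patch_wait_loop(image, offset):
    """Return (patched image, original two bytes). The caller keeps the
    original bytes, exactly as MalHost-Setup prints them to the console."""
    if offset < 0 or offset + len(WAIT_LOOP) > len(image):
        raise ValueError("offset %#x outside image" % offset)
    original = bytes(image[offset:offset + 2])
    patched = bytearray(image)
    patched[offset:offset + 2] = WAIT_LOOP
    return bytes(patched), original


def restore_original(image, offset, original):
    """Undo the patch once the debugger is attached and paused on the loop."""
    if len(original) != 2:
        raise ValueError("expected exactly two original bytes")
    if image[offset:offset + 2] != WAIT_LOOP:
        raise ValueError("no EB FE loop at %#x; refusing to overwrite" % offset)
    restored = bytearray(image)
    restored[offset:offset + 2] = original
    return bytes(restored)


def patch_file(path, offset):
    """Patch a file on disk and return the original bytes to write down."""
    with open(path, "rb") as handle:
        image = handle.read()
    patched, original = patch_wait_loop(image, offset)
    with open(path, "wb") as handle:
        handle.write(patched)
    return original


# Constructed sample: PUSH EBP / MOV EBP, ESP / SUB ESP, 10h
SAMPLE_CODE = b"\x55\x8B\xEC\x83\xEC\x10"

if __name__ == "__main__":
    patched, original = patch_wait_loop(SAMPLE_CODE, 0)   # offset 0 is assumed
    print("original bytes:", original.hex())
    print("patched       :", patched.hex())
    print("restored      :", restore_original(patched, 0, original).hex())
```

The refusal in restore_original is the point: if the bytes at the offset are no longer EB FE, either the offset is wrong or the file was already restored, and writing the saved bytes there would corrupt the image.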
Figure 5.5:
7 References
Thanks to Bruce Dang, Elia Florio, Michael Hale Ligh and Michael Sandee
for suggestions and ideas.