[SANS ISC] .docx With Embedded EXE, (Sun, Aug 22nd)

I received a malicious document sample, a .docx file: c977b861b887a09979d4e1ef03d5f975f297882c30be38aba59251f1b46c2aa8.

If you are familiar with maldocs, you know that .docx files do not contain VBA macros.

What is hiding in this maldoc is just two embedded files:

In the command above, I just use my zipdump.py tool to peek into the .docx file (OOXML files like .docx files are ZIP containers).

Embedded files are stored as OLE files inside OOXML files. Thus one can use my oledump.py tool to analyze them:

Note the two O indicators: they tell us there is an embedded object inside that stream (streams A2 and B2).

More info about embedded objects can be obtained with option -i:

There is quite a bit of information here. First of all, the hashes of both files are identical, so the same file was embedded twice.

The original name of the embedded file is LoadSupportingFiles.exe, and it comes from a user ray who keeps their payloads on their desktop.

The first 2 bytes (MZ) indicate that this is most likely a Windows executable.

We can extract the file with option -e, and pass it to my tool pecheck.py for example, to verify that it is a PE file:
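The triage steps described above (treat the .docx as a ZIP container, flag members that are OLE compound files, check for an MZ/PE header, and compare hashes to spot a file that was embedded twice) can be approximated in a few lines of Python. The following is an added example, not code from the diary and not part of zipdump.py, oledump.py or pecheck.py. It builds a constructed sample .docx in memory (with a fake PE stub embedded twice) rather than using the real sample, and it carves PE payloads heuristically from the raw OLE bytes instead of parsing the Ole10Native stream the way oledump.py does, so treat it as a quick first pass, not a replacement for those tools.

```python
import hashlib
import io
import struct
import zipfile
from collections import defaultdict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (OLE/CFB) signature


def is_pe(data: bytes, offset: int = 0) -> bool:
    """MZ header at offset, and e_lfanew (DWORD at 0x3C) pointing at 'PE\\0\\0'."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00"


def carve_pe(blob: bytes) -> list:
    """Return every MZ/PE-validated payload in blob (from its MZ to the end of the blob).
    Heuristic carve: it does not walk OLE streams the way oledump.py does."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if is_pe(blob, pos):
            found.append(blob[pos:])
        pos = blob.find(b"MZ", pos + 1)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_docx(docx_bytes: bytes) -> list:
    """Walk the OOXML ZIP container; flag OLE members and any PE payload carved from them."""
    report = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_ole = data.startswith(OLE_MAGIC)
            payloads = carve_pe(data) if is_ole else []
            report.append({
                "name": info.filename,
                "size": len(data),
                "sha256": sha256(data),
                "ole": is_ole,
                "pe_hashes": [sha256(p) for p in payloads],
            })
    return report


def duplicate_payloads(report: list) -> dict:
    """Group members by carved-payload hash; an identical hash in two members
    means the same file was embedded more than once."""
    by_hash = defaultdict(list)
    for entry in report:
        for h in entry["pe_hashes"]:
            by_hash[h].append(entry["name"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def build_sample_docx() -> bytes:
    """Constructed sample (not the diary's file): a minimal OOXML ZIP with the same
    fake PE stub embedded twice inside OLE-magic-prefixed blobs."""
    stub = bytearray(0x40)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS header
    stub += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 30  # COFF header: Machine = IMAGE_FILE_MACHINE_I386
    ole_blob = OLE_MAGIC + b"\x00" * 504 + bytes(stub)  # magic plus padding only; not a valid CFB structure
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", ole_blob)
        zf.writestr("word/embeddings/oleObject2.bin", ole_blob)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_docx(build_sample_docx())
    for e in rep:
        print(e["name"], e["size"], "OLE" if e["ole"] else "-", e["pe_hashes"])
    print("embedded more than once:", duplicate_payloads(rep))
```

To run it against a real document, replace `build_sample_docx()` with the bytes of the .docx under analysis; the `ole` flag points you at the members worth handing to oledump.py, and a repeated hash in `duplicate_payloads` is the same observation the diary makes from the option -i output.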

I also opened the file with Word inside a sandbox, to see how it looks:

Interestingly, when I follow the instructions, I’m prevented from executing the program. This happens even on an outdated machine (Windows 7 without AV and running Office 2016 patched in October 2020):

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
