Subpoena Adam Sisitsky_4291016.doc
Date: 04/29/2016
Filename:
Subpoena Adam Sisitsky.doc
SHA-256 Hash Value:
f7d3f54785ffe118504400f1c33e03608f31760fbdee040d1367ed0d73fe302f
Overview
Today I was tasked with looking at a suspicious word document. So I started up my analysis system and got to work.
First I start off by fingerprinting the document.
File Type:
Meta Info:
Document Overview:
Under the Hood:
After profiling the document, I stared to inspect the embedded macros
And of course the code was heavily obfuscated.
This is where things got interesting.
Since most of these malicious documents are done by a Kit, I copied a public function name into google to see if there were any hits.
https://www.google.com/?gws_rd=ssl#q=yj5zhKqBmrCl9PP%28%29&filter=0
I got hit after hit after hit. Holy crap I said to myself.
This document also uses the Document_Open command which allows the macros to run when the document is opened.
Script Inspection:
It
checks for hardware information of the infected computer system to
identify if it’s being analyzed in a virtual environment.
It
also collects information about running processes to identify if there
are any analysis tools running in memory, such as Wireshark, snort, and
process explorer.
Once the script verifies that the infected
system is not an analysis system, it makes an HTTP GET requests to
chienenforme.com/img/doc.exe
Dynamic Analysis:
In my opinion it's much easier to analyze Macro Code dynamically then it is statically due to a rising problem with tools not able to handle evolving data obfuscation techniques.
Dynamic part 1
I have been playing with this script, which hooks into process and outputs the Execution Flow.
Spooky-Hook.py
Hook 1.
Hook 2.
Hook 3.
Result.
Domain Inspection:
Interesting, these servers have been around for sometime:
Comments
Post a Comment