Today I wanted to do a blog post on a malicious Microsoft Word Document that I pulled down from http://iec56w4ibovnb4wc.onion, this is @0xffff0800 repository of malware. It is definitely an excellent resource of malware. So far from what I can tell in my analysis is that this Word document is a downloader, but with that being said it is most likely a test document due to the fact that it is calling out to an internal IP address 192.168.10.18 over port 5555. So I will quickly walk you through how I came to my conclusion.
I downloaded this particular document from the site listed above. I then transferred it over to my Remnux box and performed the file command and got a hash of the file:
Once I determined the type of file file and hash I was dealing with I used oledump to see if their were macros and if there is to dump them out to a file:
Nice, so we do have a Word document that has macros. How I can tell that, is by looking at stream 7 that is earmarked with a “M”. So now that we have the stream number we need to dump, let’s take a look at our macros. To do this I will again use oledump to take a closer look at stream 7.
After dumping out these macros I am pretty certain we are dealing with a malicious document based on the fact that a normal Microsoft Word document is not going to have embedded VBA that calls a base64 encoded PowerShell script.
I then carved out this base64 and copied it to a text file and then ran base64 -d to decode it. There are multiple ways this could have been done either by using Cyberchef or you could have also used Notepad++.
Look what we have here, a nice little PowerShell script that is loading DLL’s and has some embedded shellcode. Let’s see if we can extract that shellcode and see what it is doing. To do this we are going to use the built in debugging features of PowerShell ISE.
What I did here was take the decoded base64 PowerShell script and load it up into PowerShell ISE and set a breakpoint right after the shellcode by right clicking the beginning of the line and toggling the breakpoint. I then ran the script and dumped out the shellcode to a file called sc.bin. The command I used was [io.file]::WriteAllBytes(‘sc.bin’,$z). This takes the shellcode that was stored in the $z variable saves it to a file named sc.bin. Now lets see what our shellcode is doing. To accomplish this I will use the tool scdbg to emulate the shellcode by loading it up and launching it.
Once you click launch a command prompt should pop up.
So it looks like it is loading up Windows networking libraries and trying to call out to an internal IP over port 5555. From here you could use a tool such as jmp2it to run the shellcode and attach it to a debugger if you like. I did attempt this but could not get the process to run correctly in the debugger, but was able to see that it did load mswsock library as well which is another networking library for Windows.
I hope you enjoyed this post and until next time…
5 thoughts on “MagicHoundAPT34 Word Doc Analysis”
LikeLiked by 1 person
Not sure, I couldn’t get it to load up into my debugger, but that would be interesting to look into once I’m able to get it running.
Were you able to determine the OLE dates in the document dirs, and tie that to when the document was actually used?
I didn’t look into that.
That might be helpful, if you have an idea of the time of the campaign, or when the document was delivered…