MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file
Overview of MalDoc in PDF
A file created with MalDoc in PDF can be opened in Word even though it has the magic numbers and file structure of a PDF. If a macro is configured in the file, opening it in Word runs the VBS, which performs the malicious behaviors. In the attack confirmed by JPCERT/CC, the file extension was .doc. Therefore, if .doc files are configured to open in Word in the Windows settings, a file created with MalDoc in PDF is opened as a Word file.
Please watch the video below, which shows this technique from opening the created file in Word until the network communication occurs.
Details of MalDoc in PDF
Figure 1 shows the dump view of a file created with this technique. The attacker appends an mht file, created in Word with a macro attached, after the PDF file objects and saves the result. The created file is recognized as a PDF by its file signature, but it can also be opened in Word.
Figure 1: Dump view of MalDoc in PDF
When analyzing a file created with MalDoc in PDF, there is a high possibility that PDF analysis tools such as pdfid[1] cannot detect its malicious parts, as shown in Figure 2. It should also be noted that the file performs its unintended behaviors only when opened in Word; the malicious behaviors cannot be confirmed when it is opened in a PDF viewer. Furthermore, since the file is recognized as a PDF, existing sandboxes or antivirus software may not detect it.
Figure 2: pdfid’s analysis results
Countermeasures against MalDoc in PDF
OLEVBA [2], an analysis tool for malicious Word files, is still an effective countermeasure to this technique. As shown in Figure 3, OLEVBA outputs the embedded macros, and thus the malicious parts of the file can be checked with the tool’s analysis results.
Figure 3: OLEVBA’s analysis results
Below is an example detection rule written as a Yara rule. Note that with this technique, if an Excel file is stored in the PDF, Excel displays a warning screen at startup stating that the file extension does not match, and the file is not opened in Excel unless the warning is accepted. Therefore, at the time of publication of this article, it is unlikely that Excel files are used for this technique.
rule malware_MaldocinPDF {
    strings:
        $docfile2 = "<w:WordDocument>" ascii nocase
        $xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
        $mhtfile0 = "mime" ascii nocase
        $mhtfile1 = "content-location:" ascii nocase
        $mhtfile2 = "content-type:" ascii nocase
    condition:
        (uint32(0) == 0x46445025) and
        (1 of ($mhtfile*)) and
        ( (1 of ($docfile*)) or (1 of ($xlsfile*)) )
}
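As an added example (not part of the original article, and not JPCERT/CC's code), the following Python script reproduces the logic of the Yara rule above without requiring the yara library, runs it over constructed sample bytes, and additionally reports the offset at which the appended mht content begins after the PDF's last %%EOF, which is where an analyst would carve out the Word part for OLEVBA. The sample PDF and mht fragment are constructed for this example and are not real malware.

```python
# Same magic check as the article's Yara rule: uint32(0) == 0x46445025 is the
# little-endian reading of the four bytes b"%PDF" at offset 0.
PDF_MAGIC = 0x46445025

# Lower-cased strings from the rule ("nocase"); the data is lowered before matching.
MHT_MARKERS = (b"mime", b"content-location:", b"content-type:")
DOC_MARKER = b"<w:worddocument>"
XLS_MARKER = b"<x:excelworkbook>"

def is_pdf_magic(data: bytes) -> bool:
    """True when the first four bytes read as %PDF, exactly as the Yara rule checks."""
    return len(data) >= 4 and int.from_bytes(data[:4], "little") == PDF_MAGIC

def maldoc_in_pdf_verdict(data: bytes) -> dict:
    """Apply the rule's condition and locate the appended mht part.

    Returns {"match": bool, "kind": "word" | "excel" | None,
             "mht_offset": offset of the first mht marker after the last %%EOF, or None}.
    """
    lowered = data.lower()
    has_mht = any(m in lowered for m in MHT_MARKERS)
    has_doc = DOC_MARKER in lowered
    has_xls = XLS_MARKER in lowered
    match = is_pdf_magic(data) and has_mht and (has_doc or has_xls)
    kind = "word" if has_doc else "excel" if has_xls else None
    # The mht payload is appended after the PDF objects, so search only past the
    # last %%EOF; that offset is where an analyst would carve the Word part out.
    eof = lowered.rfind(b"%%eof")
    tail_start = eof + len(b"%%eof") if eof != -1 else 0
    hits = [o for o in (lowered.find(m, tail_start) for m in MHT_MARKERS) if o != -1]
    return {"match": match, "kind": kind if match else None,
            "mht_offset": min(hits) if hits else None}

# Constructed samples (not real malware): a minimal PDF skeleton, and the same
# skeleton with a Word-flavoured mht fragment appended as the article describes.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
MHT_WORD_FRAGMENT = (b"MIME-Version: 1.0\nContent-Type: multipart/related\n"
                     b"Content-Location: file:///C:/sample.htm\n\n"
                     b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
                     b"<w:WordDocument></w:WordDocument></html>\n")
POLYGLOT = BENIGN_PDF + MHT_WORD_FRAGMENT

if __name__ == "__main__":
    for name, blob in (("benign.pdf", BENIGN_PDF), ("maldoc.pdf", POLYGLOT)):
        print(name, maldoc_in_pdf_verdict(blob))
```

The mht_offset can be passed to a carving step (for example, slicing the bytes from that offset into a separate file) so that OLEVBA sees only the Word part.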
In Closing
The technique described in this article does not bypass the setting that disables automatic macro execution in Word. However, since the files are recognized as PDFs, you should be careful about the detection results if you perform automated malware analysis with tools, sandboxes, etc. Please refer to the Appendix for the C2 information and hash values of the confirmed malware.
Yuma Masubuchi and Kota Kino
(Translated by Takumi Nakano)
References
[1] pdfid.py
https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdfid.py
[2] OLEVBA
https://github.com/decalage2/oletools/wiki/olevba
Appendix A: C2 information
- https[:]//cloudmetricsapp[.]com
- https[:]//web365metrics[.]com
Appendix B: Malware hash values
- ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058
- 098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187
- 5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d
Originally published by Yuma Masubuchi (増渕 維摩): MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file