PDF 格式的 MalDoc 概述
A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF. If the file has configured macro, by opening it in Word, VBS runs and performs malicious behaviors. In the attack confirmed by JPCERT/CC, the file extension was .doc. Therefore, if a .doc file is configured to open in Word in Windows settings, the file created by MalDoc in PDF is opened as a Word file.
在PDF中使用MalDoc创建的文件可以在Word中打开,即使它具有PDF的幻数和文件结构。如果文件已配置宏,则通过在 Word 中打开它,VBS 将运行并执行恶意行为。在JPCERT/CC确认的攻击中,文件扩展名.doc。因此,如果.doc文件配置为在 Windows 设置中的 Word 中打开,则 MalDoc 在 PDF 中创建的文件将作为 Word 文件打开。
Please watch the below video of this technique, from opening the created file in Word until the communication occurs.
请观看此技术的以下视频,从在Word中打开创建的文件到进行通信。
When analyzing a file created with MalDoc in PDF, there is a high possibility that PDF analysis tools such as pdfid[1] cannot detect its malicious parts, as shown in Figure 2. In addition, it should be noted that this file performs unintentional behaviors when opened in Word, while malicious behaviors cannot be confirmed when it is opened in PDF viewers, etc. Furthermore, since the file is recognized as a PDF file, existing sandbox or antivirus software may not detect it.
在分析使用 MalDoc 创建的 PDF 文件时,pdfid[1] 等 PDF 分析工具很可能无法检测到其恶意部分,如图 2 所示。此外,应该注意的是,该文件在Word中打开时会执行无意的行为,而在PDF查看器中打开时无法确认恶意行为等。此外,由于该文件被识别为 PDF 文件,因此现有的沙盒或防病毒软件可能无法检测到它。
针对 PDF 格式的 MalDoc 的对策
OLEVBA [2], an analysis tool for malicious Word files, is still an effective countermeasure to this technique. As shown in Figure 3, OLEVBA outputs the embedded macros, and thus the malicious parts of the file can be checked with the tool’s analysis results.
OLEVBA [2],一种针对恶意Word文件的分析工具,仍然是这种技术的有效对策。如图 3 所示,OLEVBA 输出嵌入的宏,因此可以使用工具的分析结果检查文件的恶意部分。
The below is an example of a detection rule created using Yara rule. In this method, if an Excel file is stored in a PDF file, a warning screen is displayed when Excel starts up, stating that the file extension is different, and the file will not be opened in Excel unless the warning is accepted. Therefore, at the time of the release of this article, it is unlikely that Excel files are used for this technique.
下面是使用 Yara 规则创建的检测规则的示例。在此方法中,如果Excel文件存储在PDF文件中,则在Excel启动时会显示警告屏幕,指出文件扩展名不同,除非接受警告,否则该文件将不会在Excel中打开。因此,在本文发布时,Excel 文件不太可能用于此技术。
rule malware_MaldocinPDF {
strings:
$docfile2 = "<w:WordDocument>" ascii nocase
$xlsfile2 = "<x:ExcelWorkbook>" ascii nocase
$mhtfile0 = "mime" ascii nocase
$mhtfile1 = "content-location:" ascii nocase
$mhtfile2 = "content-type:" ascii nocase
condition:
(uint32(0) == 0x46445025) and
(1 of ($mhtfile*)) and
( (1 of ($docfile*)) or
(1 of ($xlsfile*)) )
}
In Closing 结语
The technique described in this article does not bypass the setting that disables auto-execution in Word macro. However, since the files are recognized as PDFs, you should be careful about the detection results if you are performing automated malware analysis using some tools, sandbox, etc. Please refer to the Appendix for the C2 information and hash values of the confirmed malware.
本文中介绍的技术不会绕过在 Word 宏中禁用自动执行的设置。但是,由于文件被识别为 PDF,因此如果您使用某些工具、沙盒等执行自动恶意软件分析,则应注意检测结果。有关已确认恶意软件的 C2 信息和哈希值,请参阅附录。
Refer
https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdfid.py
https://github.com/decalage2/oletools/wiki/olevba
Appendix A: C2 information 附录 A:C2 信息
-
https[:]//cloudmetricsapp[.]comhttps[:]//cloudmetricsapp[.].com
-
https[:]//web365metrics[.]comhttps[:]//web365metrics[.].com
Appendix B: Malware hash value 附录 B:恶意软件哈希值
-
ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058EF59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058
-
098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187
-
5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d
原文始发于微信公众号(Eonian Sharp):[YA-16] 通过将恶意 Word 文件嵌入到 PDF 文件中来绕过检测