Tuesday, July 19, 2016

Cybati - Blackbox Challenge #1 - Advanced Mission #13

This post is blog post 13 of 15 of the Cybati Blackbox #1 challenge.

Mission 13:
Mission 13 (10 pts). What malware is contained in the DOCX file?

  1. This mission asks us to analyze a DOCX file and determine what malware is contained within it. Unfortunately, the file, generated with Microsoft Word for Macintosh, does not work correctly with a few standard Microsoft Office parsing tools. However, an additional tool (olevba.py) does parse this document correctly. Let’s start by following the methodology described in this article referenced from Remnux: https://dfir.it/blog/2015/06/17/analysts-handbook-analyzing-weaponized-documents/
  2. Open up a Terminal window and enter the following command (the glob is quoted so the shell passes it to find rather than expanding it in the current directory):
    find / -name '*.docx' | xargs du -sh -b

  3. The previous command searched the entire file system to determine where .docx files are located. We can also see the size of each file, and based on this, all copies of “engineering_invoice.docx” appear to be the same size.
  4. Browse to the /opt/CybatiWorks/Labs/office directory and list the contents of the directory.

  5. In this directory we see two Python scripts, “officeparser.py” and “oledump.py”. Both tools are referenced in the article mentioned earlier in these steps. If we run both tools as in the screenshots below, we can see that the Python scripts have issues with the file.

  6. If we run “file” on the engineering document, we see brief details of the file.

  7. A “docx” file is an archive comprised of multiple files that together present a Word document to the user. Since this is an archive file, we can open it up like a zipped file to see the contents. Let’s create a new subdirectory called “docx” and use the unzip command to extract the contents of the archive (engineering_invoice.docx) into the “docx” folder.
    mkdir docx
    unzip ./engineering_invoice.docx -d docx

  8. Open up a file browser window and browse to the “office” directory

  9. Double click on “docx” and then feel free to explore the files within. If you go into the “word” folder and double click on “document.xml”, you can see the text within the document suggesting that a VBA macro is present. But there are no macro sections in this document.

  10. If we go into the docx/docProps folder and double click on “thumbnail.jpeg”, we can see the same message.

  11. The Cybati virtual machine does not have olevba.py, but this is available with Remnux. If we use the olevba.py Python script against the engineering_invoice.docx file, we can see that there are no VBA macro sections. You can also download the olevba.py Python script to the Cybati virtual machine if desired.
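Steps 7 through 11 above do by hand what a small script can do in one pass: open the .docx as a zip container, list its parts, look for the two pieces of evidence that a VBA project is present (a word/vbaProject.bin part and a VBA content type declared in [Content_Types].xml), and pull the visible text out of word/document.xml. The following is an added example written for this post; it is not code from the Cybati labs or from olevba.py. It also classifies the file by magic bytes, which is what “file” does in steps 6 and 13, and which explains why an OLE2 tool and a zip-based document can disagree. To run offline it constructs two sample documents in memory (one macro-free, one macro-enabled); the body text and the placeholder vbaProject.bin bytes are constructed, not taken from engineering_invoice.docx. Point triage_docx() at the bytes of a real file to use it on disk.

```python
"""Triage an Office document: container type, part listing, macro evidence, body text.

Added example (not from the original post or the Cybati labs). The two sample
documents built below are constructed in memory so the script runs offline.
"""
import io
import zipfile
from xml.etree import ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm (zip container)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def container_type(data: bytes) -> str:
    """Classify by magic bytes, as `file` does; tells you which tool family applies."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def triage_docx(data: bytes) -> dict:
    """Unzip an OOXML document in memory and look for macro evidence and body text."""
    result = {"container": container_type(data), "parts": [], "has_vba": False,
              "vba_parts": [], "text": ""}
    if result["container"] != "ooxml-zip":
        return result                      # OLE2 or unknown: not a zip, nothing to unpack here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["parts"] = sorted(zf.namelist())
        # Evidence 1: a vbaProject.bin part anywhere in the archive.
        result["vba_parts"] = [n for n in result["parts"] if n.lower().endswith("vbaproject.bin")]
        # Evidence 2: the content-types manifest declares a VBA project part.
        if "[Content_Types].xml" in zf.namelist():
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                result["has_vba"] = True
        if result["vba_parts"]:
            result["has_vba"] = True
        # Body text: join the <w:t> runs of word/document.xml (what step 9 reads by eye).
        if "word/document.xml" in zf.namelist():
            root = ET.fromstring(zf.read("word/document.xml"))
            result["text"] = " ".join(t.text or "" for t in root.iter(W_NS + "t")).strip()
    return result


def _build_docx(body_text: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample data, not a real document)."""
    doc_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
              else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{doc_ct}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
           if with_macro else "")
        + "</Types>"
    )
    document = (
        f'<w:document xmlns:w="{W_NS[1:-1]}"><w:body><w:p><w:r>'
        f"<w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        if with_macro:
            # Placeholder bytes standing in for an OLE-wrapped VBA project; only its presence matters.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed samples: a macro-free document (as engineering_invoice.docx appeared to be)
# and a macro-enabled one, so both outcomes of the check are visible.
CLEAN_DOCX = _build_docx("Constructed sample invoice text", with_macro=False)
MACRO_DOCX = _build_docx("Constructed sample invoice text", with_macro=True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCX)):
        r = triage_docx(blob)
        print(f"{label}: container={r['container']} has_vba={r['has_vba']} parts={r['parts']}")
        print(f"  text: {r['text']!r}")
```

The vbaProject.bin part is the same thing olevba.py looks for inside an OpenXML zip, so a result of has_vba=False for engineering_invoice.docx matches what the post observes in step 11. Text that talks about macros while no VBA part exists is the combination seen in steps 9 and 10: lure wording without the payload. A document that classifies as "ole2" has no zip to unpack and is the case for the OLE-based tools (oledump.py, officeparser.py) used later in the post.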

  12. We can download a sample file from the Internet and see if that file performs as expected with the tools. For this example, a quick Google search for a sample Word document produced this link: https://www.k-state.edu/grad/etdr/template/mastersinstructions.doc. You can use this or another file and perform the same analysis as below. Save this file or another sample file to the same “office” directory.

  13. In Terminal, run “file” on the sample document.

  14. Already from the above we can see that “file” is able to retrieve more information about the sample document. Let’s try the first analysis tool on the sample document.
    ./officeparser.py mastersinstructions.doc -t

  15. According to the program’s help output, -t does the following:

  16. It appears that these tools do not perform as expected with Microsoft Word documents generated by the Apple Mac version of Microsoft Word. Regardless, there appears to be no macro code, and nothing was flagged by Malwr or VirusTotal.
  17. The oledump.py Python script also produces information.

  18. From the article, we can see that oledump.py would mark sections with VBA code, but this sample document does not appear to contain any VBA macro code.
  19. Unfortunately, we do not have the appropriate document to find the answer to Mission 13.
