- Training 3: Identify Office Malware anti-analysis methods
- Office malware sample (for educational purposes) with 15 anti-analysis methods, created by Greg Linares @laughing_mantis & Dagmar Knechtel @digbei
- https://www.virustotal.com/en/file/d49b2f735d5d4334653d705cb0ff837af88a4981253fb68c6d927745d97a1b3f/analysis/1498586723/
- Download link for those without a VirusTotal Pro account. The .RAR password is: infected666
- https://drive.google.com/file/d/0B9382tXe9pdKZFZNLUJCVTV2Vm8/view
- Analysis of the sample by @JohnLaTwC, aka John Lambert, General Manager of the Microsoft Threat Intel Centre
- https://pastebin.com/fmkRDeVM
- 1. Runs on Document_Close
- 2. Use of comments to hide from visual inspection, e.g. ' Legacy User Account Support - Feb 2017 - See Help Notes For Documentation
- 3. Storing function names in document variables, e.g. ThisDocument.Variables.Item("RegisterProduct") == Run
- 4. Indirect execution, e.g. CallByName to Application.Run to invoke User_Sync
- 5. Use of conditional compilation directives so the code does not run: #If Not Win32 Then, #If Mac = 1 Then
- 6. Check on the input file name length, e.g. is it a hash? If Len(Me.Name) > 16 Then
- 7. Use of Application.OrganizerRename to rename the VBA project to impair debugging (e.g. https://twitter.com/Laughing_Mantis/status/759069904104361984)
- 8. Check to abort if the Microsoft Visual Basic For Applications window is visible
- 9. Use of AppSendMessage (aka Task.SendWindowMessage) with &H10, 1, 0 and &H2, 1, 0 to save and exit
- 10. Application.Run calls to FluffyClouds to clear out control variables via ActiveDocument.Variables.Item(i).Delete
- 11. Detect delays (e.g. due to interactive debugging) and exit: If (T2 - CallTimer) > vbNormal Then
- 12. Use of SendKeys to exit VBA, e.g. ActiveDocument.Variables("SalesPipeline").Value == SendKeys and ActiveDocument.Variables("Synergy").Value == %{F11}
- 13. Force hiding of VBA in a loop. e.g. Loop Until Tasks(ActiveDocument.Variables("DailyTaskLog")).Visible = False
- 14. Check if the VBA editor is on a large screen (e.g. a malware analyst's =) ). If Application.WordBasic.AppInfo(7) > 1000 Then ' aka Application.UsableHeight
- 15. Office version check: If CInt(Application.WordBasic.AppInfo(2)) >= (vbDirectory - vbHidden) Then (i.e. > 14)
- 16. Check date and abort if July or later. If DateTime.Month(Now) > 6 Then
- 17. Get PROGRAMFILES and abort if there are fewer than 30 subdirectories (e.g. it must be an analysis VM with few apps), via CallByName with ActiveDocument.Variables("EmployeeID") == Environ$, ActiveDocument.Variables("ManagerName").Value == ProgramFiles and ActiveDocument.Variables("GetMgmtName") aka CountDirectories
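A triage scanner for extracted VBA source that flags the indicators listed above, added here as an example and not part of the training material or the Hephaestus project; the labels, regexes, threshold and the macro fragment it is run against are constructed for this example.

```python
import re

# One regex per anti-analysis trick from the list above (constructed for this example;
# widen them against your own macro corpus before relying on them).
INDICATORS = {
    "auto_exec_on_close":      r"\bSub\s+Document_Close\b",
    "names_in_doc_variables":  r'\bVariables(?:\.Item)?\s*\(\s*"',
    "indirect_execution":      r"\bCallByName\b|\bApplication\.Run\b",
    "conditional_compilation": r"^\s*#If\b",
    "filename_length_check":   r"\bLen\s*\(\s*Me\.Name\s*\)",
    "project_rename":          r"\bOrganizerRename\b",
    "vbe_window_check":        r"Microsoft Visual Basic For Applications",
    "window_message_exit":     r"\bSendWindowMessage\b|\bAppSendMessage\b",
    "variable_cleanup":        r"\bVariables\.Item\s*\([^)]*\)\.Delete\b",
    "timing_check":            r"\bTimer\b",
    "sendkeys_exit":           r"\bSendKeys\b|%\{F11\}",
    "screen_size_check":       r"\bAppInfo\s*\(\s*7\s*\)|\bUsableHeight\b",
    "office_version_check":    r"\bAppInfo\s*\(\s*2\s*\)",
    "date_check":              r"\bMonth\s*\(\s*Now\s*\)",
    "programfiles_dir_count":  r"\bEnviron\$?\s*\(|\bProgramFiles\b",
}
# VBA is case-insensitive, so every pattern is matched case-insensitively.
_COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in INDICATORS.items()}

def scan_vba(source: str) -> dict[str, list[int]]:
    """Map each indicator that fires to the 1-based line numbers where it fires."""
    # Comments are deliberately not stripped: the sample hides code behind
    # innocuous-looking comments, so a commented line still belongs in the report.
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, rx in _COMPILED.items():
            if rx.search(line):
                hits.setdefault(label, []).append(lineno)
    return hits

def triage(source: str, threshold: int = 3) -> str:
    """One environment check is common in legitimate macros; several together are not."""
    return "suspicious" if len(scan_vba(source)) >= threshold else "benign-ish"

# Constructed macro fragment mirroring a few of the tricks above (not the real sample).
SAMPLE_VBA = """\
Private Sub Document_Close()
    ' Legacy User Account Support - Feb 2017 - See Help Notes For Documentation
    #If Not Win32 Then
        Exit Sub
    #End If
    If Len(Me.Name) > 16 Then Exit Sub
    If Application.WordBasic.AppInfo(7) > 1000 Then Exit Sub
    CallByName Application, ThisDocument.Variables.Item("RegisterProduct"), VbMethod, "User_Sync"
End Sub
"""
```

Run `scan_vba` on macro text dumped from a document (for instance with olevba's output); a single hit is weak evidence, the combination and the placement in Document_Close are what matter.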
- Related
- Hephaestus is the tool that generated the sample I shared https://github.com/glinares/Hephaestus
- "Next Gen Office Malware v2.0" presentation slides @HushCon
- https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/