Tier I and Tier II Static Malware Analysis using SANS SIFT and REMNUX Toolsets

Page 1: Tier I and Tier II Static Malware Analysis using SANS SIFT and REMNUX Toolsets

Static Malware Analysis SOP

This document is targeted at Tier I and Tier II malware analysts. It does not cover dynamic malware analysis, which requires detonating the sample on a live, sacrificial system that is deliberately allowed to be compromised.

This document will cover how to analyze the following: Suspected malicious PDF files, suspected malicious Office documents, and suspicious executables.

The tools required are:
SANS SIFT VM with REMNUX tools installed
Olevba.py – for Office document analysis
Pyew.py – for PDF, Office document, and malicious executable analysis
UPX – for unpacking executables
xorBruteForcer.py – for further deobfuscation of malicious executables and their payloads
ghex – for looking at a raw binary
strings – for pulling text out of a file

Part I: Malicious PDF Analysis

Of course, our first stop is usually VirusTotal to see if anyone else has seen this before. Look the file up by its hash rather than uploading it, so the attacker is not tipped off that their sample is under analysis. In this case, the detections for infected.pdf identify it as a “heap spray” attack.

Figure 1 - VirusTotal positive hits for infected.pdf

Opening infected.pdf with pyew, we can already see that there is some JavaScript inside.

USAGE: pyew.py infected.pdf

Figure 2 - pyew.py shows some Javascript inside the pdf

Running the “pdfview” command from inside pyew lets us actually read the JavaScript. In this case it is suspicious and appears to be hiding some sort of shellcode. JavaScript in a PDF is not malicious by itself, but obfuscated JavaScript combined with the VirusTotal detections is enough to classify this file as malware at Tier I/II. Tier III personnel will have the tools and expertise to deobfuscate the JavaScript and determine exactly what it does.

Figure 3 - pdfview shows us the Javascript embedded inside.

Here we see obfuscated JavaScript that is difficult to decode unless you are very familiar with JavaScript: a strangely named function and a variable named “large_hahacode”, which appears to hold the shellcode being sprayed.
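The keyword check behind pyew's JavaScript finding can be done by hand, and it is worth knowing the one trick that defeats a plain grep: PDF name objects may be hex-escaped, so /J#61vaScript is the same name as /JavaScript. The script below is an added example for this SOP, not code from the page or from pyew; the sample PDF it scans is constructed inline (a one-page file whose OpenAction runs JavaScript) and is not the page's infected.pdf.

```python
"""Tier I PDF triage: count the PDF name objects that carry active content.

Added example for this SOP (not part of the original page and not pyew's code).
It reproduces the check pdfid-style tools do, including undoing the #xx hex
escape that lets /J#61vaScript hide from a naive grep for /JavaScript.
The sample PDF below is constructed; it is not the page's infected.pdf.
"""
import re

# Name objects worth a closer look; /JavaScript, /JS and /Launch mean active content.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a one-page PDF whose OpenAction runs JavaScript, with the
# /JavaScript name hex-escaped as an attacker would to evade keyword scanners.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (var large_hahacode = unescape("%u9090%u9090"); ) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript and /JavaScript compare equal.
    Applied to the whole file for simplicity; a stray #xx inside a stream
    would also be decoded, which does not matter for counting names."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each risky name.  A name only counts when a
    PDF delimiter or whitespace follows it, so /JS does not match /JSfoo."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?=[\s/<>\[\](){}%])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def verdict(counts: dict) -> str:
    """Tier I decision rule: active content escalates, auto-actions get a review."""
    if counts["/JavaScript"] or counts["/JS"] or counts["/Launch"]:
        return "escalate: active content present"
    if counts["/OpenAction"] or counts["/AA"]:
        return "review: automatic actions present"
    return "no static indicators"


if __name__ == "__main__":
    found = scan_pdf(SAMPLE_PDF)
    print("naive grep sees /JavaScript:", b"/JavaScript" in SAMPLE_PDF)
    print({k: v for k, v in found.items() if v})
    print(verdict(found))
```

On the constructed sample a raw search for /JavaScript finds nothing, while scan_pdf reports one /JavaScript, one /JS and one /OpenAction, which is exactly the combination (script plus something that triggers it on open) that justifies escalation.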

Part II: Malicious Office Documents

Analysis of these is fairly simple, but what is visible in a legacy binary .xls document is not visible in the newer .xlsm format, which is a ZIP container of XML parts.

We will look at two Excel workbooks carrying the same basic exploit, one an .xls document and the other an .xlsm document. The exploit here is a VBA macro that opens notepad.exe and pings 127.0.0.1.

Running “strings” against the malware.xls file gives fairly obvious results, as we clearly see the references to notepad.exe and 127.0.0.1.

Figure 4 - strings against a .xls file

But running strings against the malware.xlsm file does not.

Figure 5 - strings against the new Office XML-based format

A more reliable tool is olevba.py. It is very easy to use and quickly extracts VBA macros. As you can see below, it shows what the macro does and even gives you a list of IOCs you can use to determine how widespread this is on your network.

Figure 6 - olevba output against a .xls Office document

Here we can see the same items that “strings” found for us in the original .xls.

Figure 7 - olevba.py against an xlsm document

Here we can see the reference to vbaProject.bin, the compressed entry inside the .xlsm ZIP container that holds the macro project. Because the entry is deflated, its contents never appear as cleartext in the raw file, which is why “strings” finds nothing in .xlsm documents.

From the olevba.py report, we can determine that these documents contain malicious VBA macros and pass them along for Tier III malware analysis with our findings.
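To see why strings fails on the .xlsm but olevba.py does not, the script below builds a minimal OOXML-shaped ZIP in memory, runs a strings-style scan over the raw bytes, and then over the vbaProject.bin entry read through the container. This is an added example, not code from the page or from olevba; the workbook and its macro text are constructed stand-ins for malware.xlsm (a real vbaProject.bin is an OLE file whose VBA source is additionally MS-OVBA compressed, the layer olevba.py decodes), and the "has_macros" rule simply keys on the presence of that entry.

```python
"""Why `strings` misses the macro in a .xlsm: the file is a ZIP container and
xl/vbaProject.bin is stored deflated, so the cleartext never appears in the
raw bytes.  Added example (not the SOP's or olevba's code).  The workbook is
built in memory here; it stands in for the page's malware.xlsm and its
vbaProject.bin is plain text, whereas a real one is an OLE file with the VBA
source further MS-OVBA compressed (the layer olevba.py decodes).
"""
import io
import re
import zipfile

# Constructed macro text, modelled on the page's notepad.exe / 127.0.0.1 sample.
FAKE_VBA_PROJECT = (
    b'Attribute VB_Name = "ThisWorkbook"\r\n'
    b'Sub Workbook_Open()\r\n'
    b'    Shell "cmd /c notepad.exe & ping 127.0.0.1", vbHide\r\n'
    b'End Sub\r\n'
    b'Sub Auto_Open()\r\n'
    b'    Shell "cmd /c notepad.exe & ping 127.0.0.1", vbHide\r\n'
    b'End Sub\r\n'
)


def build_sample_xlsm() -> bytes:
    """Minimal OOXML-shaped ZIP with a deflated vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", FAKE_VBA_PROJECT)
    return buf.getvalue()


def strings(data: bytes, min_len: int = 4) -> list:
    """Same rule as strings(1) by default: printable ASCII runs of >= 4 bytes."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_ooxml(data: bytes) -> dict:
    """Open the container, flag a macro stream, and pull strings from it."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = z.namelist()
        macro_parts = [n for n in parts if n.lower().endswith("vbaproject.bin")]
        inner = []
        for n in macro_parts:
            inner.extend(strings(z.read(n)))
    return {"has_macros": bool(macro_parts), "parts": parts, "macro_strings": inner}


def compare_visibility(data: bytes, needle: str = "notepad.exe") -> dict:
    """Is `needle` visible to strings on the raw file vs. inside the container?"""
    raw_hit = any(needle in s for s in strings(data))
    inner_hit = any(needle in s for s in triage_ooxml(data)["macro_strings"])
    return {"raw": raw_hit, "inside_container": inner_hit}


if __name__ == "__main__":
    sample = build_sample_xlsm()
    print([s for s in strings(sample) if "vbaProject" in s])   # the only clue strings gives
    print(compare_visibility(sample))
```

The only thing strings recovers from the raw file is the entry name xl/vbaProject.bin from the ZIP directory, which is the same clue Figure 7 shows; the notepad.exe command is visible only after the entry is inflated.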

Part III: Malicious Executable Analysis

This is by far the most difficult and time-consuming. Obfuscation and evasion techniques such as packing and XOR-encoding of contents make it hard to see what the file is doing or to generate a list of IOCs (indicators of compromise).

We will be using a piece of malware known as “Frethog”, a keylogger and password stealing program.

When we open it with “pyew.py”, we don't see much, and when we run the pyew command “packer”, we can see why. It is packed with UPX in an attempt to evade analysis.

Figure 8 - pyew "packer" analysis of an .exe file

Running “strings” against a packed file gives us very little, so we have to unpack this file.

Figure 9 - strings run against a UPX packed file

To “unpack” the file we use the UPX program.

USAGE: upx -d -k fethog.000 (-d = decompress, -k = keep a backup copy)

This leaves the unpacked file as fethog.000 for analysis, while the packed original is kept as fethog.00~.

Figure 10 - using UPX to unpack a malicious executable

Now we can look at it with pyew again and re-run the packer check; this time pyew identifies it as a Visual Basic executable.

Figure 11 - pyew analysis of the unpacked malware

And we can see “strings” gives us better results now

Figure 12 - strings analysis against the unpacked file
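The packer check pyew performs can be reproduced from the PE header alone, and adding a per-section entropy measurement catches packers that are not in any signature list (a section at close to 8 bits per byte is compressed or encrypted, not code). The script below is an added example, not code from the page or from pyew. build_sample_pe() fabricates just enough PE structure (MZ stub, PE signature, COFF header, zeroed optional header, section table) for header parsing; the samples are constructed, are not loadable executables, and are not the page's fethog.000.

```python
"""Packer check on a PE without pyew: read the section table, look for the
UPX section names and "UPX!" marker, and measure per-section entropy, which
flags packers pyew's signature list does not know.  Added example (not the SOP's
or pyew's code).  build_sample_pe() fabricates just enough PE structure for
header parsing; the samples are constructed, are not loadable executables,
and are not the page's fethog.000.
"""
import math
import struct
from collections import Counter


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for compressed/encrypted data,
    well under 6 for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        sections.append({"name": name,
                         "entropy": round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2)})
    return sections


def packer_verdict(data: bytes) -> str:
    """UPX by name/marker first, then a generic high-entropy heuristic."""
    sections = pe_sections(data)
    names = {s["name"] for s in sections}
    if names & {"UPX0", "UPX1", "UPX2"} or b"UPX!" in data:
        return "UPX (section names or UPX! marker present)"
    if any(s["entropy"] > 7.0 for s in sections):
        return "probably packed: high-entropy section, packer unknown"
    return "no packer indicators"


def build_sample_pe(sections) -> bytes:
    """Constructed PE skeleton: MZ stub, PE signature, COFF header, zeroed PE32
    optional header (224 bytes), section table, then the raw section bytes."""
    num, opt_size, pe_off = len(sections), 224, 0x40
    data_off = pe_off + 24 + opt_size + 40 * num
    out = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, num, 0, 0, 0, opt_size, 0x0102)
    out += b"\0" * opt_size
    body = b""
    for name, raw in sections:
        out += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), 0x1000,
                           len(raw), data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return out + body


if __name__ == "__main__":
    packed = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 16 + b"UPX!")])
    clean = build_sample_pe([(".text", b"Sub Main()\r\n" * 200)])
    for label, sample in (("packed", packed), ("clean", clean)):
        print(label, pe_sections(sample), "->", packer_verdict(sample))
```

Run the same check on the file before and after upx -d: the UPX0/UPX1 names and the 8-bit-per-byte section disappear, and the unpacked .text section comes back at the low entropy typical of code, which is the same change pyew and strings show in Figures 11 and 12.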

BONUS ROUND

However, this file also uses single-byte XOR to hide its payload, so we use xorBruteForcer.py to try every one of the 256 possible keys against its contents and see if anything works. Once you see some entries with cleartext, you know you have found the right key; in this case, the key was 0x20. We then run xorBruteForcer.py again with that key specified and get some more valuable information.

USAGE: xorBruteForcer.py fethog.000 - tries all key combinations; inspect the output for cleartext to determine the key.
USAGE: xorBruteForcer.py -k 20 fethog.000 - -k specifies the key to use.

Figure 13 - output of xorBruteForcer against the unpacked malware

Now we see references to www.yswm.net, www.ahwm.net, and a couple of other URLs; the malware reaches out to them to pull down file.txt. These are additional IOCs (indicators of compromise) that we can use to check whether any other computers on our network have been trying to reach these sites.

Further analysis of this de-XOR'd file will yield even more IOCs that we can provide to SOC analysts to investigate.
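The "look for cleartext" step of the bonus round can be automated so the analyst does not have to eyeball 255 candidate dumps: score every key by the keyword hits and printable runs it produces, then carve URL-looking strings from the winner. The script below is an added example and not xorBruteForcer.py's code; the sample is a constructed downloader-style string XOR'd with 0x20, the key the page found, and the hostnames are reserved example names rather than the page's IOCs.

```python
"""Single-byte XOR brute force with plaintext scoring, the approach the SOP
applies with xorBruteForcer.py: try all 256 keys, rank candidates by how much
cleartext they contain, then carve IOCs from the winner.  Added example (not the
tool's code).  The sample is a constructed string XOR'd with 0x20, the key the
page found; the hostnames are reserved example names, not the page's IOCs.
"""
import re

# Fragments a C2 config or downloader string usually contains.
KEYWORDS = (b"http", b"www.", b".exe", b".dll", b".txt", b"GET ", b"User-Agent")
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
_URL = re.compile(rb"(?:https?://)?www\.[a-z0-9.-]+\.[a-z]{2,}(?:/[\w./-]*)?")

# Constructed sample: what a deobfuscated downloader string might look like,
# then XOR'd with 0x20 so the block can demonstrate recovering that key.
PLAINTEXT = b"GET http://www.example.invalid/file.txt\nalso try www.example.test/file.txt\n"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


SAMPLE = xor_bytes(PLAINTEXT, 0x20)


def score(candidate: bytes) -> int:
    """Keyword hits weigh most; long printable runs break ties.  XOR with 0x20
    flips ASCII case and turns spaces into NULs, so the wrong keys lose both
    the keywords and most of the runs."""
    hits = sum(candidate.count(k) for k in KEYWORDS)
    runs = len(_PRINTABLE_RUN.findall(candidate))
    return hits * 10 + runs


def brute_force_xor(data: bytes, top: int = 3) -> list:
    """Return the `top` (key, score) pairs, best first.  Key 0 is the identity
    and is skipped.  This covers single-byte XOR only; a multi-byte or rolling
    key needs a different tool."""
    ranked = sorted(((k, score(xor_bytes(data, k))) for k in range(1, 256)),
                    key=lambda ks: ks[1], reverse=True)
    return ranked[:top]


def extract_iocs(data: bytes, key: int) -> list:
    """Decode with the chosen key and carve URL-looking strings as IOCs."""
    plain = xor_bytes(data, key)
    return sorted({m.decode() for m in _URL.findall(plain)})


if __name__ == "__main__":
    ranking = brute_force_xor(SAMPLE)
    print("best keys:", [(hex(k), s) for k, s in ranking])
    print("IOCs:", extract_iocs(SAMPLE, ranking[0][0]))
```

On the sample the correct key scores an order of magnitude above the runner-up, which is the same separation the analyst sees by eye when one of the 255 dumps suddenly reads as text; the carved URLs are then the IOCs handed to the SOC.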