Tuesday, 14 June 2016

Macro Based Documents Hiding Code in Plain Sight

Recently we have seen malware authors leverage a variety of techniques to hide their malicious code in different places inside malicious MS Office files.

For instance, the use of malicious macros that read their payload from the following locations is already documented on the Internet:

1. MS Office Forms.
2. File metadata.

Data fetched from these locations is then used to carry out further malicious activity. The hidden data could be an encoded URL, a filename, a PowerShell command, and so on.

I came across some interesting macro-based documents recently which hid the complete binary inside the document, in plain sight, in a clever way. The binary was XOR-encrypted with a single-byte key, and the entire encrypted binary was stored in the main Word document in the form of paragraphs.

MD5 hash: 5ae43f2714e646f28c7adef66247a0ba

When the Word Document is opened, it will appear as shown in Figure 1:


Figure 1: Main page of the Word Document

The Word document in this case had 20 pages in total, but all of them appear blank. The message shown on page 1 is the usual lure used by malware authors to prompt the user to enable macros so that the malicious code can run.

Now, let's look at the macro code in Figure 2:


Figure 2: Macro Code Iterating over ActiveDocument.Paragraphs

In the macro code above, we can see that it iterates over the paragraphs of the document and uses their content to decrypt and drop an executable on the machine.

It iterates over the paragraphs using ActiveDocument.Paragraphs and reads the content of each paragraph through its Range.Text property. After paragraph number 24, each byte is read and XOR-decrypted with the key 0xFF (a single-byte XOR is its own inverse, so the same loop would also have produced the encrypted text). The decrypted data is written to the output file, which is later executed.
The binary is dropped at the path C:\Documents and Settings\All Users\Memsys\ with the filename ms.exe. That hardcoded directory and filename are a convenient host-based indicator for this sample.
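To reproduce the macro's extraction logic outside Word, here is an added example written for this post (it is not the sample's macro, nor code from the original write-up). It assumes an OOXML (.docx) container, where paragraphs are `<w:p>` elements in `word/document.xml`; the post does not say whether the sample was .doc or .docx. It also assumes the paragraph text carries the encrypted bytes either as hex digits or as one Latin-1 character per byte, because the post does not state the representation; the key (0xFF) and the paragraph offset (24) are the ones the post describes. The sample document it parses is constructed inline.

```python
"""Pull an XOR-encrypted payload out of Word paragraphs and decrypt it.

Added example, not the sample's macro. Assumptions (labelled):
  * OOXML container: paragraphs are <w:p> in word/document.xml;
  * paragraph text is hex digits, or one Latin-1 code point per byte
    (the post does not say which the sample used);
  * key 0xFF and "skip the first 24 paragraphs" come from the post.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
XOR_KEY = 0xFF
SKIP_PARAGRAPHS = 24  # the macro starts reading after paragraph 24


def document_paragraphs(docx_bytes):
    """Text of every <w:p>, in order: the equivalent of iterating
    ActiveDocument.Paragraphs and taking Range.Text (without the trailing CR)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    paras = []
    for p in root.iter("{%s}p" % W_NS):
        paras.append("".join(t.text or "" for t in p.iter("{%s}t" % W_NS)))
    return paras


def paragraph_bytes(text):
    """Map paragraph text to bytes (assumption: hex if it looks like hex,
    otherwise one Latin-1 code point per byte). A short plain-text paragraph
    such as 'cafe' is ambiguous; confirm the representation against the
    document before trusting auto-detection."""
    compact = re.sub(r"\s+", "", text)
    if compact and len(compact) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return bytes.fromhex(compact)
    return text.encode("latin-1", errors="replace")


def xor_decrypt(data, key=XOR_KEY):
    """Single-byte XOR; applying it twice returns the input."""
    return bytes(b ^ key for b in data)


def extract_payload(docx_bytes, skip=SKIP_PARAGRAPHS, key=XOR_KEY):
    """Concatenate the bytes of every paragraph after `skip`, then decrypt."""
    paras = document_paragraphs(docx_bytes)
    enc = b"".join(paragraph_bytes(p) for p in paras[skip:])
    return xor_decrypt(enc, key)


def looks_like_pe(blob):
    """Cheap sanity check on the result: MZ header and PE\\0\\0 at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe():
    """Constructed stand-in for a dropped executable: just enough header
    for looks_like_pe() to pass. Not a real binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"constructed stand-in for the rest of the image"


SAMPLE_PAYLOAD = fake_pe()


def build_sample_docx(payload=SAMPLE_PAYLOAD, chunk=32):
    """Constructed test document: one lure paragraph, 23 empty paragraphs,
    then the XOR-encrypted payload as hex, `chunk` bytes per paragraph.
    Only word/document.xml is written (enough for the parser above, not a
    complete package Word would open)."""
    enc_hex = xor_decrypt(payload).hex()
    lure = ["This document is protected. Enable content to view it."]
    lure += [""] * (SKIP_PARAGRAPHS - 1)
    chunks = [enc_hex[i:i + 2 * chunk] for i in range(0, len(enc_hex), 2 * chunk)]
    body = "".join(
        '<w:p><w:r><w:t xml:space="preserve">%s</w:t></w:r></w:p>' % escape(t)
        for t in lure + chunks)
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    out = extract_payload(doc)
    print("paragraphs:", len(document_paragraphs(doc)), "payload bytes:", len(out),
          "PE header:", looks_like_pe(out))
```

Against a real sample, replace `build_sample_docx()` with the file's bytes and, if the macro used a different key or offset, pass them to `extract_payload`; the MZ/PE check at the end is what tells you the offset and representation guess was right.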
Now, let us look at the main document once again, this time selecting the apparently empty region below the text on page 1 and changing the highlight colour in Word. When we do this, the encrypted binary becomes visible, as shown in Figure 3.



Figure 3: Encrypted Code hidden in the Document

So the malware author placed the entire encrypted payload in the document as white text on a white background so that it appears invisible.

The advantage of hiding the encrypted code in the document as paragraphs, instead of embedding it in the macro, is that it evades static signatures that only scan the macro. Most such signatures look for long hex-encoded strings in the macro or for MZ/PE header patterns. Since the binary is not present in the macro at all, those checks find nothing; the macro itself contains only a short decryption loop. The payload is still in the file, though: tooling that extracts the document text as well as the VBA project, and flags unusually long or high-entropy runs of characters in it, can still surface it.

It is evident that malware authors continue to come up with new techniques for hiding their code.