Malicious Document Analysis Beginners Guide.

Transcription

1 Malicious Document Analysis Beginners Guide

2 PDF(Portable Document Format) Malicious Document Analysis 2

3 PDF Overview Adobe Systems created the Portable Document Format PDF became an open standard on July 1, 2008 Adobe borrowed heavily from the PostScript page description language Designed to bundle all objects, fonts, images and other related content into a single portable file format. Allows for creators to create dynamic elements so the users can interact with the document Very rich feature set which supports many different embedded file types (U3d, Tiff..) different compression algorithms, scripting language and many other features PDF specifications are documented but Adobe Reader isn't very strict when adhering to them First Exploit outlook.pdfworm.txt aka Peachy August Malicious Document Analysis 3

4 PDF File Structure Header : PDF Version Body : Containing series of object that are used in the document define a numbered top-level object. The first number is the object number, the second number is the revision number Cross-reference table : Specifies the position of the objects Object #1 is at offset 10 Object #2 is at offset Object #5 is at offset Malicious Document Analysis 4

5 PDF File Structure(cont) Trailer : information about where the document starts Malicious Document Analysis 5

6 PDF Object Type Boolean : true / false Number : e.g. 3 Name (/Name) names are identifier Dictionary(<< >>) : this is a unordered list of (Name, Object) pairs. Array([x y z ]) : an ordered list of object, e.g. [ ] String ((text)) : text Stream(<</Length >>stream. endstream) : embedded data, can be compressed null object Indirect reference(n r R) : reference an object, e.g. 5 0 R Malicious Document Analysis 6

7 Stream Filters The stream was here represented directly(as clear text)? This is uncommon: most streams are compressed ASCII85Decode a deprecated filter used to put the stream into 7-bit ASCII ASCIIHexDecode similar to ASCII85Decode but less compact FlateDecode a commonly used filter based on the zlib/deflate algorithm LZWDecode a deprecated filter based on LZW RunLengthDecode/DCTDecode/CCITTFaxDecode/JBIG2Decode/JPXDec ode Malicious Document Analysis 7

8 PDF Analysis Tools pdf-parser.py by Didder Stevens pdfid.py by Didder Stevens peepdf.py by Jose Miguel Esparza pdftk by pdflabs appp.py by inreverse Malicious Document Analysis 8

9 PDF Analysis Analysis using Hex Editor? Analysis Process Search /Javascript Identify objects Dump/Decode objects Analyze script Malicious Document Analysis 9

10 PDF Analysis using pdf-parser.py (cont) Search : -s /Javascript Identify/Dump : -o ObjectID -f Malicious Document Analysis 10

11 Office Files Malicious Document Analysis 11

12 Office File Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file. Data can be storage (folder) and stream (file). Excel stores data inside the workbook stream. PowerPoint stores data inside the PowerPoint Document stream. Word stores data inside various streams. First Exploit CVE Office 98 Mac Edition

13 OLESS OLESS Header FAT FS SectorNumbers OLESS directory entries Data is divided into directories folder(storages) and files (streams) Depending on the application streams may contain Macros Graphics Tables Sounds Animations. Parsing can be done using the Win32 COM API (StgOpenStorage(), IStorage methods, IStream methods) Malicious Document Analysis 13

14 Malicious MS Office document structure Malicious Document Analysis 14

15 Analysis Tools OfficeMalScanner locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files. MalHost-Setup extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner) Offvis shows raw contents and structure of an MS Office file, and identifies some common exploits. Hachoir-urwid can navigate through the structure of binary Office files and view stream contents. Office Binary Translator converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool). pyolescanner.py can examine and decode some aspects of malicious binary Office files. FileHex (not free) and FileInsight hex editors can parse and edit OLE structures Malicious Document Analysis 15

16 Microsoft Office Low Hanging Indicators ASCII HEX Shellcode (nop slide) Embedded Adobe SWF Malicious Document Analysis 16

17 OffVis Malicious Document Analysis 17

18 OfficeMalScanner OfficeMalScanner is a forensic tool for analysts to find malicious traces in MS Office documents. Scan mode Shellcode/Action Scan, Suspicious Strings(UrlDownloadToFile, GetTempPath, WinExec, ) Info mode The INFO mode dumps OLE structures, offsets, length and saves found VB-Macro code to disk Inflate mode(office 2007~) Decompresses Ms Office 2007 documents, into a temp dir and marks potentially malicious files. Documents with macros included (docm, pptm and xlsm) contain.bin files, usually vbaproject.bin (Old MSOffice format) Such files could host malicious macro code and can extracted using the OfficeMalScanner INFO mode. Switch brute/debug Malicious Document Analysis 18

19 OfficeMalScanner : Scan mode GetEIP Find Kernel32 base Find SEH(Structured Exception Handling) API Hashing Indirect Function Call Suspicious Strings Decrypt Trick Embedded OLE Data Function Prolog PE Signature Malicious Document Analysis 19

20 OfficeMalScanner : Inflate mode Malicious Document Analysis 20

21 Thanks Malicious Document Analysis 21