Usr6 Posted April 16, 2013 Report Share Posted April 16, 2013 In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let’s do a quick analysis on the document…Here we see the Word document with an embedded object:Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious.A little ways down, we can see a NOP sled.Let’s use OfficeMalScanner to extract the objects and confirm our suspicions.Looks like we have to use RTFScan instead. RTFScan tell us that there are matching shellcode signatures in the OBJDATA section. Then it dumps a single OLE object and suggests that we run OfficeMalScanner again.The OLE object is rather small considering the original “file.doc” file is 791KB. Something is wrong. Here’s what the OLE file looks like:Let’s have a look at the original Word file again. This time we notice the magic for Word in hexcode.What if we strip away the original RTF headers and make this file look like a Word document? Maybe then OfficeMalScanner can extract the hidden binaries. With a hex editor, we do just that.Since this is hex, we need to convert it to binary and write it out to a file.We can open this file called “file.doc_” which has the Word magic at the beginning. Now we copy the rest of the binary code from the original “file.doc” file and paste it to the bottom.Now let’s run OfficeMalScanner on this modified file using its scan and brute options…and hope this actually works. Great it does!OfficeMalScanner finds the XOR key and is able to extract two embedded files.The first file appears to be a Word document.And opens in Word with a warning.The other file is an executable.You can actually do this the long way and carve out the embedded objects from the Word document manually but this would take more time than what’s necessary. Thanks to Frank Boldewin’s tool and a little tweaking, we can get the job done fast!The exploit used is CVE-2012-0158 and seems to have very good coverage on VirusTotal (31 / 46). Here is the tool I used to recreate the malicious Word document. Actually I found two. It would be irresponsible to share these files so don’t bother asking. Sorry!Filename: Word-2013.1.8.exe MD5: ea7084ef5faa8c7721ab163cb6cb58d2Filename: MS10-087.exe MD5: 2898479123b90278cfc7b30ddd9c4bd6Sursa:Dissecting a Malicious Word Document | Kahu Security 1 Quote Link to comment Share on other sites More sharing options...
em Posted May 14, 2013 Report Share Posted May 14, 2013 Are careva idee ce surse au oamenii ??tia? Cum de dac? caut acele dou? executabile pe google (dupa md5) nu gasesc nimic. Forumuri closed? Quote Link to comment Share on other sites More sharing options...
cybervu Posted May 14, 2013 Report Share Posted May 14, 2013 Se poate si cu metasploit http://rwx.biz.nf/code/download/ms10_087_pfragments_rtf.rbMicrosoft Word RTF pFragments Stack Buffer Overflow (File Format)Description This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. The Office 2010 windows 7 target requires that the victim has winword.exe open for a few seconds before they open the file. The file still can be double clicked if winword.exe has been opened for the said time. Quote Link to comment Share on other sites More sharing options...
