We've recently released our malware document scanner tool called Cryptam (which stands for cryptanalysis of malware). This system scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables, whether encrypted or not. Because most embedded malware executables use XOR keys of varying length together with ROL/ROR obfuscation to evade traditional A/V detection, we focus on detecting the embedded executable rather than the exploit itself.
A typical Cryptam report visually shows the three critical pieces of the cryptanalysis performed. The first graph shows the count of each byte value (ASCII character) in the file; obvious single-byte XOR keys can be seen here. The second graph is the entropy of the file: most documents other than PDFs have very low entropy in their legitimate content, with only images or the embedded executables showing as red high-entropy sections. The third and final graphic is the XOR dispersion over 1024 bytes with the calculated key overlaid. We define the XOR dispersion as the most frequently occurring byte at each position within the 1024-byte blocks of the file, so a 256-byte XOR key used on an embedded executable produces a pattern that repeats four times over the 1024 bytes. If the dispersion graphic looks random, it is probably data and not an embedded executable. Sloping lines are typical of algorithmically generated encryption keys: the typical exploit shellcode is very small, and simple counters are commonly used as the XOR key.
The main areas to check in the Cryptam report are the summary, which lists embedded executable signatures such as an XORed version of "This Program cannot be run in MSDOS", and the key length, which is typically anywhere from 1 to 1024 bytes but most commonly 256 bytes in typical APT-type attacks. The system is also available as a command line scanner and in private web versions like our PDFExaminer product.
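The three report graphs and the key-length check described in the two paragraphs above, as an added example that is not Cryptam's own code: it builds the byte histogram, the per-block entropy, and the XOR dispersion over 1024-byte blocks, reads the key length off the dispersion period, and decodes the file to look for the DOS-stub signature. The sample document, the embedded fake PE and the 256-byte key are constructed inline; the 0x4E stub offset, the 6.5-bit entropy threshold and the use of 0x00 as the most common PE byte are assumptions of this example, not statements from the post.

```python
"""Cryptam-style cryptanalysis of a document carrying an XOR-encoded PE.

Added example, not Cryptam's own code. Computes the three report graphs
(byte histogram, per-block entropy, XOR dispersion over 1024-byte blocks),
estimates the key length from the dispersion period, and decodes the file
to check for the DOS-stub signature. Sample data and key are constructed.
"""
import math
import random
from collections import Counter

BLOCK = 1024
DOS_STUB = b"This program cannot be run in DOS mode"  # text present in every MZ DOS stub
STUB_OFFSET = 0x4E  # offset of that text in the common MZ header layout (assumption)


def byte_histogram(data):
    """Graph 1: count of each byte value. A single-byte XOR key shows up as one
    dominant value sitting where the 0x00 padding of a PE would normally be."""
    return Counter(data)


def block_entropy(data, block=BLOCK):
    """Graph 2: Shannon entropy (bits per byte) of each block of the file."""
    result = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        n = len(chunk)
        result.append(-sum(c / n * math.log2(c / n) for c in Counter(chunk).values()))
    return result


def xor_dispersion(data, blocks, block=BLOCK):
    """Graph 3: the most frequent byte at each position within the block, taken
    over the given block indices. Assuming a PE's most common byte is 0x00, over
    the encoded executable this is the XOR key itself, rotated by the
    executable's file offset modulo the key length."""
    cols = [Counter() for _ in range(block)]
    for b in blocks:
        for pos, byte in enumerate(data[b * block:(b + 1) * block]):
            cols[pos][byte] += 1
    return bytes(c.most_common(1)[0][0] if c else 0 for c in cols)


def key_period(disp):
    """Smallest period of the dispersion pattern, i.e. the key length; a
    256-byte key repeats four times across the 1024-byte window."""
    for p in range(1, len(disp)):
        if all(disp[i] == disp[i % p] for i in range(len(disp))):
            return p
    return len(disp)


def analyze(data, threshold=6.5):
    """Run the three analyses, decode with the recovered key and look for the stub."""
    entropy = block_entropy(data)
    hot = [i for i, h in enumerate(entropy) if h >= threshold]  # the "red" blocks
    disp = xor_dispersion(data, hot)
    period = key_period(disp)
    # The key period divides the window, so disp[i % BLOCK] is the right key
    # byte for every file offset i regardless of where the executable starts.
    decoded = bytes(b ^ disp[i % BLOCK] for i, b in enumerate(data))
    stub_at = decoded.find(DOS_STUB)
    mz_at = stub_at - STUB_OFFSET if stub_at >= 0 else -1
    # Rotate the dispersion back to the key as applied from the MZ header.
    key = bytes(disp[(j + mz_at) % period] for j in range(period)) if mz_at >= 0 else b""
    return {"high_entropy_blocks": hot, "key_length": period,
            "mz_offset": mz_at, "key": key}


def build_sample():
    """Constructed sample: 3000 bytes of low-entropy document text followed by
    a fake 16 KiB PE (MZ header, DOS stub, zero-heavy body) XOR-encoded with a
    256-byte key that has no shorter period."""
    rng = random.Random(1)
    text = (b"Quarterly budget review attached for your approval. " * 60)[:3000]
    body_len = 16384 - STUB_OFFSET - len(DOS_STUB)
    body = bytes(0 if rng.random() < 0.75 else rng.randrange(1, 256)
                 for _ in range(body_len))
    exe = b"MZ" + b"\x00" * (STUB_OFFSET - 2) + DOS_STUB + body
    key = bytes((37 * i + 11) & 0xFF for i in range(256))  # bijection on 0..255
    encoded = bytes(b ^ key[i % 256] for i, b in enumerate(exe))
    return text + encoded, key, len(text)


if __name__ == "__main__":
    data, key, exe_offset = build_sample()
    report = analyze(data)
    print("high-entropy blocks:", report["high_entropy_blocks"])
    print("key length:", report["key_length"], "MZ at:", report["mz_offset"])
    print("key recovered exactly:", report["key"] == key)
```

The dispersion is only computed over the high-entropy blocks so the document's own text does not outvote the executable's zero padding; a key whose length does not divide 1024 would not settle into a clear mode per position, which is the "looks random" case the post describes.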
Use the Cryptam document malware scanner online at https://malwaretracker.com/doc.php. Upcoming posts will release a few useful tools to un-XOR and un-ROL the executables using the keys Cryptam detects.