Monday, March 9, 2015

0 Detection PDF with external link to malware EXE


This morning Malware Domain List tweeted a malicious PDF with a 0/57 detection rate, meaning it was not flagged as malware by any AV product on VirusTotal.com:







The PDF has the following attributes:

Original filename: 2015-03-05Label.pdf
Size: 96697 bytes
md5: 0323382619193827959ee85631f6043d
sha1: f64e86177b5b5f8db8a78c346e2a165423b4a427
sha256: bc415d1f0c8d8af1b02008f03788de7e073650893eec01296c537346b42f7244
ssdeep: 1536:s3Orf9OoEPqFlpcTVrGxokqE/3wrqx8TnWOgQSawAgl4a+E7zQGBEkc4ryH:serf9nEUpOJGmTE/BaLJ4qE7EGbmH
content/type: PDF document, version 1.5


Loading the PDF into PDFExaminer does detect an exploit. Strictly speaking, the ability to link to external content is a "feature" of PDF rather than a bug; however, a link to a remote EXE is always bad and should be detected in the PDF:




Drilling down to the malicious object in PDFExaminer reveals an external hyperlink to a remote executable:





Opening the PDF shows how a user would be exploited: they still need to click the malicious link before the malware is downloaded and executed. So while AV may not protect you from this attack vector initially, about half of the AV products tested will detect the downloaded remote executable. User education to avoid clicking suspicious links is a key defence here.

The PDF contents:


AV detection for the remote executable linked to from this PDF is 25/57:



And finally, you can use PDFExaminer for free online to detect this and other potential threats in PDF documents.

Thursday, March 5, 2015

Return of the Mime MSO, now with Macros

Didier Stevens at SANS ISC reported a new Mime MSO XML variant used in Dridex attacks which embeds a compressed OLE document (ActiveMime), containing VBA auto-open macros, within a Mime MSO XML document. Previously we had only seen CVE-2012-0158 delivered in Mime MSO (which we've blogged about before).

Cryptam, our document malware analysis tool, has been updated to process the base64 stream and uncompress the ActiveMime data. We anticipate this attack vector being adapted to APT-type attacks as well. In addition to VBA macros, the MSO XML specs also allow an OLE document to be embedded (Cryptam now handles this type of embedding too). The specs also allow some flexibility in how the XML is coded, as attributes or as elements. Sample report.



The following Yara signatures will detect Mime MSO XML files and some of the newly found obfuscation techniques:

rule mime_mso
{
meta:
    comment = "mime mso detection"
    author = "malwaretracker.com @mwtracker"
strings:
    $a = "application/x-mso"
    $b = "MIME-Version"
    $c = "?mso-application"
condition:
    // MIME-carried MSO (both headers present) or the Word 2003 XML processing instruction;
    // parentheses make YARA's "and before or" precedence explicit
    ($a and $b) or $c
}


rule mime_mso_embedded_SuppData
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docSuppData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}


rule mime_mso_embedded_ole
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "docOleData"
    $b = "binData"
    $c = "schemas.microsoft.com"

condition:
    all of them
}




rule mime_mso_vba_macros
{
meta:
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = "malwaretracker.com @mwtracker"
    date = "Mar 5 2015"

strings:
    $a = "macrosPresent=\"yes\""
    $b = "schemas.microsoft.com"

condition:
    all of them
}
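As an added example (not code from the original post or from Cryptam), the following Python pulls the base64 stream out of a Mime MSO file and inflates the ActiveMime container to reach the embedded OLE document, which is the payload the signatures above flag but do not unpack. It keys on the base64 encoding of the "ActiveMime" magic, so it works on both the MIME-part and the Word 2003 XML binData carriers; the header length (0x32 bytes, with 0x22A and a scan for a zlib marker as fallbacks) is an assumption about the container layout, and the embedded sample is constructed rather than a real file.

```python
import base64
import re
import zlib

ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed ActiveMime layout: a fixed header (0x32 bytes, occasionally 0x22A)
# followed by a zlib stream; scanning for a zlib marker is the fallback.
HEADER_OFFSETS = (0x32, 0x22A)
# Base64 of b"ActiveMime" at alignment 0; any base64 run starting with it is a
# candidate blob, whether it sits in a MIME part or in a <w:binData> element.
B64_ACTIVEMIME = re.compile(rb"QWN0aXZlTWltZQ[A-Za-z0-9+/=\r\n]+")


def build_activemime(ole_bytes):
    """Wrap OLE bytes the way an ActiveMime container does (assumed layout, for the sample)."""
    return ACTIVEMIME_MAGIC.ljust(HEADER_OFFSETS[0], b"\x00") + zlib.compress(ole_bytes)


def unpack_activemime(blob):
    """Inflate the zlib stream inside an ActiveMime blob, or return None if that fails."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    zlib_marks = [i for i in range(len(blob)) if blob[i:i + 2] == b"\x78\x9c"]
    for offset in list(HEADER_OFFSETS) + zlib_marks:
        try:
            return zlib.decompress(blob[offset:])
        except zlib.error:
            continue
    return None


def analyze_mime_mso(data):
    """Report the macrosPresent flag and every embedded OLE payload found in data."""
    payloads = []
    for match in B64_ACTIVEMIME.finditer(data):
        blob = base64.b64decode(b"".join(match.group(0).split()))
        inner = unpack_activemime(blob)
        if inner is not None and inner.startswith(OLE_MAGIC):
            payloads.append(inner)
    return {"macros_present": b'macrosPresent="yes"' in data, "ole_payloads": payloads}


# Constructed sample in the Word 2003 XML carrier, not a real malware file.
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24 + b"constructed OLE body standing in for a VBA project"
SAMPLE_MSO = (
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes"><w:docSuppData><w:binData w:name="editdata.mso">\r\n'
    + base64.b64encode(build_activemime(SAMPLE_OLE))
    + b"\r\n</w:binData></w:docSuppData></w:wordDocument>"
)
```

Calling analyze_mime_mso(SAMPLE_MSO) returns the macro flag and one OLE payload; the payload can then be handed to an OLE/VBA extractor for macro inspection.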