
Use case 1 executable file embedded in Excel file

Nobutaka Mantani edited this page Apr 18, 2021 · 3 revisions

In this use case, a malicious Excel file with an embedded executable file is analyzed. The Excel file exploits an old Microsoft Office vulnerability (CVE-2012-0158), so it does not work in dynamic analysis with a patched Microsoft Excel. FileInsight-plugins can extract the malware executable file from the Excel file so that it can be analyzed separately.

Open the Excel file with FileInsight.

1.png

Use the "File type" plugin to check its file type.

2.png

Its file type is detected as "File type of the whole file: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936".

3.png

The end of the file is filled with 0x89 (it should be 0x00), which looks suspicious.

4.png

Use the "Byte histogram" plugin to check byte frequency.

5.png

6.png

0x89 is the most frequent byte in the file. Since 0x00 is usually the most common byte in an executable, a single-byte XOR key shows up as the most frequent byte, so it is assumed that a malware executable file is embedded in the file and its content is XORed with 0x89.

7.png

For such a case, the "XOR text search" plugin can be used.

8.png

Windows executable files usually contain the text string "This program cannot be run in DOS mode.", so enter "This program" as the search keyword.

9.png

There are two search hits. "XOR key: 0x89 -> ROL bit: 5" means that the data should be XORed with 0x89 and then rotated left by five bits to decode the embedded executable files.

10.png

Press Ctrl-A to select the whole file. Then click the decode tab in the left pane, set the method to Xor and the key to 0x89, and click the decode button.

11.png

Next, set the method to "Rotate left" and the key to 5, and click the decode button.

12.png

The file content is decoded like this.

13.png

The search hits are bookmarked. Jump to a search hit by clicking a bookmark in the left pane. The text string "This program cannot be run in DOS mode." is now visible, so it seems that the malware executable files are decoded successfully.

14.png

Use the "Find PE file" plugin to extract the malware executable files. This plugin searches for Windows executable files and bookmarks them based on PE header information.

15.png

Two 32-bit executable files are found and bookmarked. The second executable file (offset 0x2f53e) is actually embedded in the first executable file (offset 0x234ce).

16.png

Click the bookmark of the first executable file (offset 0x234ce) to select its region, then use the "Copy to new file" plugin to extract the region as a new file.

17.png

The extracted region is copied to the new tab "New file 0". Use the "Hash values" plugin to calculate its hash values.

18.png

The calculated hash values are as follows.

19.png

Use the "Send to" plugin to open the extracted executable file with another analysis tool.

20.png

Select IDA Free to open the file for further analysis.

21.png

22.png

FileInsight-plugins can be used to decode and extract embedded malware executable files like this. 😉
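The same workflow (XOR text search for the DOS stub string, the XOR 0x89 -> ROL 5 decode, and PE header carving) reproduced in plain Python as an added example; this is not code from FileInsight-plugins. The sample blob, the fake PE header layout and the e_lfanew sanity bound are constructed assumptions for the demo.

```python
import struct
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

def rol8(b, n):
    """Rotate an 8-bit value left by n bits (n in 0..7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def decode_xor_rol(data, key, rol):
    """The decode chain the plugin reported: XOR each byte with key, then ROL."""
    return bytes(rol8(b ^ key, rol) for b in data)

def encode_ror_xor(data, key, rol):
    """Inverse of decode_xor_rol (ROR, then XOR); used only to build the sample."""
    return bytes(rol8(b, (8 - rol) % 8) ^ key for b in data)

def xor_text_search(data, keyword):
    """Brute-force every (key, rol) pair under which keyword appears in the decoded data."""
    return [(key, rol) for key in range(256) for rol in range(8)
            if keyword in decode_xor_rol(data, key, rol)]

def find_pe_files(data):
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # The upper bound on e_lfanew is an assumed sanity limit, not a PE-format rule.
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_fake_pe_header():
    """Constructed stand-in for a PE header: MZ, e_lfanew=0x80, DOS stub text, PE signature."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)

def build_sample():
    """Constructed blob: two encoded fake PEs inside 0x89 padding (0x89 decodes to 0x00)."""
    pe = encode_ror_xor(build_fake_pe_header(), 0x89, 5)
    return b"\x89" * 0x40 + pe + b"\x89" * 0x20 + pe + b"\x89" * 0x30

def analyze(blob):
    """Page workflow: recover (key, rol) from the DOS stub text, decode, carve PE offsets."""
    key, rol = xor_text_search(blob, b"This program")[0]
    return key, rol, find_pe_files(decode_xor_rol(blob, key, rol))
```

Note that XOR and rotation do not commute, so the order the plugin reports (XOR first, then ROL) must be kept when decoding.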

Hash values of the Excel file:

MD5: 6bb32ce95fbfaadad19212080ed0268b
SHA1: 9bb5442c6778d4ab5716e118bcca558ee46d0ac4
SHA256: ceb0af188c5c1f1fc60c8446ea3cb5fa6d3d6c6b1f173e1161434afc7e3474a3
ssdeep: 6144:dbL6vr7ZtpxBbi636Ls0b64/gbhwD/nv/LMezJUJwf:dbL6zdPxBb56LPzoa7nHLMezJUJG