{"id":344,"date":"2016-02-04T21:05:56","date_gmt":"2016-02-04T21:05:56","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=344"},"modified":"2016-02-23T21:58:26","modified_gmt":"2016-02-23T21:58:26","slug":"2016-02-01-failed-dridex-word-doc-email","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=344","title":{"rendered":"2016-02-01 Failed Dridex Word doc email"},"content":{"rendered":"<p>Today, while investigating the normal events of the day, we found that some employees had been sent phishing emails (related to the latest round of Dridex) with a Word document attached. The email is shown below:<\/p>\n<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG1.png\" rel=\"attachment wp-att-349\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG1.png\" width=\"1258\" height=\"630\" class=\"size-full wp-image-349\" \/><\/a>\n<p>The attached Word document has the following properties:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tName: INV19 - 778810.doc\r\n\tSize: 23.6KB\r\n\tMD5 Hash: 5fc9c03c42b2060050347d92758237d3\r\n\tSHA256 Hash: 965c1e785b2fd3866b40d2d0046f6e6e6eb43e60f101f3bec1ed7eed9281060d\r\n\tVirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/965c1e785b2fd3866b40d2d0046f6e6e6eb43e60f101f3bec1ed7eed9281060d\/analysis\/<\/pre>\n<p>The interesting thing about this Word doc, and a couple of the others that came in as well, was that I could not extract the contents from the doc via 7Zip, and OfficeMalScanner did not recognize it as an OLE file either, as you can see below:<\/p>\n<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG2.png\" rel=\"attachment wp-att-346\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG2.png\" width=\"1280\" height=\"800\" class=\"size-full 
wp-image-346\" \/><\/a>\n<p>So I opened it up in Notepad++ to get a better idea of what I was dealing with, and at the top of the file is the following text in Russian:<\/p>\n<blockquote><p>\u0414\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435\u0439 \u0432 \u043e\u0434\u043d\u043e\u043c \u0444\u0430\u0439\u043b\u0435, \u0442\u0430\u043a\u0436\u0435 \u043d\u0430\u0437\u044b\u0432\u0430\u0435\u043c\u043e\u0439 \u0444\u0430\u0439\u043b\u043e\u043c \u0432\u0435\u0431-\u0430\u0440\u0445\u0438\u0432\u0430. \u0415\u0441\u043b\u0438 \u0432\u044b \u0432\u0438\u0434\u0438\u0442\u0435 \u044d\u0442\u043e \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435, \u0437\u043d\u0430\u0447\u0438\u0442, \u0434\u0430\u043d\u043d\u044b\u0439 \u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0438\u043b\u0438 \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440 \u043d\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u0442 \u0444\u0430\u0439\u043b\u044b \u0432\u0435\u0431-\u0430\u0440\u0445\u0438\u0432\u0430. \u0417\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u0435 \u0431\u0440\u0430\u0443\u0437\u0435\u0440, \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0449\u0438\u0439 \u0432\u0435\u0431-\u0430\u0440\u0445\u0438\u0432\u044b, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 Windows\u00ae Internet Explorer\u00ae<\/p><\/blockquote>\n<p>Translated:<\/p>\n<blockquote><p>This document is a web page in a single file, also called a Web archive file. If you see this message, it means that the browser or editor does not support Web Archive files. 
Download a browser that supports web archives, such as Windows\u00ae Internet Explorer\u00ae.<\/p><\/blockquote>\n<p>So, looking around the web, I started to see some links talking about how malware authors used a certain vulnerability in Word back in 2012 to evade detection by AV software. To read more about that, check out these links <a href=\"http:\/\/blog.3slabs.com\/2014\/07\/word-exploit-delivery-using-mime-html.html\" target=\"_blank\">here<\/a>, <a href=\"http:\/\/blog.malwaretracker.com\/2013\/08\/cve-2012-0158-exploit-evades-av-in-mime.html\" target=\"_blank\">here<\/a>, and <a href=\"http:\/\/www.antiy.net\/wp-content\/uploads\/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf\" target=\"_blank\">here<\/a>. While some aspects of the file that I am looking at hold true (file paths mentioned here and there), there is nothing in the file mentioning any class IDs at all. Further research into this also led me <a href=\"http:\/\/bitbucket.org\/decalage\/oletools\/issues\/10\" target=\"_blank\">here<\/a>, which explains that this is an MHT (MIME HTML) file, basically a MIME container similar to an email. 
So trying &#8220;oletools&#8221; to see if I could get a little more information about this file also failed, as you can see below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\t.\/oleid.py INV19\\ -\\ 778810.doc \r\n\tFilename: INV19 - 778810.doc\r\n\t+------------+-------+\r\n\t| Indicator  | Value |\r\n\t+------------+-------+\r\n\t| OLE format | False |\r\n\t+------------+-------+\r\n\r\n\t&#x5B;~\/Downloads\/oletools-0.41\/oletools] : .\/olevba.py INV19\\ -\\ 778810.doc \r\n\tolevba 0.41 - http:\/\/decalage.info\/python\/oletools\r\n\tFlags        Filename                                                         \r\n\t-----------  -----------------------------------------------------------------\r\n\tMHT:-------- INV19 - 778810.doc\r\n\r\n\t(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)\r\n\r\n\t===============================================================================\r\n\tFILE: INV19 - 778810.doc\r\n\tType: MHTML\r\n\tNo VBA macros found.<\/pre>\n<p>So at this point I guess I will try to do this the old-fashioned way &#8211; run it manually on my test VM and see what happens&#8230; 
YAY!<\/p>\n<p>So when I try to run this on my test VM, I immediately get a pop-up stating the following:<\/p>\n<p>\t<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG3.png\" rel=\"attachment wp-att-347\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG3.png\" alt=\"Error\" width=\"572\" height=\"314\" class=\"aligncenter size-full wp-image-347\" \/><\/a><\/p>\n<p>And then it dies&#8230; Looking at the PCAP, the only thing I can see is the following call:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tGET \/indiana\/jones.php HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept: *\/*\r\n\tUser-Agent: Mozilla\/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n\tHost: 31.41.45.23\r\n\r\n\tHTTP\/1.1 404 Not Found\r\n\tServer: nginx\/0.7.67\r\n\tDate: Mon, 01 Feb 2016 21:51:37 GMT\r\n\tContent-Type: text\/html; charset=iso-8859-1\r\n\tConnection: keep-alive\r\n\tVary: Accept-Encoding\r\n\tContent-Length: 292\r\n\r\n\t&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 2.0\/\/EN&quot;&gt;\r\n\t&lt;html&gt;&lt;head&gt;\r\n\t&lt;title&gt;404 Not Found&lt;\/title&gt;\r\n\t&lt;\/head&gt;&lt;body&gt;\r\n\t&lt;h1&gt;Not Found&lt;\/h1&gt;\r\n\t&lt;p&gt;The requested URL \/indiana\/jones.php was not found on this server.&lt;\/p&gt;\r\n\t&lt;hr&gt;\r\n\t&lt;address&gt;Apache\/2.2.16 (Debian) Server at 31.41.45.23 Port 80&lt;\/address&gt;\r\n\t&lt;\/body&gt;&lt;\/html&gt;<\/pre>\n<p>Well drat &#8211; that was anti-climactic all around. Dang server admins fixing their site before I could have my fun. 
Below are the files that I was able to obtain:<\/p>\n<p>\t<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG4.png\" rel=\"attachment wp-att-348\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG4.png\" width=\"796\" height=\"680\" class=\"aligncenter size-full wp-image-348\" \/><\/a><\/p>\n<p>The file &#8220;yFUYIdsf.exe&#8221; is located in the &#8220;C:\\Users\\Administrator\\AppData\\Local\\Temp&#8221; folder and has the following properties:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\tName: yFUYIdsf.exe\r\n\tSize: 292 bytes\r\n\tMD5 Hash: 81a9bef11f1d64437f3c51b7aa65fd0e\r\n\tSHA256 Hash: 97dc0e15afed062bd6c4ec71bdcd6ef358522f30c49125cf668f3ab1ee52a381\r\n\tVirusTotal Link: NA<\/pre>\n<p>Considering that the vulnerability has been out for some time now, I wondered if my install of Word has this patch or not. Also, I am seeing that there is a <a href=\"http:\/\/support.microsoft.com\/en-us\/kb\/2553154\" target=\"_blank\">KB that seems to break macros<\/a>. I found that link when looking around for what a &#8220;MSForms.exd&#8221; file was. Unfortunately, I am not seeing any updates to my copy of Office that would impact it. <\/p>\n<p>When I tried to run this executable in my restored VM, I got the following message:<\/p>\n<p>\t<a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG5.png\" rel=\"attachment wp-att-345\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2016\/02\/IMG5.png\" alt=\"Error\" width=\"564\" height=\"149\" class=\"aligncenter size-full wp-image-345\" \/><\/a><\/p>\n<p>When looking into this file further via PEStudio, I noticed in the strings section that the file had been modified by our email filtering appliance. Well that would explain why the file did not run correctly. 
To see what this looks like when it runs and works like it should, check out <a href=\"http:\/\/malware-traffic-analysis.net\/2016\/02\/01\/index.html\" target=\"_blank\">Brad Duncan&#8217;s post about this<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today while investigating the normal events of the day we got some employees that got sent some phishing emails (related to the latest round of Dridex) with a Word document attached. The email is shown below: The attached Word document has the following properties: Name: INV19 &#8211; 778810.doc Size: 23.6KB MD5 Hash: 5fc9c03c42b2060050347d92758237d3 SHA256 Hash: 965c1e785b2fd3866b40d2d0046f6e6e6eb43e60f101f3bec1ed7eed9281060d VirusTotal Link: http:\/\/www.virustotal.com\/en\/file\/965c1e785b2fd3866b40d2d0046f6e6e6eb43e60f101f3bec1ed7eed9281060d\/analysis\/&lt;\/a&gt; The interesting thing about this Word doc, and a couple of the others that came in as well, was the fact that I could not extract the contents from the doc via 7Zip, and OfficeMalScanner did not recognize it as an&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=344\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> 
<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-344","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=344"}],"version-history":[{"count":10,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/344\/revisions"}],"predecessor-version":[{"id":359,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/344\/revisions\/359"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}