PDF & Office Documents Malware Analysis | TryHackMe MalDoc: Static Analysis
In this post, we covered malware analysis techniques and tools to analyze PDF and Microsoft office documents. We used lab material from the room TryHackMe MalDoc: Static Analysis and also covered the answers for the tasks’ questions that are part of SOC Level 2 track.
In the digital era, documents are one of the most frequent methods for sharing information, serving purposes like reports, proposals, and contracts. Due to their widespread use, they have become a common target for cyber attacks. Malicious individuals can exploit documents to spread malware, steal confidential data, or conduct phishing schemes.
As a result, analyzing potentially harmful documents is a crucial aspect of any cybersecurity plan. By examining the structure and content of a document, analysts can detect potential risks and take actions to reduce them. This has become increasingly important as more companies depend on digital documents for storing and sharing sensitive data.
How PDF & Office Malwares are Delivered?
Spearphishing attachments are a common form of cyber attack aimed at specific individuals or organizations through well-crafted, personalized phishing emails. The goal of the attacker is to deceive the recipient into opening a malicious attachment, often containing malware, ransomware, or other harmful software. This allows the attacker to gain unauthorized access to the victim’s system, enabling them to steal sensitive data, compromise systems, or pursue other malicious objectives.
Advanced Persistent Threats (APT) refer to highly organized cybercrime groups or state-sponsored entities that frequently use spearphishing attacks to penetrate their targets’ systems. These APT groups leverage spearphishing attachments as a strategic method to circumvent security defenses and establish access to the target environment.
Malware families associated with Malicious documents
Emotet:
- Technical details: Emotet is a banking trojan that is often distributed through malicious email attachments, typically in the form of Microsoft Word documents. Once installed, Emotet can steal sensitive information, such as banking credentials and email addresses, and it can also be used to download additional malware.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Emotet, which can be found at https://attack.mitre.org/software/S0367/.
Trickbot:
- Technical details: Trickbot is a banking trojan that is often distributed through malicious email attachments and is known for its modular design, which allows attackers to add new functionality to the malware as needed. Trickbot has been used to deliver ransomware, exfiltrate data, and perform other types of malicious activity.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Trickbot, which can be found at https://attack.mitre.org/software/S0383/.
QBot:
- Technical details: QBot is a banking trojan that is often distributed through malicious email attachments and is known for its ability to steal banking credentials and other sensitive information. QBot is also capable of downloading and executing additional malware and can be used to create backdoors on infected systems.
- MITRE reference: The MITRE ATT&CK framework includes a reference for QBot, which can be found at https://attack.mitre.org/software/S0385/.
Dridex:
- Technical details: Dridex is a banking trojan that is often distributed through malicious email attachments and is known for its ability to steal banking credentials and other sensitive information. Dridex has been active since 2014 and has been one of the most prevalent banking trojans in recent years.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Dridex, which can be found at https://attack.mitre.org/software/S0384/.
Locky:
- Technical details: Locky is a ransomware family that is often spread through malicious email attachments, typically in the form of Microsoft Word documents. Once installed, Locky encrypts the victim’s files and demands a ransom payment in exchange for the decryption key.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Locky, which can be found at https://attack.mitre.org/software/S0369/.
Zeus:
- Technical details: Zeus is a banking trojan that has been active since 2007 and is often distributed through malicious email attachments. Zeus is known for its ability to steal banking credentials and other sensitive information and has been used in numerous high-profile attacks over the years.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Zeus, which can be found at https://attack.mitre.org/software/S0382/.
Petya:
- Technical details: Petya is a ransomware family that is often spread through malicious email attachments and has been active since 2016. Petya is known for its ability to encrypt the victim’s entire hard drive, making it much more difficult to recover from than other types of ransomware.
- MITRE reference: The MITRE ATT&CK framework includes a reference for Petya, which can be found at https://attack.mitre.org/software/S0367/.
PDF Document Analysis
A PDF (Portable Document Format) file is made up of a series of objects that are arranged in a defined structure. Gaining an understanding of this structure is crucial when analyzing or working with PDF documents. Below is a brief summary of the key components that make up the structure of a PDF file:
PDF Header: The header is the first line of a PDF file, containing a file signature and version number. The file signature is a specific sequence of characters that designates the file as a PDF, while the version number reflects the version of the PDF specification used to generate the document.
%PDF-1.7
PDF Body: The body of a PDF file consists of a series of objects arranged in a defined structure. Each object is marked with an object number and generation number, which serve to uniquely identify it within the document.
1 0 obj
<< /Type /Catalog
/Pages 2 0 R
>>
endobj
2 0 obj
<< /Type /Pages
/Kids [3 0 R 4 0 R]
/Count 2
>>
endobj
3 0 obj
<< /Type /Page
/Parent 2 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
>>
endobj
4 0 obj
<< /Type /Page
/Parent 2 0 R
/MediaBox [0 0 612 792]
/Contents 6 0 R
>>
endobj
PDF Cross-reference Table: The cross-reference table acts as a map, detailing the locations of all objects within the PDF file. It allows for efficient object retrieval within the document.
PDF Trailer: The trailer is the final section of a PDF file, containing key information about the document, such as the location of the cross-reference table, the file size, and any encryption or security configurations.
Full Writeup & Room Answers
The remaining of this article along with challenge answers can be found here