UNDERSTANDING ANDANALYZING WEAPONIZEDCARRIER FILESRYAN J. CHAPMANUnderstanding and Analyzing Weaponized Carrier Files (DefCon 27, 2019)Flamingo Las Vegas, Red Rock III3555 South Las Vegas Boulevard, Las Vegas, NV ickets-63608133640See also htmlThe most up-to-date version of the workshop materials, including this PDF, can be foundhere: will learn about carrier files, how they are weaponized, and how to analyze thenasty little buggers. The workshop covers MS Office and PDF file structures in-depth alongwith the common scripting engines associated with the file formats.1

WORKSHOP MATERIALS You will need TWO VMs: Windows (malware) VM w/ MS Office PDFStreamDumper REMnux VM Update the bad boy, you’ll have all you need If you don’t have either VM: Come grab a USB in front of the room The copy process will be slow, so hurry!Hardware/SoftwareTo participate in the workshop, you don't need Acid Burn's laptop. However, you will wantto bring a laptop equipped with the following:- The laptop will probably need at least 8GB of RAM, as you'll need to be able to runyour host OS along with two VMs.- Please try to have a USB 3.0 port available. I will have USB 3.0 drives with me the day ofthe workshop. These drives will be FAT-formatted (nothing fancy) and contain the filesrequired for the workshop. I will also pop the files on to a cloud-based file sharingservice ahead of the workshop for folks whom like to setup early.- VM software! You'll need software to run a VM, such as VMware or VirtualBox. Doesn'tmatter if you're on a Mac with VMware Fusion, Windows, Linux, whatever. If you can runa VM (and take at least one snapshot), we're solid!VM SetupYou will need to have 2 VMs ready to rock:1. Windows Malware VMYou will need a Windows malware VM (10 preferred, 7 will work).- If you do not have a Windows 10 malware analysis machine, please checkout vm/#step22

- Speaking of MS products, you're going to need (in order to follow along with VBA filedebugging), a copy (evaluation version works fine) of MS Office 2016 . Versiondoesn't really matter, but the more recent the better.- If you don't have an MS Office license, check out the MS Evaluation center for a copy ofOffice that you can use: e-office365-proplus- Please install PDFStreamDumper: 7&pid 57- A hex editor of your choice! A few good options are HxD and 010 Editor (commercial, BUTAWESOME)- e.g. HxD hex exditor: Notepad : REMnux VMYou will want an up-to-date copy of the REMnux VM: All the tools we need for REMnux are installed by default. Thus, you simply need aworking VMVMs availableIf you REALLY cannot prep for the workshop (and damn you if this is the case), again, I'll have20 or so USB 3.0 drives available with VMs that you can use. Please note that the VMs will bearound 10GB . Even though they are USB 3.0 drives, it will take a while to copy the requiredfiles to get setup. So. you know. PREP dang you!2

WORKSHOP MATERIALS CONT. PDF copy of handouts here: Malware samples available here: Copy the cfworkshop file to both VMs Remember to disable file sharing after copying Unzip those bad boys Password: dc27workshopHEADS-UP ya’ll! I will be adding a ton of step-by-step instructions the days leading up toDefCon. As we come closer to the date, you can grab an updated file from my GitHub tofind all the fun instructions. Get it![additional notes here closer to the big day]Do you have the malware samples? If not, you can grab the bad boys from one of theselinks:- Zip password: dc27workshopYou will want to copy these samples to both your Windows malware VM and your REMnuxVM.Remember to disable networking & file sharing after, as we’ll be playing with livemalware.3

CAUTION!!LIVE MALWARE AHEAD! We’ll be working with live malware Careful! Don’t download malware onto your host Don’t double-click malware samples Don’t forget DefCon’s “3-2-1” rule If you have questions, please ask!Seriously, BE CARERFUL!- DO NOT copy or download the malware samples to your host OS!- DO NOT open or double-click the malware samples outside of your Windows malwareand REMnux VMs!And hey, while we’re at it: Let’s make sure in general you follow DefCon’s “3-2-1” rule, eh?Stolen from the official DefCon FAQ 4.0 (“At a MINIMUM follow the 3-2-1 Rule Daily - Three hours of sleep, Two Meals, OneShower. And if you only take One Shower or a day, Lather on the deodorant. Forthe ultimate DefCon Experience, you need to be an ACTIVE participant.”- You’re already doing your part as a participant by taking this workshop!- But, did you wash your butt?! If not, please use the break wisely. HAH!4

AGENDA Environment Setup Carrier File Overview Office File Overview Office Document Analysis Break PDF File Overview PDF AnalysisI have run my 5-week SOC baseline training course many, many times. In those courses, Idedicate a full day to Office document analysis along with a full day to PDF analysis. Today,we have a total of four (4) hours. As such, we’ll want to make the best use of our time!“In a Perfect World” Workshop Agenda:0.5 hr: Intro, VM Setup, and Carrier File Overview0.5 hr: Bathroom break(s) and buffer0.5 hr: Office Document Overview1.0 hr:s Office Document Analysis0.5 hr: PDF Overview1.0 hrs: PDF AnalysisActual Workshop Agenda:WHO KNOWS?! This is a DefCon workshop yo! I’m sure we’ll run into some fun tangents,some random issues, blah blah blah.Regardless, the instructions within this document will allow you to follow through thetraining at your leisure. My goal was to provide step-by-step instructions for *most* of thecontent, so feel free to finish up anything we aren’t able to hit within our time limitwhenever you feel like doing so. I’m always around to answer questions online.5

ABOUT ME Incident Response Consultant All things BLUE TEAM!Incident commandHost/Network forensicsMalware analysis Hobbies Retro video games Getting tapped on the mats Hangin’ with my Boogie (and my wife!) -- https://incidentresponse.trainingRelated work history:- Technical Trainer App developer [ firstJob]- SOC Analyst SOC Lead CIRT NSM Analyst / SOC Tech Lead CIRT Senior IR Analyst/ SOC Tech Lead [ lastJob]- Principle IR Consultant [ dayJob]I LOVE presenting! Heck, I love to run my mouth, so having the opportunity to do so infront of like-minded professionals is a true joy of mine. I have presented at:- DefCon 27 (RIGHT FREAKIN’ NOW in good ‘ol 2019!!)- CactusCon (2015/16/17/18)- BSides Las Vegas (2015/16)- BSides San Francisco (2015/2019)- Splunk.Conf (2015/16)- Splunk Live! (Scottsdale 2016, Santa Clara 2015, & Phoenix 2014)- At various universities/high schools/meet-ups/derpYou can find my previous workshops on GitHub:

IT TAKES A VILLAGE We have a large class ( 90 people) But we have some helpers!! If you need assistance, raise your hand A helper will come to your aid If still stuck, skip that section for now I can provide individual assistance: During the break After the workshop in person After the workshop online (hit me @rj chap!)7

VM SETUP Hopefully, you prepared! Copy the samples to both VMs, then: DISABLE networkingDISABLE shared foldersWindows: Disable Windows Defender!REMnux: Make sure the bad boy is up-to-date Snapshot your VMs before you start! Copy files - snapshot - begin!Please reference the notes on the Workshop Materials slide.(second slide of preso, go back)An up-to-date version of the VM setup guide will be available ster/README.mdFor disabling Windows Defender, Google is your friend!- Example process: in-Windows10If you copied the Windows 10 malware VM from one of my USB drives, you’re good to go.8

CARRIER FILE OVERVIEW(A.K.A. MALDOCS)Alright! Let’s get started by acquainting ourselves with the concept of a carrier file.9

CARRIER FILEDEFINITIONA carrier file (a.k.a. “MalDoc”) isa document that carries with it amalicious payload.The most common carrier filesare Office documents along withPortable Document Format(PDF) files.Please note that the security community at large sometimes refers to these files asMalDocs (a combination of malicious document). Going forward, feel free to use eitherterm. I personally prefer the term carrier file, hence the name of this workshop.10

CARRIER FILE INFOZ Often attached or linked to within email Email attachments are the #1 malware entryvector for businesses Malicious links in email are also in the top 10 The median company received over 90% oftheir detected malware via email Office-based carrier files made up 45% ofdelivered file types (Verizon, 2019)The data from this slide is taken from Verizon’s 2019 Data Breach Investigations Report,which can be found rts/2019-data-breach-investigationsreport.pdf11

MOAR CARRIER FILE INFOZ Users often transfer documents via email Users are prone to open attachments Common schemes used: Purchase Orders / InvoicesResumes / CVsReceipts / BillsContract Proposals Wide-net vs. more targeted approach12

DOWNLOADER VS. DROPPER Downloader Reaches out to external resource via Internet Downloads malware executes on host When opening, requires Internet access to p0wn Dropper Malware contained within document Drops malware onto host executes on host Droppers don’t require initial Internet accessQuite simply, a downloader is a malicious threat that downloads additional threats (knownas stages) from the Internet. Meanwhile, a dropper is a malicious threat that contains thenext stage within it and is able to drop the sucker on to the host and execute it.Downloaders are usually smaller, as they often contain simple (though obfuscated) scriptsthat download additional stages.Droppers are usually larger in size, as they must embed the next stage of the threat withinthemselves.13

TOOLS OF THE TRADEThe REMnux VM, maintained by Lenny Zelster and David Westcott of the SANS Institute,includes a bevy of tools: it comes to PDF analysis, PDFStreamDumper by David Zimmer stands supreme: 7&pid 57Didier Stevens Labs (DSL) is owned by (you’ll never guess) Didier Stevens. He makes someof the best document analysis tools re/Decalage, a site by Philippe Lagadec, provides some fantastic tools for carrier file analysis:- python-oletools package: ViperMonkey, a VBA parser and emulator: provides an application called the Visual Basic for Applications Editor (VBA Editor)that comes bundled with a-in-office14

I use VirusTotal (VT) nearly every day. The crew over at VT was cool enough to provide me aresearcher account for my various activities. While developing this workshop, I must havevisited the site over 100 times, literally. Do yourself a favor and become VERY familiar withVirusTotal.In fact, I streamed a basic VirusTotal overview (1.5 hrs) that you can check out here: 3jxqhEwBBGM14

MICROSOFT OFFICECARRIER FILESNow that we’ve gone over the basics of carrier files, it’s time to learn about a specificdocument format. We’ll begin with the most common carrier file format, the MicrosoftOffice document.15

OFFICE FILE STRUCTURES Office 97-2003 Object Linking and Embedding Compound File a.k.a. “OLE CF” – It’s a darn file system! MS Office XML (.xml) eXtensible Markup Language Office 2007 Office Open XML (OOXML/MOX; .docx/.docm) It’s just a ZIP file with an XML structure! Rich Text Format (RTF) Can embed raw OLE documentsOffice documents come in many different forms. We’ll be playing with two of them in thisworkshop, but many others exist.Office 97-2003:- Word Document: Document (DOC)- The Object Linking and Embedding (OLE) Compound File (CF) format: Compound File- Excel (XLS) and PowerPoint (PPT) also use the OLE structure- Magic number for OLE files: d0 cf 11 e0 a1 b1 1a e1- MS Office XML format: Office XML formatsOffice 2007 :- DOCX: Document (DOCX)- Open Office XML: Open XML16

OFFICE FILE WEAPONIZATION Often use Visual Basic for Applications (VBA) Macros use VBA Most common, thus, our focus RTF files obfuscating raw hex data Equation Editor exploits VBA stomping Not common due to compatibility requirements But ridiculously awesome!Visual Basic for Applications (VBA) scripting is the weaponization method of choice forOffice files. We’ll be focusing on these in this workshop.The following items are more advanced and are not as common as malicious macros. Ifyou want to call yourself a malware analyst, you’ll want to be familiar with each, but theyare outside the scope of our workshop (we only have 4 hours!).Example of malicious RTF file us RTF Files/21315/Equation Editor exploits are pretty VBA stomping is a process in which the VBA code itself is removed from an Officedocument, yet the pre-compiled pCode remains within the document. This method isuseful for targeted attacks, but is not used often for wide-net attacks as it requires theaggressor to know (or guess) the exact version of Office being used by the ing-advanced-maldoc-techniques612c484ab27817

DOSFUSCATION Obfuscation of code within thecommand prompt Uses many good ‘ol DOS tactics Extremely common in carrier filesthese days See Invoke-DOSfuscation in GitHubrepo linked in notesMr. Daniel Bohannon, one of my favorite security analysts out there, provided a whitepaper on advanced methods that can be used to obfuscate code within the commandprompt. He also provides the Invoke-Obfuscation and Revoke-Obfuscation tools for dealingwith obfuscation within PowerShell.Attackers these days are leveraging both methods, often having one feeding into the other,to hide their shenanigans. Imagine obfuscated batch scripting that includes obfuscatedPowerShell, which itself includes obfuscated batch scripting, WHICH ITSELF INCLUDES youget the idea.DOSfuscation white paper: g/pdfs/dosfuscation-report.pdf-GitHub repos: Blog: Blog posts: non18

OFFICE ANALYSIS TOOLS oletools oledump MS VBA Editor Included w/ MS Office One of the best tools for analysis (Thanks MS!) Other fun tools: OfficeMalScanner OffVizoletools is a great suite of tools, so much that I dedicated the next slide to by Didier Stevens is fantastic, and we’ll be using the little fella in ms/oledump-py/Microsoft’s very own VBA Editor is pretty darn useful. Here’s a quick Visual Basic forApplications (VBA) Overview for ya: Basic for ApplicationsWe won’t be using the following tools in this workshop, but you should still check rg/code.htmlOffVis – OLD tool, but still parses the OLE structure o-created/19

OLETOOLSGrab a copy of the oletools Cheat aster/cheatsheet/oletools cheatsheet.pdfSee olevba is pure magic – more to come on thisI’ll also be including some of the “super duper fantastical mega fun time” magic producedby ViperMonkey, also from 0

OLE CF INHEX EDITORHere’s an OLE CF (this one is a .doc) file in a hex editor.Many folks use the terms file signature and magic number (or magic bytes)interchangeably. I like to refer to the hex values as the magic number (hex a numberingsystem), while referring to the ASCII representation as the file signature.Notice that the magic number is: D0 CF 11 E0 A1 B1 1A E1- GET IT?! It spells “DOC FILE” in hex! How cute is that?!- The file signature (or ASCII representation as noted) reads like “Di-dot-Ay-ih-ta-dot-A”.Heh, just kidding. It’s not very human readable, is it?- See also search&search DOC&mode EXT21

DOCX IN A HEX EDITORHere’s the header of a DOCX file in a hex editor.Do you recognize the magic number and/or file signature?- Magic number: 50 4B 03 04 14 00 06- File signature: PKIt’s just a darn .zip file! As a fun note, the PK (0x504B) references Phil Katz, the creator ofthe original PKZIP package. Anyone remember that bad boy? Old school in the house!- Go ahead and try to unzip any DOCX files you have on your machine – cool huh?- You can find a breakdown for the files via Google un trivia:Another common file format that uses the creator’s initials is the Windows PortableExecutable (PE). You know those little .exe files your family members like to downloadrandomly from the Internet? Yeah, the ones that come with full names likeGameOfThrones-FullSeason1.avi.exe. Lol. Yeah, they use the magic number4D5A, or MZ in ASCII. The “MZ” stands for Mark Zbikowski, one of the lead developers ofMS-DOS- See MZ executable22

WORD DOCUMENTANALYSISIt’s that time gang!Let’s pull apart some weaponized Word documents to see how they tick!23

WORD 1 / POWERSHELL 855759/detectionThe first Office file that we are going to analyze is an Office 2003 XML file that utilizes whatis known as a PowerShell “download cradle” to download malware (yup, it’s a downloader,not a dropper).These are the details for the file as seen on VirusTotal (VT).24

I grabbed this screenshot from VirusTotal Graph to show how common these types ofsamples are. Here’s the breakdown:- In the middle, we have our file, originally submitted with the filename rech.docm (whichmeans it’s a macro-enabled DOCX file)- At the top-left we see that it includes additional files within it, namely because it’s a .zipfile! (OOXML)- The key here is at the bottom right, which shows related samples- This samples was weaponized and emailed (see bottom left) to victims- Meanwhile, VERY similar documents exist, are on VT, and can be reviewed if you have aGraph account (VT Enterprise)Very often, when you receive malspam with a weaponized carrier file, you will find thesucker on VT already. If not, just wait a few days and someone will have uploaded it.Unless of course it was targeted, in which case nevermind! Anywho, once the sucker hitsVT, re