Hello, Didier Stevens here, senior handler with the Internet Storm Center. You've heard about FireEye's breach, where red team tools were stolen. We are going to look at a malicious document created by one of those FireEye tools. FireEye published many YARA rules that help with the detection of their tools and of the files created by their tools, and I looked in particular at the methodology rule for OLE character encoding, which is specific to malicious documents created by one of their tools. Now, we don't have their tool, but we do have a sample of a malicious document: the rule lists the MD5 of a sample, and that sample can be found on VirusTotal. So that's what we are going to analyze.

This YARA rule detects Office documents, OLE documents, with a size smaller than 10 megabytes that contain one of these strings. As you can see, these are decimal numbers separated by a semicolon, a colon or an x, and we have three different sequences of decimal numbers. If you translate this first sequence to ASCII, you end up with the text "echo off", so this one must be for BAT files. This one translates to MZ followed by 90 hexadecimal, so this is for EXE files, PE files. And this sequence is PK followed by 3 and 4, the file record header of a ZIP file, so this one is for ZIP files. So the malicious documents are probably droppers that can contain a BAT file, an EXE file, a ZIP file, or maybe a combination, encoded like this.

So we are going to look at this document. With my oledump tool, I look at the document and, as you can see, it contains VBA code: here are the M indicators. But I'm not going to look directly at the VBA code, because what stands out to me are these streams here, o and f. These are VBA user forms, and you have properties in those VBA user forms, keys and values: keys are in the f stream, values are in the o stream. And this one here is particularly large, about half a megabyte.
This is a known technique of malware authors, hiding their payload in those streams, so that's where we are going to look. I have a plugin for that: oledump with plugin_stream_o on this sample. We immediately see a lot of numbers here, decimal numbers separated by semicolons, so that must be the payload. Let's do this again, because this is probably not the complete output. Here, in this form, we have a text; that's probably the social engineering text. And here we have one very long sequence of decimal numbers, starting with 80 75 3 4, so this must be a ZIP file. And as you can see here, my plugin says "found 2": there are actually two such sequences in this list. That is new in my plugin, I changed this recently: if there is only one entry, then you just see the entry, but if there is more than one entry, you will also see a counter, "found 2".

So we need to convert these numbers to bytes and then analyze the binary file that we create. I have a tool for that: numbers-to-string. Since we have two sequences of numbers, we need to select each of them separately so that we can analyze the two sequences apart. For that, you can use statistics: first, run numbers-to-string with the statistics option, and you get an overview of each line that contains numbers, with a bit of statistics for the numbers on those lines. Like here: line 25 and line 26 contain 66,124 and 66,191 numbers, varying between 0 and 255. So that is the binary data we want to extract. The others are way smaller; those are just numbers that appear in the text, like on this line with the number 2, which is the "found: 2" output of my plugin. So line 25 is one payload and line 26 must be another payload. Let's look at that. The way to do that is simple: option -l to select line 25. It is a binary file.
So we take option -b to produce binary output, because numbers-to-string by default creates strings and decodes strings, but here it's binary data, so option -b. We saw that it starts with the header of a ZIP file, so I'm going to pipe this into my zipdump tool. And indeed, here you can see it is a ZIP file and it contains a file with the extension .exe, so that must be the executable. I can get extra information with option -E, and then indeed you can see the MZ, so this is a PE file. Here is the MD5 hash, and with that you can look it up on VirusTotal. By the way, if you don't like the MD5 hash anymore and want some other hash, that's something you can configure in my zipdump tool. So that was line 25. Let's look at line 26, where I also expect a ZIP file. And indeed, that's another ZIP file containing an EXE. So it's as simple as that, analyzing this Office document.

Now let's look at the VBA code. Here it is. Now I wonder: did they apply a technique like VBA stomping or VBA purging? I'm going to use option -i to get more information, and then for each module stream you get this extra information: the size of the compiled code and the size of the VBA code. You can see it's not zero, so it has not been purged. And the VBA code here looks reasonably large compared to the compiled code; it looks normal, so it doesn't look like it has been stomped either. We have four streams here, but this one only contains attributes, lowercase m. So let's look at 11, 12 and 16. Stream 11: decompress the VBA code. Here we see the declarations, a sub, OK. Here we have a function. This is the name of the file that we also saw: .zip.exe. So this function will extract the ZIP file, write it to disk as a ZIP file, and then unzip it with this CopyHere command. You can see here why there are two different files: if the version of Windows is 6.2 or 6.3, then this version is used.
And if it is not 6.2 or 6.3, then the other version is used. So those are the two embedded files. You can see the name of that field is almost the same, but here it's an E and here it's an S. Then there is the Split on the semicolon, and here we iterate over that array, convert the numbers to bytes, accumulate them and write them to disk. If the file is successfully written, it is unzipped and then executed with a Shell command here. So pretty classic.

What do we have in stream 12? OK, here we have a Document_Open and a Document_Close. The content of the document is deleted. So, as far as I can see, the text is displayed, then the payload is executed, and the text that is shown to the user is the one we saw in that other form. If you remember, let's go back: this message here is the one that is stored in that form and that is displayed to the victim. And what do we have in 16? Just a private sub, and that's it.

So quite simple here: just VBA code where you have a ZIP file, two ZIP files, encoded with numbers and stored inside a VBA user form. The VBA code will extract it, write it to disk, unzip it, and then execute it, and also display a text to the user. And that's it.

I used my oledump tool here to do the analysis. You can actually also do the analysis just with my strings tool, because it will also find these long sequences of numbers, and then you can also pipe this into numbers-to-string with the statistics option. Yeah, OK. We have many more lines here, so let's say that we want to limit our strings to a minimum length of 1000. OK, you see, now we have just two lines, and then you can extract exactly the same payloads, just using my strings command and not the oledump command.
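As an added example (not Didier Stevens' numbers-to-string.py or zipdump.py, and not code from the sample or from FireEye's tool), the following Python script reimplements the extraction workflow described above in a stand-alone form: per-line statistics of decimal-number runs separated by ';', ':' or 'x' (the separators the YARA rule names), selection of a line, conversion of the numbers to bytes, identification of the embedded file by the three signatures the rule encodes (PK\x03\x04, MZ\x90, "echo off"), and a zipdump-style listing of ZIP members. The input stream, the member names and the fake PE bytes are constructed inline for illustration and are not taken from the real sample.

```python
"""Decode numbers-encoded payloads hidden in an Office user-form stream.

Added example: a small reimplementation of the numbers-to-string /
zipdump workflow, not the original tools. All input is constructed here.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Byte signatures the FireEye rule encodes as decimal sequences.
SIGNATURES = (
    (b"PK\x03\x04", "ZIP"),
    (b"MZ\x90", "PE"),
    (b"echo off", "BAT"),
)

# A run of 1-3 digit numbers separated by ';', ':' or 'x' (the rule's separators).
RUN_RE = re.compile(r"\d{1,3}(?:[;:x]\d{1,3})+")


def _split_numbers(run: str) -> List[int]:
    return [int(n) for n in re.split(r"[;:x]", run)]


def find_runs(text: str, min_count: int = 16) -> List[Tuple[int, int, int, int]]:
    """Per-line statistics like 'numbers-to-string -s': (line, count, min, max)."""
    stats = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RUN_RE.finditer(line):
            nums = _split_numbers(m.group(0))
            if len(nums) >= min_count:
                stats.append((lineno, len(nums), min(nums), max(nums)))
    return stats


def decode_line(text: str, lineno: int) -> Optional[bytes]:
    """Convert the longest numeric run on the selected line to bytes (like -l N -b)."""
    line = text.splitlines()[lineno - 1]
    best = max(RUN_RE.finditer(line), key=lambda m: len(m.group(0)), default=None)
    if best is None:
        return None
    nums = _split_numbers(best.group(0))
    if any(n > 255 for n in nums):
        return None  # not byte values: VBA Chr()/byte arrays need 0..255
    return bytes(nums)


def identify(data: bytes) -> str:
    """Classify by the first bytes, using the rule's three signatures."""
    head = data[:16]
    for sig, name in SIGNATURES:
        if sig in head:
            return name
    return "unknown"


def list_zip(data: bytes) -> List[Tuple[str, str]]:
    """Like zipdump: list members with the type of their content."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, identify(zf.read(i))) for i in zf.infolist()]


def extract_payloads(text: str, min_count: int = 16):
    """Full pipeline: statistics -> select lines -> decode -> identify (-> zip listing)."""
    results = []
    for lineno, _, _, _ in find_runs(text, min_count):
        data = decode_line(text, lineno)
        if data is None:
            continue
        kind = identify(data)
        members = list_zip(data) if kind == "ZIP" else None
        results.append((lineno, kind, members))
    return results


# --- constructed sample stream (hypothetical names, not the real sample) ---
def _encode(data: bytes, sep: str = ";") -> str:
    return sep.join(str(b) for b in data)


def _make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # only the header bytes, not a real PE
SAMPLE_STREAM = "\n".join([
    "Caption: Please enable editing to view the content",   # social-engineering text
    "found: 2",                                              # plugin counter, not a run
    "Tag: 1;2;3",                                            # short run, filtered out
    _encode(_make_zip("payload_e.zip.exe", FAKE_PE)),         # line 4: ZIP with a PE
    _encode(_make_zip("payload_s.zip.exe", FAKE_PE)),         # line 5: second ZIP
    _encode(b"@echo off\r\ncalc.exe\r\n", "x"),               # line 6: BAT, 'x' separator
])

if __name__ == "__main__":
    for stat in find_runs(SAMPLE_STREAM, min_count=1):
        print("line %d: %d numbers, min %d, max %d" % stat)
    for lineno, kind, members in extract_payloads(SAMPLE_STREAM):
        print(lineno, kind, members)
```

Running it prints the statistics for every numeric line (including the short "1;2;3" run, which the default minimum count of 16 then drops, the same reason the real analysis ignored the small lines) followed by one entry per payload line: two ZIPs whose single member starts with MZ, and one BAT. A number above 255 on a line makes `decode_line` return None rather than silently truncating, since such a sequence cannot have been produced by a byte-per-number encoder.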