Blog

[Video] Analyzing a Malicious Microsoft Word Document

One of the key features in VMRay Analyzer 2.0 is the built-in reputation engine that identifies known malicious or known benign files in milliseconds. The addition of the reputation engine gives Incident Responders and Malware Analysts a powerful “One-Two” combination of rapid threat detection and detailed analysis of malware behavior.

To illustrate the benefits of a combined approach of both built-in reputation and dynamic analysis engines, we look to a malicious Microsoft Word document found by our team.

The video below features the Microsoft Word document returning an “Unknown” classification through static look-up and only 11/56 AV engines identifying the file as “Malicious” in VirusTotal. In contrast, the dynamic analysis engine returns a VMRay Threat Identifier (VTI) score of 100/100, an unequivocal “Malicious” classification.

VMRay Analyzer - VTI Score of Microsoft Word Document
Figure 1 – Malicious Severity Classification with “Unknown” Reputation Classification

While static look-up is effective in determining “known” threats, we can see in this example that in the absence of signatures, dynamic analysis exposing and analyzing file behavior is crucial to determining that this is a threat.

VMRay Analyzer’s dynamic analysis engine allows the document to be executed in an unmodified target environment that can be a faithful duplication of the intended real-world victim machine. This is critical to evading malware detection as we wrote in our blog series on sandbox evasion.

Equally important, VMRay Analyzer’s User Interaction Simulation engine will perform actions the malware is expecting, such as enabling macros in this example. Only by enabling macros can the malware run and pull down a payload.

We are able to see all the malicious behaviors performed by the Word document such as:
• modifying a process running in memory (through code injection)
• control flow modification of known processes.
• downloading of payloads from a C2C (command and control) server in Russia

Malicious Microsoft Word Doc - Process Graph
Figure 2 – Process Graph of the Malicious Microsoft Word Document

Static lookup alone would not be able to detect this threat. Even a full static analysis would not provide any information about the code injection or network traffic that we uncovered during dynamic analysis.