[Video] Analyzing a Malicious Microsoft Word Document
One of the key features in VMRay Analyzer 2.0 is the built-in reputation engine that identifies known malicious or known benign files in milliseconds. The addition of the reputation engine gives Incident Responders and Malware Analysts a powerful “One-Two” combination of rapid threat detection and detailed analysis of malware behavior.
To illustrate the benefits of a combined approach of both built-in reputation and dynamic analysis engines, we look to a malicious Microsoft Word document found by our team.
The video below features the Microsoft Word document returning an “Unknown” classification through static look-up and only 11/56 AV engines identifying the file as “Malicious” in VirusTotal. In contrast, the dynamic analysis engine returns a VMRay Threat Identifier (VTI) score of 100/100, an unequivocal “Malicious” classification.
VMRay Analyzer’s dynamic analysis engine allows the document to be executed in an unmodified target environment that can be a faithful duplication of the intended real-world victim machine. This is critical to evading malware detection as we wrote in our blog series on sandbox evasion.
Equally important, VMRay Analyzer’s User Interaction Simulation engine will perform actions the malware is expecting, such as enabling macros in this example. Only by enabling macros can the malware run and pull down a payload.
We are able to see all the malicious behaviors performed by the Word document such as:
• modifying a process running in memory (through code injection)
• control flow modification of known processes.
• downloading of payloads from a C2C (command and control) server in Russia
Static lookup alone would not be able to detect this threat. Even a full static analysis would not provide any information about the code injection or network traffic that we uncovered during dynamic analysis.