Some day ago I received an email in an unmarked Gmail mail box. It was a clear Phishing email, but what catched my eyes has been a Password reported into the email's body and the attachment. It was a Microsoft Word file with ".docx" extension.
The first question that I asked to myself was: "Why this file wasn't dropped from Google security check?".
I decided to analyze the attachment and investigate about the sender.
First of all, I opened the attachment and putted into the password reported into the email's body. Opened, it had only three icons that looks like word's icons.
It doesn't makes sense! No text, no request to enable macro on startup.
The total words catch my eye. As you can see into the red circle, they were 369 words, but the document didn't had text, only 3 image's icons.
Double click on the image and I discovered the secret. The macro, VBScript, is embedded within it!
"What?! A macro into an image?!...You are a fucking genius!!" I Thought.
The answer of my question was behind the right-click. Who created this document used Packager Shell Object to embed the VBScript content.
The VBScript was obfuscated, but not in a hard way.
- the first one had extension ".viv"
- the second one had extension ".qde"
"JAy0D" function reads from file ".qde" and write into the file ".viv".
The snippet code reported below shows the resource that the dropper has to download, file with extension ".pkg".
Using whois protocol, I retrieved domain's information. Is useful to note that this domain is protect by privacy policy agreement.
File format ".pkg" is an installation file used by Apple in its Operating System.
Was impossible to download "tmp.pkg" file. The server gave error 404 Not Found.
Another resource that has to be downloaded is a file ."jpt".
JPT format file (JPEG-PNG-Type) takes advantage of the compression ratio from JPEG and PNG at the same time.
The main image is stored in JPEG while the alpha channel is stored in a PNG file as a gray scale.
While the PNG file can be 32 bit, 24 bit, 8 bit or even palette based, it is recommended to use
only 8 bit or palette based images in order to save space and actually take advantage of the JPT
format.
The next step was to analyze this file.
There I discovered the home page where this library come from.
It was hosted in a github page that it is not longer available.
From the page, I was able to recovery the developer's name "Jake J. Davis" and thanks to Google Cache, part of his GitHub account.
Another analysis I did was the email's header. Here we can read sender's PC name connected to the server.
Hey! Bruce, remember: "The first Internet's rule is: Stay Stealth"! 👀
CONCLUSION and HESITATIONs:
Something doesn't seems clear.
- File PKG is not reachable.
- JTP file doesn't seems to be JTP's format.
- This VBScript works only on Windows OS and it acts as a dropper to download other resources. It also use windows like commands ("cmd.exe") to perform some checks ("ping 8.8.8.8");
- If everything seems wrote for Windows OS, why it has to download file that works on Mac OS?
In conclusion: Given all these inconsistencies, many questions are still outstanding and this leave us two options, everything is part of a bigger project or the one who created these files is a newbie?
Thanks to my colleague for the support provided! ☺
Can you share a sha256 of the sample(s) you've analysed here?
ReplyDeletey85kp46kx1jl32j9d.docx
ReplyDeleteMD5: a43cbb141df9aef6b77ecb6ab5d27dda
SHA256: 9740cc8e0de64f8bc1fd0f7afb8c3b9782cfe8c87bf8a580a47b0f7afc92f357
img.jpt
MD5: c95a7f3fdde60fce15bfa74ed87b62ce
SHA256: 037491839724011c6f02e5cfd3790e05329f9c18888c7e9ad2c9e8558d7f968b