PDF file embedded with a “VelvetSweatshop” encrypted excel file which contains a payload that using CVE-2017-0199 to download its next payload from 2url[.]one shorten url link.
The malicious sample is available in abuse.ch
Screenshots
Press “Ok” and Excel 2010 launched (User will get infected if they are using vulnerable version of excel)
Execution Flow:
Acrobat.exe (Latest version) -> Excel.exe (Tested on Excel 2010, CVE-2017–0199) -> 2url[.]one shorten url (Most probably download the payload)
Found that the pdf contains a /EmbeddedFile stream. Let’s checkout the stream then.
> If you just search the stream start offset via the Hex Editor, you will found some encoded bytes.
But if you googling the PDF file format, you will find that actually it is encoded and in this case /FlateDecode using zlib decompression.
Luckily, PDFStreamDumper will do that for you, so no worries on doing it manually each time :)
or you can use pdf-parser.py from Didier Stevens to dump out the stream.
python pdf-parser.py --search EmbeddedFile --raw --filter --dump <stream_output_path> <sus_pdf>You can try to verify it by extracting the Stream Start Offset (0x193a) — Stream End Offset(0xcc45) and decompress it with simple python code, zlib.decompress(data))
The header bytes d0 cf 11 e0 a1 b1 verify that the embedded file is a Microsoft Compound File (In this case it is a Excel file).
The excel file is encrypted (CDFV2 Encrypted) as we can see verify it based on its children files and folder.
The first thing appear on my mind was VelvetSweatshop. Since in 2020, there is a spam campaign that used such technique to deliver LimeRAT. Maybe we can try to decrypt it with msoffcrypto-tool from nolze or msoffcrypto-crack.py (which relies completely on nolze tool above) from Didier Stevens.
python msoffcrypto-crack.py <enc_xlsx> -o <dec_xlsx>
Based on the decrypted excel file (Microsoft Excel 2007+), it doesn’t contains any macro or any formula sheet. Then, I try to look into the xl folder for more info. In embeddings folder, oleObject1.bin really caught my attention. Then, I put it into HexEditor to look for any suspicious strings and I found the suspicious url that was called from the excel file itself, 2url[.]one (URL shortener). If you analyze it using oledump.py, 2url[.]one is located in \x01Ole stream.
The excel is utilizing CVE-2017–0199 to run URL COM object via Moniker Magic. However, it only targets older version of excel (Exploit works in Excel 2010 and it doesn’t work in Excel 2016).
It can be observed that the ieframe.dll/ iertutil.dll is loaded after the the malicious excel file is loaded and the exploit runs successfully, haven’t verify for this but it seems suspicious tho (Some IE stuffs in excel process).
Call stack in Windbg (right handside), from olerun -> urlmon -> wininet.
Also, a suspicious thread related to wininet.dll will be created too.
As for how the exploit works in detail, you may refer the pdf file below:
Some OSINT on VT
By tracking the shorten url in VT, it is redirected to the link below.
http://107[.]173[.]229[.]134/invoice/shp_441.doc
The link will download the file below, which is a RTF file that using another exploit.
c9e2821f3e10c7c2a012d0926f25826c402bd5a6a1e6a1879212b9241cfad8e
After the RTF exploit runs successfully, the final payload is downloaded, FormBook RAT.
4a620c143b7f0f825ad491d7b4f58e903064da24346b000aee31fe9cf5158b4e
After thoughts
Please update microsoft office software to the latest version to prevent those exploits. Since this is macro-less infection, once user open the file in vulnerable version of office software, the code will execute immediately. There won’t have a “Enable Macro” prompt to keep you alert :)
