[Mal Series #22] Weird Embedded PDF file
A PDF file with an embedded Excel file encrypted with the default "VelvetSweatshop" password. The Excel file carries a payload that uses CVE-2017-0199 to download the next stage from a 2url[.]one shortened URL.
The malicious sample is available on abuse.ch.
Press "OK" and Excel 2010 launches (users running a vulnerable version of Excel will be infected).
Infection chain: Acrobat.exe (latest version) -> Excel.exe (tested on Excel 2010, CVE-2017-0199) -> 2url[.]one shortened URL (most probably downloads the payload)
I found that the PDF contains an /EmbeddedFile stream, so let's check out that stream.
> If you just jump to the stream start offset in a hex editor, you will find some encoded bytes.
If you look up the PDF file format, you will find that the stream content is encoded; in this case the filter is /FlateDecode, i.e. zlib compression.
Luckily, PDFStreamDumper decodes it for you, so there is no need to do it manually each time :)
Alternatively, pdf-parser.py from Didier Stevens can dump the decoded stream:
python pdf-parser.py --search EmbeddedFile --raw --filter --dump <stream_output_path> <sus_pdf>
You can verify this yourself by extracting the bytes between the stream start offset (0x193a) and the stream end offset (0xcc45) and decompressing them with a few lines of Python.
The header bytes d0 cf 11 e0 a1 b1 confirm that the embedded file is a Microsoft Compound File (in this case, an Excel file).
The Excel file is encrypted (CDFV2 Encrypted), which we can verify from its child files and folders.
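As an added example (not the author's code or one of the tools named above), the following Python reproduces the manual check just described: it carves every /EmbeddedFile stream out of a PDF, inflates /FlateDecode streams with zlib, tests for the OLE Compound File header and applies a heuristic for CDFV2 encryption. The sample PDF is constructed inline, and the "EncryptionInfo" substring check is an assumption made here rather than a full OLE parse.

```python
import re
import zlib

# Header of a Microsoft Compound File (OLE2); the write-up's d0 cf 11 e0 a1 b1 bytes.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# OLE directory entry names are UTF-16LE; a CDFV2-encrypted Office file carries an
# "EncryptionInfo" stream. Substring match is a heuristic, not a full OLE parse.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")

def extract_embedded_streams(pdf: bytes):
    """Return (start, end, data) for every stream whose dictionary is /EmbeddedFile.
    /FlateDecode (zlib) streams are decompressed; other filters are returned raw."""
    found = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start, end = m.end(), pdf.find(b"endstream", m.end())
        if end == -1:
            continue
        # The stream dictionary sits between the preceding "N G obj" and "stream".
        dictionary = pdf[pdf.rfind(b" obj", 0, m.start()):m.start()]
        if b"/EmbeddedFile" not in dictionary:
            continue
        data = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            d = zlib.decompressobj()  # tolerates the EOL before "endstream"
            data = d.decompress(data) + d.flush()
        found.append((start, end, data))
    return found

def triage_embedded_files(pdf: bytes):
    """Flag embedded files that are OLE containers and, if so, look CDFV2-encrypted."""
    report = []
    for start, end, data in extract_embedded_streams(pdf):
        is_ole = data.startswith(OLE_MAGIC)
        report.append({"start": hex(start), "end": hex(end), "size": len(data),
                       "ole": is_ole, "encrypted_office": is_ole and ENCRYPTION_INFO in data})
    return report

def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed fixture: a minimal PDF carrying `payload` as a FlateDecode /EmbeddedFile."""
    body = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    # Constructed payload: OLE header, padding, and a fake UTF-16LE directory entry name.
    for entry in triage_embedded_files(build_sample_pdf(OLE_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO)):
        print(entry)
```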
The first thing that came to mind was VelvetSweatshop, since a 2020 spam campaign used this technique to deliver LimeRAT. We can try to decrypt it with msoffcrypto-tool from nolze, or with msoffcrypto-crack.py from Didier Stevens (which relies entirely on nolze's tool).
python msoffcrypto-crack.py <enc_xlsx> -o <dec_xlsx>
The decrypted Excel file (Microsoft Excel 2007+) does not contain any macro or formula sheet, so I looked into the xl folder for more information. In that folder, oleObject1.bin caught my attention. I opened it in a hex editor to look for suspicious strings and found the suspicious URL that is called from the Excel file itself, 2url[.]one (a URL shortener). If you analyze it with oledump.py, 2url[.]one is located in
The Excel file exploits CVE-2017-0199 to run a URL moniker COM object ("Moniker Magic"). However, it only affects older versions of Excel: the exploit works in Excel 2010 and fails in Excel 2016.
It can be observed that iertutil.dll is loaded after the malicious Excel file is opened and the exploit runs successfully. I haven't verified this, but it looks suspicious (Internet Explorer components inside the Excel process).
Call stack in WinDbg (right-hand side), from
Also, a suspicious thread related to wininet.dll is created.
For the details of how the exploit works, refer to the PDF below:
Some OSINT on VT
Tracking the shortened URL in VT shows that it redirects to the link below.
That link downloads the file below, an RTF file that uses another exploit.
After the RTF exploit runs successfully, the final payload, FormBook RAT, is downloaded.
Please update Microsoft Office to the latest version to prevent these exploits. Since this is a macro-less infection, the code executes immediately when a user opens the file in a vulnerable version of Office; there is no "Enable Macros" prompt to alert you :)
PDF file format: Basic structure [updated 2020] - Infosec Resources