[Mal Series #22] Weird Embedded PDF file

A PDF file with an embedded “VelvetSweatshop”-encrypted Excel file, which contains a payload that uses CVE-2017-0199 to download its next stage from a 2url[.]one shortened URL.

The malicious sample is available on abuse.ch

Screenshots

Screenshot of PDF file opened in Acrobat.exe

Press “Ok” and Excel 2010 is launched (the user gets infected if they are running a vulnerable version of Excel)

Screenshot of the excel file

Execution Flow:

Acrobat.exe (latest version) -> Excel.exe (tested on Excel 2010, CVE-2017-0199) -> 2url[.]one shortened URL (most probably downloads the payload)

Process Tree: Acrobat.exe -> Excel.exe
PID Link of Acrobat.exe -> Excel.exe

Found that the PDF contains an /EmbeddedFile stream. Let’s check out the stream then.

> If you just search for the stream start offset in a hex editor, you will find some encoded bytes.

But if you google the PDF file format, you will find that the stream is actually encoded, in this case with /FlateDecode, which is zlib compression.

Luckily, PDFStreamDumper will do that for you, so no worries about doing it manually each time :)

Or you can use pdf-parser.py from Didier Stevens to dump out the stream.

python pdf-parser.py --search EmbeddedFile --raw --filter --dump <stream_output_path> <sus_pdf>

You can verify it by extracting the bytes from the stream start offset (0x193a) to the stream end offset (0xcc45) and decompressing them with a simple Python call, zlib.decompress(data).

Decoded streams in PDFStreamDumper

The header bytes d0 cf 11 e0 a1 b1 confirm that the embedded file is a Microsoft Compound File (in this case an Excel file).
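To reproduce the stream-dumping and header check above without PDFStreamDumper, here is an added Python example (not from the post, nor from pdf-parser.py or PDFStreamDumper) that pulls every /EmbeddedFile stream out of a PDF, inflates FlateDecode bodies and checks for the compound-file magic; the PDF bytes are a constructed stand-in for the sample, and the offset-based `decode_range` mirrors the manual zlib check described earlier.

```python
import re
import zlib

# OLE/CFB magic (d0 cf 11 e0 a1 b1 1a e1) that identifies a Microsoft Compound File.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed stand-in for the sample: a minimal PDF with one page-content stream (not an
# embedded file) and one FlateDecode'd /EmbeddedFile whose body is a fake compound file.
SAMPLE_CFB = OLE_MAGIC + b"\x00" * 24 + b"EncryptedPackage"   # 48 bytes, not real malware
SAMPLE_DEFLATED = zlib.compress(SAMPLE_CFB)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Length 11 >>\nstream\nBT ET 0 g q\nendstream\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(SAMPLE_DEFLATED)).encode() + b" >>\nstream\n"
    + SAMPLE_DEFLATED + b"\nendstream\nendobj\n%%EOF\n"
)

# Heuristic: a flat (non-nested) stream dictionary followed by the "stream" keyword; good enough for triage.
_STREAM_HDR = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n", re.DOTALL)

def decode_range(pdf_bytes, start, end):
    """The manual check from the post: slice the stream by its start/end offsets and inflate it."""
    return zlib.decompress(pdf_bytes[start:end])

def extract_embedded_files(pdf_bytes):
    """Return (stream_offset, decoded_bytes) for every /EmbeddedFile stream in the PDF."""
    found = []
    for m in _STREAM_HDR.finditer(pdf_bytes):
        sdict, start = m.group(1), m.end()
        if b"/EmbeddedFile" not in sdict:
            continue
        length = re.search(rb"/Length\s+(\d+)", sdict)
        # A direct /Length gives the exact stream size; otherwise fall back to the keyword.
        end = start + int(length.group(1)) if length else pdf_bytes.find(b"endstream", start)
        body = pdf_bytes[start:end]
        if b"/FlateDecode" in sdict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or truncated stream: keep the raw bytes for manual triage
        found.append((start, body))
    return found

def triage(pdf_bytes):
    """Summarise each embedded file as (offset, is_ole_compound_file, decoded_size)."""
    return [(off, body[:8] == OLE_MAGIC, len(body)) for off, body in extract_embedded_files(pdf_bytes)]
```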

The Excel file is encrypted (CDFV2 Encrypted), as we can verify from its child streams and storages.

Encrypted excel file

The first thing that came to my mind was VelvetSweatshop, since in 2020 there was a spam campaign that used this technique to deliver LimeRAT. Maybe we can try to decrypt it with msoffcrypto-tool from nolze or msoffcrypto-crack.py (which relies completely on nolze’s tool above) from Didier Stevens.

python msoffcrypto-crack.py <enc_xlsx> -o <dec_xlsx>

Decrypted excel file

Based on the decrypted Excel file (Microsoft Excel 2007+), it doesn’t contain any macro or formula sheet. Then I looked into the xl folder for more info. In the embeddings folder, oleObject1.bin really caught my attention. I put it into a hex editor to look for any suspicious strings and found the suspicious URL that is called from the Excel file itself, 2url[.]one (a URL shortener). If you analyze it using oledump.py, 2url[.]one is located in the \x01Ole stream.

The Excel file utilizes CVE-2017-0199 to run a URL COM object via the Moniker “magic”. However, it only targets older versions of Excel (the exploit works in Excel 2010 and does not work in Excel 2016).

CLSID of StdOleLink
Matched URL Moniker stream

It can be observed that ieframe.dll / iertutil.dll are loaded after the malicious Excel file is loaded and the exploit runs successfully. I haven’t verified this, but it seems suspicious (some IE components inside the Excel process).

The PID is different since I reran the file.

Call stack in WinDbg (right-hand side), from olerun -> urlmon -> wininet.

olerun -> urlmon -> wininet

Also, a suspicious thread related to wininet.dll is created.

New thread related to wininet.dll is created.

As for how the exploit works in detail, you may refer to the PDF file below:

Some OSINT on VT

By tracking the shortened URL in VT, it redirects to the link below.

http://107[.]173[.]229[.]134/invoice/shp_441.doc

The link downloads the file below, which is an RTF file that uses another exploit.

c9e2821f3e10c7c2a012d0926f25826c402bd5a6a1e6a1879212b9241cfad8e

After the RTF exploit runs successfully, the final payload, FormBook RAT, is downloaded.

4a620c143b7f0f825ad491d7b4f58e903064da24346b000aee31fe9cf5158b4e

After thoughts

Please update Microsoft Office to the latest version to prevent these exploits. Since this is a macro-less infection, once a user opens the file in a vulnerable version of Office, the code executes immediately. There is no “Enable Macros” prompt to keep you alert :)
