Скачать или смотреть Malicious Document Analysis Excel Sample #4

In this video tutorial, we analyse an Excel document for IOC's (Indicators of Compromise). We utilise 2 VM's (Virtual Machines) connected on a Host-Only network (Can't connect to the internet). So the malware sample, can't infect your own computer, this is a critical step when analysing malware in your own virtualised lab.



FlareVM Utilities

sha256sum.exe - For fingerprinting (hash value) and checking against the VirusTotal database.

md5sum.exe - For fingerprinting (hash value) and checking against the VirusTotal database.

file - To determine file type (malicious actor may hide true file type for social engineering reasons).

oleid - To determine if file is OLE (Object Linking and Embedding) format or not, so you can utilise ole tools.

oledir - To display the directory structure.

oledump - To display directory structure, streams and macros.

olevba - To display VBA Macros and even decode/decrypt.

officemalscanner - scans Microsoft Office documents for malicious artifacts


Shortcut Commands Used

Ctrl A - Places cursor at the beginning of the prompt.

Ctrl E - Places cursor at the end of your typed command/query.

Ctrl U - Deletes content preceding cursor, up to the beginning of the prompt.

Ctrl L - Clears the screen.

Up Arrow - Iterates through command history

Ctrl Alt T - Open a new Terminal.


Tools Used

Cmder - Terminal comprising both Windows/Linux commands/utilities.

Wireshark - Network analysis and Packet Capture application.

TCPView - Network connections (TCP/UDP) associated with corresponding processes.

Process Hacker 2 - Process analysis/visibility application.

Notepad - For making notes whilst performing analysis.


Sample Used

Visit: https://bazaar.abuse.ch/browse/

To search for malware samples on the repository, the format used is as follows;


Hashing Algorithm(i.e. md5/sha256) followed by : Hash Value



Example;

md5:300a33947c0895fcd12fc173244ed072

or

sha256:fdd119239aec05e43b560b3aaf43d683e0e81085520feebacb724db64bba8367


Tips/Advice

Be inquisitive and try to figure things out for yourself.

Conduct your own research by utlising the plethora of sources/tools available.

Google/Youtube if you are stuck or unsure about something.

Set up a virtualised lab enviroment to perform your own malware analysis.

Utilise virtualisation software (VMWare/VirtualBox etc).

Utilise pre-configure VM's (FlareVM/Remnux etc).

Always ensure when starting your VM's the network adapters are set to Host-Only.

Be brave! nothing is unattainable, if you apply yourself correctly.


When downloading/analysing malware, it's critical to know what you are doing. If you are not confident in your abilities at this juncture, be prudent and work on your foundational knowledge (OS Systems, Networking, Security etc) instead.

Literally, it's best to be safe than sorry.

The repository link above contains real malware samples from the wild. They all, will almost certainly, do untold damage to your systems (Computers/Network), and even yourself as an individual, if not handled correctly.