Malspam with password-protected Word documents
Introduction
On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as:
- Fwd:Ticket k29y729n71c52h692o53171
- ReTicket 985v49f155t06g78v412a3n382
- Fwd:Ticket 048f1v00u98
- ReTicket y18k9178280
- Ticket p574v892f453b467
- Ticket e26099p58v65x073
- ReInquiry 9l48o77
- Inquiry m70q200kd80
- ReInquiry t63j288d271f997b083a57c547
- ReInquiry f514f830p417n06h5150s036r838
An example of the message text:
Check the payment report created for [recipient's email address] as you just ordered.
You may need Doc Passcode: [string of alphanumeric characters]
[fake sender's name]
The attached Word documents were approximately 70 kB in size and password-protected. The document file names started with the string of alphanumeric characters from the subject line followed by the recipient's email address. File names all ended with the .docx file extension.
This diary documents my investigation into this wave of malspam. We're always thankful for people who submit samples of emails and malware like this to the ISC.
The email
The email appeared somewhat common for most malspam we see. People sometimes think if malsapm has the recipient's name in the email, it must be targeted. However, that's often not the case. This type of malspam is easily automated, and it can seem convincing when the recipient's email address is formatted as firstname.lastname@company.com.
Shown above: An example of the malspam.
The attachment
The document would only open after using the password from malspam it was attached to. This tactic typically allows the document to bypass detection in anti-virus tools. Searching VirusTotal for the Word document showed 0 of 56 detections when I checked the file later that day.
Shown above: Request for the attached document's password.
The document had three embedded objects that were supposedly Word documents. Dragging and dropping the objects onto the desktop revealed these were the same Visual Basic Script (VBS) file. The file name had several spaces before the .vbs file extension in an attempt to hide the true nature of the file.
Shown above: The embedded objects were a VBS file.
The VBS script was obfuscated, so its purpose was not immediately apparent.
Shown above: Text from the embedded VBS file.
The traffic
Executing the VBS file on a Windows host in my lab generated HTTP traffic. This is typically an attempt to download additional malware like a Windows executable or DLL file. Unfortunately, by the time I checked it, the URL returned a 404 Not Found error.
Shown above: Traffic generated by the .vbs file.
I searched reverse.it (also available as Payload Security on hybrid-analysis.com) and found 21 items submitted on Monday 2017-03-20 associated with the domain. Most were other documents from the same type of malspam. Two were attempts to analyze an extracted .vbs file. One was a query to the callback URL. None of these examples made it any farther than I did.
NOTE: Getting these search results on reverse.it requires a login. The accounts are free and only require a name, email, and password.
Shown above: Search results on reverse.it (hybrid-analysis.com) for the callback domain.
Indicators of compromise (IoC)
The following indicators are associated with today's malspam example:
Password-protected Word document:
- SHA256 hash: 146772487e4f4453055f80f40039ad1ce6c82a32a94d82a8c5bd228f4bcb4dcc
- File size: 70,656 bytes
- File name: f514f830p417n06h5150s036r838[recipient's email address].docx
Word document with password-protection removed:
- SHA256 hash: 2792084dcd04a51bde167afb59a912a5ae82adb33720fb0f25a10be9d08d2e12
- File size: 64,938 bytes
VBS file embedded in the Word document:
- SHA256 hash: 4cc6e847ada0ebe30d88d93b07c58024380626295d43135ca161473d0cd20cb9
- File size: 9,583 bytes
- File name: MS Word Document.docx .vbs
Traffic generated by the VBS file:
- 184.154.24.34 port 80 - indigopoolandoutdoor.com - GET /log.pkp
Final words
Last week, someone at cysinfo.com blogged about similar malspam designed to infect Windows hosts with an Ursnif banking Trojan. This type of password-protection technique in malspam attachments is nothing new. I've certainly seen it before, and some creative Google searching will reveal this started years ago. However, I haven't seen much about this in public forums lately.
Most security professionals assume we all know about it, so it doesn't usually make any headlines. I advise people this is still a thing.
Of course, properly-administered Windows hosts are far less vulnerable to this type of infection. The hosts I use in my lab environment are a different story. If anyone knows of someone who was actually infected from one of these password-protected documents, please share your tale in the comments.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Comments
Anonymous
Mar 21st 2017
7 years ago
https://technet.microsoft.com/en-us/library/cc179125.aspx
As you mentioned each file (and we can assume password too) is customized per payload per email, hence classifying one email or document as malicious in a IDS/IPS/firewall / email filtering system or VirusTotal does not help identify other malicious payloads, because they look completely different.
Anonymous
Mar 21st 2017
7 years ago
https://technet.microsoft.com/en-us/library/cc179125.aspx
As you mentioned each file (and we can assume password too) is customized per payload per email, hence classifying one email or document as malicious in a IDS/IPS/firewall / email filtering system or VirusTotal does not help identify other malicious payloads, because they look completely different.[/quote]
That's a good point. The encrypted version is certainly a different set of bytes than the unencrypted version.
Anonymous
Mar 21st 2017
7 years ago
If you can share what Lab Env. you set up to execute Malicious documents so that we can have the similar set up.
Thank you
Anonymous
Mar 21st 2017
7 years ago
By the way, Brad, I saw your presentation at the EISC a couple weeks ago. Good stuff.
Anonymous
Mar 21st 2017
7 years ago
@Jeff: That's a good policy to set for inbound email. Thanks for the kind words!
Anonymous
Mar 21st 2017
7 years ago
I've got a sample from a few weeks ago. I believe it's ransomware.
Anonymous
Mar 21st 2017
7 years ago
I've got a sample from a few weeks ago. I believe it's ransomware.[/quote]
@m0nst3r, if you submit it through our contact page, someone might be able to look at it. Thanks!
Anonymous
Mar 22nd 2017
7 years ago
Anonymous
Mar 22nd 2017
7 years ago
Anonymous
Mar 22nd 2017
7 years ago