Remote Working
In this LetsDefend challenge, I was given an XLS file to analyze. Before starting, I did a quick search on the format and learned that XLS is the Microsoft Excel workbook format, so I expected to be dealing with some abuse of tables, charts, formulas or external data connections.
I downloaded the archive of interest, "ORDER_SHEET_SPEC.zip", which contained "ORDER SHEET & SPEC.xlsm" (the "m" suffix marks a macro-enabled workbook). Before consulting reputation services to tell me whether it was malicious, I wanted to see the file in action by opening it in a sandbox.
Opening the workbook in AnyRun immediately produced suspicious process activity. First, the Excel process itself spawned a direct child process called "cscript.exe". Looking deeper into that child showed that it opened an HTTPS connection to a Brazilian domain, "multiwaretecnologia[.]com[.]br". It also executed two separate scripts that ran as soon as the file was opened.
Most important, however, was an Equation Editor process (EQNEDT32.EXE) that appeared as the parent of further activity. We had seen this executable abused before: it is the component targeted by CVE-2017-11882, a stack buffer overflow in the Equation Editor shipped with Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1 and 2016, caused by the component failing to properly handle objects in memory, which lets a crafted document run arbitrary code in the context of the current user. A practical caveat when reading the sandbox process tree: Equation Editor is started through DCOM, so it shows up under svchost.exe rather than as a child of Excel, and the link to the document is the timing and the children it spawns, not the parent.
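The two process-tree patterns above (Excel spawning a script host, and Equation Editor spawning anything at all) are the kind of relationship a detection should key on rather than on file hashes. The following is an added example written for this post, not code from LetsDefend or the challenge; the event lines are constructed in a Sysmon-like "ParentImage=...,Image=..." shape for illustration, and the rule names are hypothetical.

```python
"""Flag Office-to-script-host and Equation Editor process chains in
process-creation events. Added example, not part of the original write-up;
SAMPLE_EVENTS is constructed telemetry, not data from the sandbox run."""
import ntpath

# Office hosts that should not normally spawn script interpreters.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Interpreters commonly used as the first stage of a macro/exploit chain.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Equation Editor, the CVE-2017-11882 target. Legitimate use never spawns
# children, and Microsoft removed it from Office in January 2018, so even
# a bare launch is worth a look on a patched estate.
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample lines (hypothetical, Sysmon-style key=value pairs).
SAMPLE_EVENTS = r"""
ParentImage=C:\Windows\explorer.exe,Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,Image=C:\Windows\System32\cscript.exe
ParentImage=C:\Windows\System32\svchost.exe,Image=C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
ParentImage=C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE,Image=C:\Windows\System32\cmd.exe
ParentImage=C:\Windows\explorer.exe,Image=C:\Windows\System32\notepad.exe
"""


def parse_event(line):
    """Return (parent_basename, child_basename), lower-cased, from one event line."""
    fields = dict(part.split("=", 1) for part in line.split(","))
    parent = ntpath.basename(fields["ParentImage"]).lower()
    child = ntpath.basename(fields["Image"]).lower()
    return parent, child


def classify(parent, child):
    """Return a rule name for a suspicious parent/child pair, or None."""
    if parent == EQUATION_EDITOR:
        return "equation-editor-child"        # high: EQNEDT32 never needs children
    if child == EQUATION_EDITOR:
        return "equation-editor-started"      # low: DCOM launch, usually via svchost
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        return "office-spawns-script-host"    # high: classic macro/exploit first stage
    return None


def detect(events):
    """Run classify() over every non-blank line; return (rule, parent, child) hits."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        parent, child = parse_event(line)
        rule = classify(parent, child)
        if rule:
            alerts.append((rule, parent, child))
    return alerts


if __name__ == "__main__":
    for rule, parent, child in detect(SAMPLE_EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

The rules match on basenames only, so a renamed copy of cscript.exe would slip past; in production the image path and signer should be checked as well, and the Equation Editor rule should fire on the launch itself if the Office build in use is newer than January 2018.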
Understanding the history and behaviour of the file guided my data collection. VirusTotal and Hybrid Analysis both showed it flagged as malicious by the large majority of security vendors. One challenge objective was the file's creation date, which I recorded as 2020-02-01.
For the next objective, I recorded that Bitdefender detects the file as "Trojan.GenericKD.36266294."
The malicious file then dropped five files onto disk, three of which mattered for this investigation. I took note of the file "image.emf". EMF files, I learned, are Enhanced Metafiles: Windows' device-independent vector graphics format, a sequence of GDI drawing records that are replayed to whatever output device (screen or printer) renders them. I documented the SHA-256 hash of this file.
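Hashing a dropped file is the first step; checking that it is structurally what its extension claims is the second, since a payload named image.emf need not be a metafile at all. The following is an added example for this post, not code from the challenge or from LetsDefend: it decodes the fixed-layout EMR_HEADER record, walks the record chain to EMR_EOF, and records the SHA-256. SAMPLE_EMF is a constructed minimal metafile (header plus EOF record), not the challenge's image.emf, whose hash is not reproduced here.

```python
"""Triage a dropped .emf: validate the EMF header and record chain, then hash it.
Added example, not from the original write-up. SAMPLE_EMF is constructed."""
import hashlib
import struct

EMR_HEADER = 0x00000001
EMR_EOF = 0x0000000E
ENHMETA_SIGNATURE = 0x464D4520     # the bytes b" EMF" at file offset 40

# ENHMETAHEADER (88 bytes, little-endian): iType, nSize, rclBounds(4), rclFrame(4),
# dSignature, nVersion, nBytes, nRecords, nHandles, sReserved, nDescription,
# offDescription, nPalEntries, szlDevice(2), szlMillimeters(2).
HEADER_FMT = "<II4l4lIIIIHHIIIllll"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 88


def build_sample_emf():
    """Constructed two-record metafile: a header followed by an EMR_EOF record."""
    # EMR_EOF: type, size, nPalEntries, offPalEntries, nSizeLast
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)
    total = HEADER_LEN + len(eof)
    header = struct.pack(HEADER_FMT, EMR_HEADER, HEADER_LEN,
                         0, 0, 99, 99,          # rclBounds, device units
                         0, 0, 2540, 2540,      # rclFrame, 0.01 mm units
                         ENHMETA_SIGNATURE, 0x00010000,
                         total, 2, 1, 0,        # nBytes, nRecords, nHandles, sReserved
                         0, 0, 0,               # no description, no palette
                         1024, 768, 320, 240)   # szlDevice, szlMillimeters
    return header + eof


SAMPLE_EMF = build_sample_emf()


def parse_emf_header(data):
    """Decode and sanity-check EMR_HEADER; raise ValueError on a malformed file."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than an EMF header")
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if f[0] != EMR_HEADER or f[10] != ENHMETA_SIGNATURE:
        raise ValueError("not an EMF: bad record type or signature")
    if f[1] < HEADER_LEN or f[1] > len(data):
        raise ValueError("header size out of range")
    if f[12] != len(data):   # truncated drop or trailing appended data
        raise ValueError(f"nBytes={f[12]} but file is {len(data)} bytes")
    return {
        "version": f[11],
        "bytes": f[12],
        "records": f[13],
        "handles": f[14],
        "description_chars": f[16],
        "frame_0_01mm": f[6:10],
    }


def walk_records(data):
    """Yield (offset, type, size) for each record; stop at EMR_EOF, fail on bad sizes."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            raise ValueError(f"bad record size {size} at offset {off}")
        yield off, rtype, size
        if rtype == EMR_EOF:
            return
        off += size
    raise ValueError("no EMR_EOF record")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(data):
    """Combine header fields, record types and the hash into one evidence record."""
    header = parse_emf_header(data)
    records = list(walk_records(data))
    if len(records) != header["records"]:
        raise ValueError("record count mismatch")
    return {"sha256": sha256_hex(data), **header,
            "record_types": [r[1] for r in records]}


if __name__ == "__main__":
    print(triage(SAMPLE_EMF))
```

A file that fails parse_emf_header() or walk_records() is still worth hashing and keeping, but the failure itself is evidence: an EMF whose declared length or record chain does not match the bytes on disk is either a damaged drop or a container for something else.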
The final objective of this challenge was to identify the exact URL the malicious file contacts to download additional spyware. From the earlier VirusTotal scan, I identified the download source as "https://multiwaretecnologia[.]com[.]br/js/Podaliri4.exe".