
Trojan Dropper: O97M/Farheyt (Stage 1)

Two days after my last blog post I received the following email. It was the first time ever that I received such an email with a malicious document at any of my @evild3ad.com email addresses…and it’s Vawtrak again. 😉

Fig. 1: E-mail w/ malicious attachment (W97M)

Fig. 2: Content of the malicious W97M document (PNG only, no text)

VirusTotal: 8/55 Report

Metadefender: 4/43 Report

Download: order_36557780.doc.zip (password is infected)

Fig. 3: oledump output; the size of stream 12 looks suspicious

Fig. 4: Stream 12 in oledump: embedded PE file which will be dropped to %temp% as t2.gif

Fig. 5: contains_pe_file.yara, a YARA rule that detects a PE file inside a byte sequence

Fig. 6: Extract the embedded PE file w/ pe-carv.py

Fig. 7: Detect and extract the embedded PE file w/ psparser.py
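As an added example (my own code, not the author's, not pe-carv.py and not psparser.py), the detection and carving logic behind Figs. 5 to 7 in Python: find an MZ stub whose e_lfanew field points at a PE signature, then cut the image out using its section table. The OLE stream contents below are constructed for the demo, not taken from order_36557780.doc.

```python
import struct

def find_embedded_pe(data: bytes) -> list:
    """Offsets in data where a plausible PE image starts.

    Same idea as the contains_pe_file YARA rule: an 'MZ' stub whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer.
    """
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def carve_pe(data: bytes, start: int) -> bytes:
    """Carve the PE starting at `start`; its end is the last byte covered by any section."""
    pe = start + struct.unpack_from("<I", data, start + 0x3C)[0]
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size                       # first IMAGE_SECTION_HEADER
    end = (sect - start) + 40 * n_sections          # at least all the headers
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)          # PointerToRawData + SizeOfRawData
    return data[start:start + min(end, len(data) - start)]   # truncate if the image is cut off

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE-shaped blob with one section (demo input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header follows the DOS stub
    opt_size = 0x10
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = struct.pack("<8sIIII", b".text", 0x20, 0x1000, 0x20, 0xA0) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section
    return hdr + bytes(0xA0 - len(hdr)) + b"\xCC" * 0x20   # pad to PointerToRawData, then raw data

# Constructed stand-in for an OLE stream: junk, a decoy 'MZ' with no PE header, the PE, more junk.
SAMPLE_STREAM = bytes(0x20) + b"MZ decoy without a PE header" + bytes(0x60) + build_sample_pe() + bytes(8) + b"trailing junk"

if __name__ == "__main__":
    for off in find_embedded_pe(SAMPLE_STREAM):
        blob = carve_pe(SAMPLE_STREAM, off)
        print(f"PE found at offset {off:#x}, carved {len(blob)} bytes")
```

On a real document, feed it the raw bytes of the suspicious stream (e.g. oledump's dump of stream 12) and write the carved bytes to a file for hashing and sandbox submission.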

Fig. 8: Document-Inspector: fingerprinting and check via VirusTotal and Metadefender

Fig. 9: Document-Inspector: analyzing w/ oletools

Fig. 10: Document-Inspector: analyzing extracted strings

Fig. 11: Document-Inspector: analyzing w/ psparser.py and YARA

Fig. 12: Document-Inspector: checking submissions to public sandboxes

Fig. 13: Document-Inspector: PCAP analysis

Links:
VirusTotal – Malicious Document
Metadefender – Malicious Document
VirusTotal – Carved Executable (Fareit aka Pony)
VirusTotal – Downloaded Executable (Vawtrak aka Neverquest)
Didier Stevens – YARA rules
Phishme – Using RTF Files as a Delivery Vector for Malware
Phishme@GitHub – psparser.py