
letsdefend.io challenge — Malicious Doc

Enes Adışen, System Weakness

In this write-up I will briefly try to explain the Malicious Doc challenge from letsdefend.io. You can see the challenge here.

Analyzing a potentially malicious Word document requires a cautious approach to protect your system from harm, and the most crucial step is preparing a secure environment that isolates the document. So, you shouldn’t open the file in your local environment.

Most of the time, VirusTotal, any.run and hybrid-analysis.com should be your best friends during the process.

A file hash is a unique signature for data that helps to identify it in a verifiable way. Getting the hash value of a malicious file is important, as it allows for easy identification and comparison to known hashes, aiding in malware detection and prevention.

If you have downloaded the file onto your protected environment, you may want to learn the hash value of the document. You can simply do this in a Windows environment from PowerShell using Get-FileHash.

As you can see in the output, “05c137d8e79ce59ed6e4b7cd78e5b8a2” is the obtained MD5 hash.

Although this method is quite simple and usable, I prefer to upload the file directly to VirusTotal. All the hash values of the file can be seen in the VirusTotal analysis. We will come to that in the next section.

For further investigation, you can use VirusTotal without having to test the program in your own environment. Go to virustotal.com and search for the hash we obtained, or upload the file directly.

You can see that 42 vendors and 2 sandbox results report that the file is malicious. This shows that our suspicions were correct and the file is not innocent. You can also see the result of each vendor individually.

Now we know the file is malicious and we know the hash value.
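Get-FileHash returns SHA256 unless you pass `-Algorithm MD5`, and it tells you nothing about what the bytes actually are. The script below is an added example (not from letsdefend.io, VirusTotal or the author) of the same static triage done offline in Python: it computes MD5/SHA1/SHA256 in one pass, reads the leading bytes to tell an RTF from an OLE2 or OOXML container, flags a filename whose extension disagrees with that signature, and checks the MD5 against a known-bad set. The only hash in `KNOWN_BAD_MD5` is the one from the write-up; the sample document bytes in the `__main__` block are constructed for the demo.

```python
"""Offline triage of a suspicious document: hashes + file-signature check.

Added example for this write-up; not code from letsdefend.io or the author.
The one MD5 in KNOWN_BAD_MD5 is the challenge file's hash from the write-up;
the sample document bytes at the bottom are constructed for the demo.
"""
import hashlib
from pathlib import Path

# Hashes to pivot on; extend from your own intel feeds.
KNOWN_BAD_MD5 = {
    "05c137d8e79ce59ed6e4b7cd78e5b8a2",
}

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx etc.) is a zip


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA256 hex digests, like Get-FileHash -Algorithm X."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_signature(data: bytes) -> str:
    """Classify the document container from its leading bytes (the 'magic')."""
    head = data[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip/ooxml"
    return "unknown"


def extension_mismatch(filename: str, signature: str) -> bool:
    """True when the name claims one format but the bytes are another,
    e.g. an RTF exploit document saved as invoice.doc."""
    expected = {
        "rtf": {".rtf"},
        "ole2": {".doc", ".xls", ".ppt"},
        "zip/ooxml": {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"},
    }
    if signature not in expected:
        return False
    return Path(filename).suffix.lower() not in expected[signature]


def triage(filename: str, data: bytes, known_bad_md5=KNOWN_BAD_MD5) -> dict:
    """Combine hashes, signature and hash-list lookup into one record."""
    hashes = hash_bytes(data)
    sig = identify_signature(data)
    return {
        **hashes,
        "size": len(data),
        "signature": sig,
        "extension_mismatch": extension_mismatch(filename, sig),
        "known_bad": hashes["md5"] in known_bad_md5,
    }


def triage_file(path: str, known_bad_md5=KNOWN_BAD_MD5) -> dict:
    """Convenience wrapper: triage a file on disk inside your isolated VM."""
    return triage(path, Path(path).read_bytes(), known_bad_md5)


if __name__ == "__main__":
    # Constructed sample: RTF content carrying a .doc extension.
    sample = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Times;}} \\f0 hello}"
    for key, value in triage("invoice.doc", sample).items():
        print(f"{key:20} {value}")
```

Run it against a file with `triage_file("sample.doc")`; the `extension_mismatch` field is the cheap check that would have flagged this challenge file, since a Word document that starts with `{\rtf` is not what its name claims.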
With the knowledge we’ve gained so far, we can answer the first question.

Q1: What type of exploit is running as a result of the relevant file running on the victim machine?

Answer: Although each vendor has its own naming conventions and detection algorithms for identifying and categorizing malware or suspicious files, you should pay attention to the word “rtf”. It’s mentioned in many lines, and it’s also the first tag we come across at the top of the VirusTotal report. (Screenshot below.) So, also using the hint provided by letsdefend.io ({rtf.yyyyyyy}), we can say the type of exploit running as a result of the relevant file running on the victim machine is rtf.exploit.

After that, we can go to the Details section to get more info about the file. Here you can see the detailed properties of the document, including the hash, if you don’t know it yet. These basic attributes might allow you to further identify the file being studied.

The file appears to be an RTF document created with Microsoft Office, containing text and possibly formatted content. Magic (file signature) indicates that it is Rich Text Format data, version 7. TrID analysis identifies it as a Rich Text Format file with 100% certainty.

Continuing with the next question.

Q2: What is the relevant exploit CVE code obtained as a result of the analysis?

Answer: We can easily find the CVE code exploited by the file from the VirusTotal report. If you check the “Security vendors’ analysis” section again, you will see that most of them mention CVE-2017-11882. So the answer is CVE-2017-11882.

The tools we’ve used up to this point provided an overview of the file’s static characteristics, rather than behavioral analysis. We focused on static indicators and metadata about the file, such as hash values, file size, detection ratio, etc.
To answer the following questions, we need to be able to analyze the behavior of the malware. The “Behavior” part of a VirusTotal report shows us the malicious file’s activities and interactions during execution. It includes information on system interactions, process behavior, network communication, and potentially malicious actions.

Q3: What is the name of the malicious software downloaded from the internet as a result of the file running?

Answer: We check that from the “HTTP requests” part under “Network Communication”. The presence of the HTTP request suggests that the file initiated a connection to the specified URL and attempted to download the file named “jan2.exe”. So the answer is jan2.exe.

Q4: What is the IP address and port information it communicates with?

Answer: The “IP traffic” part, which you can see in the same screenshot above, reveals the answer to this question. The file’s network activity shows communication with the IP address “185.36.74.48” on port “80” using the TCP protocol. So the answer is 185.36.74.48:80.

Q5: What is the exe name it drops to disk after it runs?

Answer: Dropped files are interesting files written to disk during sandbox execution. You can check them from the “Files written” part in the “Behavior” section, or you can check “Dropped files” in the “Relations” section. I used the first option. You can see that it writes an exe file named “aro.exe” to “%APPDATA%\” after the execution. So the answer is aro.exe.
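Reading the HTTP requests, IP traffic and files-written sections by eye works for one sample; for a queue of them you want the same three answers pulled out as indicators you can hand to the SOC. The script below is an added example (not code from VirusTotal, letsdefend.io or the author) that does that over a sandbox behavior report. The report dictionary and its key names are constructed to mirror the sections the write-up reads; they are not a documented API schema. The values are the ones from the analysis above, plus a private-network DNS flow and an Office scratch file, both constructed, to show the noise filtering.

```python
"""Pull actionable IoCs out of a sandbox behaviour report.

Added example for this write-up; not code from VirusTotal or the author.
SAMPLE_REPORT and its key names are CONSTRUCTED to mirror the report sections
named in the write-up (HTTP requests, IP traffic, files written); they are not
a documented API schema. Values come from the write-up, plus two constructed
noise entries so the filters have something to drop.
"""
import ipaddress
import ntpath
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".ps1", ".vbs", ".js"}

SAMPLE_REPORT = {
    "http_conversations": [
        {"request_method": "GET", "url": "http://185.36.74.48/jan2.exe"},
    ],
    "ip_traffic": [
        {"destination_ip": "185.36.74.48", "destination_port": 80, "protocol": "TCP"},
        # constructed sandbox-internal DNS chatter; must not become an IoC
        {"destination_ip": "10.0.2.3", "destination_port": 53, "protocol": "UDP"},
    ],
    "files_written": [
        "%APPDATA%\\aro.exe",
        "%TEMP%\\~DF3A1.tmp",   # constructed Office scratch file, not an IoC
    ],
}


def downloaded_file_names(report: dict) -> list:
    """Last path segment of every requested URL, de-duplicated, in order."""
    names = []
    for conv in report.get("http_conversations", []):
        name = urlparse(conv.get("url", "")).path.rsplit("/", 1)[-1]
        if name and name not in names:
            names.append(name)
    return names


def external_endpoints(report: dict) -> set:
    """ip:port/proto for every flow to a globally routable address.
    Private, loopback and link-local destinations are sandbox plumbing."""
    endpoints = set()
    for flow in report.get("ip_traffic", []):
        ip = str(flow.get("destination_ip", ""))
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global:
            continue
        proto = str(flow.get("protocol", "")).lower()
        endpoints.add(f"{ip}:{flow.get('destination_port')}/{proto}")
    return endpoints


def dropped_executables(report: dict) -> list:
    """Basenames of written files with an executable/script extension.
    ntpath handles the Windows-style paths the sandbox records."""
    out = []
    for path in report.get("files_written", []):
        base = ntpath.basename(path)
        if ntpath.splitext(base)[1].lower() in EXECUTABLE_EXTS:
            out.append(base)
    return out


def extract_iocs(report: dict) -> list:
    """Normalise the report into a flat IoC list for blocking or hunting."""
    iocs = [{"type": "filename", "value": n, "context": "downloaded"}
            for n in downloaded_file_names(report)]
    iocs += [{"type": "endpoint", "value": e, "context": "network"}
             for e in sorted(external_endpoints(report))]
    iocs += [{"type": "filename", "value": n, "context": "dropped"}
             for n in dropped_executables(report)]
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_REPORT):
        print(f"{ioc['type']:9} {ioc['value']:24} ({ioc['context']})")
```

The three functions map one-to-one onto Q3, Q4 and Q5: the downloaded name comes from the URL path, the endpoint from the public IP traffic, and the dropped binary from the written-files list filtered by extension. Feed it a real report exported from your sandbox after adjusting the key names to that tool's output.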


