The number of online threats increases every year. Phishing attacks, for example, are growing more sophisticated and are often prepared in such a way that it is very difficult to distinguish a malicious message from a legitimate one. Analysts are often challenged with determining whether a file, such as a file sent to an email address, is malicious or not. If the file does turn out to be malicious, the next questions are what are the contents and what task is it supposed to perform?

When it comes to analyzing potentially malicious files, distributions that are adapted to malware analysis come in handy. The REMnux forensic toolkit and SIFT Workstation, for instance, are examples of toolkits designed for digital forensics tasks.

What Is It?

I'll show you an example of how an investigator might analyze a potential malware file. The Qbot malware is often used to attack user mailboxes. Qbot, which is also known as Qakbot, is a banking Trojan that has been around for over a decade. The first version was found in 2007. Since then, it has been constantly maintained and developed.

The Qbot campaign I will analyze for this article was sent in 2021 and delivered in three versions: via a link, an attachment, and a graphic element displaying a malicious URL in the message. After clicking on the malicious link, the user is redirected to the page with the malicious archive. The archive contains a malicious Excel (.xlsb) file.

In this case, the archive has the filename eqlauo-lsneeqtutninnui-o.zip.

The best way to start the file identification is with the sha254sum command [1]; the command checks the checksum of the file. Malware transforms into new versions very quickly and efficiently, and the way it is delivered can vary. With each download, even from the same URL, you might receive a file with a different checksum, which makes signature-based detection difficult. However, it is worth trying a checksum just in case. Having the checksum will also help you organize the analysis and create a report. The file signature will allow you to check the file on the VirusTotal platform [2]:

sha256sum eqlauo-lsneeqtutninnui-o.zip
3D1386A83BCAA67760B861C106FE44B8A141D9872D49C879A59EA10594EBF0FDeqlauo-lsneeqtutninnui-o.zip

When you unpack the archive, you will get a file named NK-1545671800.xlsb (Figure 1), which you can also get a checksum for using sha256sum:

sha256sum NK-1545671800.xlsb
9eaca5539a69a0de18e26aa81044eef3fa151a0caae5fa58f08b23af79fd7801NK-1545671800.xlsb

Figure 1: Malicious Excel file NK-1545671800.xlsb.

The file command [3] and TrID [4] will come in handy when identifying a file. TrID identifies file types based on their signatures. You will get the results in percentages ordered from most likely to least likely (Listing 1). This is very helpful because the selections that TrID gives you are sometimes more accurate than those offered by other signature-based tools.

trid NK-1545671800.xlsb
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found:  13923
Analyzing...
Collecting data from file: NK-1545671800.xlsb
 62.2% (.XLSB) Excel Binary workbook (93021/2/14)
 22.7% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
 11.7% (.ZIP) Open Packaging Conventions container (17500/1/4)
  2.6% (.ZIP) ZIP compressed archive (4000/1)
  0.6% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)

The file command helps determine the file type. The command ignores the file extension and instead runs a series of tests to identify the file:

file NK-1545671800.xlsb
NK-1545671800.xlsb: Microsoft Excel 2007+

Listing 1 tells us that the file is most likely an .xlsb file, which is an Excel Binary Spreadsheet, so I turn my attention to another tool called ExifTool [5]. The ExifTool utility is a Perl framework written by Phil Harvey that was originally designed to extract the Exif content from image files. You can use ExifTool to view metadata from both photos and .xlsb files (Listing 2).

exiftool NK-1545671800.xlsb
ExifTool Version Number         : 12.16
File Name                       : NK-1545671800.xlsb
Directory                       : .
File Size                       : 124 KiB
File Modification Date/Time     : 2022:01:25 02:58:56-05:00
File Access Date/Time           : 2022:02:22 08:33:10-05:00
File Inode Change Date/Time     : 2022:02:07 09:17:53-05:00
File Permissions                : rw-r--r--
File Type                       : XLSB
File Type Extension             : xlsb
MIME Type                       : application/vnd.ms-excel.sheet.binary.macroEnabled
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x322badb4
Zip Compressed Size             : 596
Zip Uncompressed Size           : 3778
Zip File Name                   : [Content_Types].xml
Creator                         : Admin
Last Modified By                : Admin
Create Date                     : 2015:06:05 18:19:34Z
Modify Date                     : 2022:01:25 07:50:09Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : ?????, 4, ??????? Excel 4.0, 8
Titles Of Parts                 : Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, Vuk7
Company                         :
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300

In Listing 2, one of the more interesting results is the names of the sheets, which are revealed in Titles Of Parts. This information might be useful in the next stages of the analysis. The names of these sheets look a bit suspicious, so it's worth going back to it.

Once I have identified the file and I know that it is an Excel document, I can analyze the contents of the file. I will use the XLMMacroDeobfuscator tool [6]. You can use XLMMacroDeobfuscator to decode macros in XLM files, also known as Excel 4.0 macros. The tool supports .xls, .xlsm, and .xlsb formats. For the analysis, I'll use the following command:

xlmdeobfuscator -f NK-1545671800.xlsb

The output is shown in Figure 2.

Figure 2: Decoding macros with XLMMacroDeobfuscator.

An alternative to the XLMMacroDeobfuscator tool is zipdump.py [7]. Use the -s switch to specify an index and the -d switch for a raw dump. Extract the file at index 3 from the .pptx file to STDOUT.

I'll follow zipdump.py with a string command that encodes the data; the l option means 16-bit little endian:

zipdump.py eqlauo-lsneeqtutninnui-o.zip -s 6 -d | strings --encoding=l

The results of this command are shown in Figure 3.

Figure 3: zipdump.py results.

Enabling macros in an Excel document would result in running an XLM macro (Excel 4.0). The dangerous macro is triggered by the auto_open event, which refers to one of the hidden sheets containing the malicious code. Sheets can be seen during the analysis using ExifTool tool (see Listing 2): Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, and Vuk7. The analysis with XLMMacroDeobfuscator reveals that, by calling the function Kernel32.CreateDirectoryA("C:\Rimta"), the Rimta folder is created on the C: drive, to which three files named uxx1.ocx, uxx2.ocx, and uxx3.ocx are copied using the URLDownloadToFileA() function. The analysis also reveals some of the indicators for this attack, including links where the malicious .ocx files will be downloaded: elmamamobil[.]com, irrigakit.com[.]br, lms.chavest[.]com.

Conclusion

Most experienced users today are aware that it is better not to click on a file if you don't know what it is. However, the tools that will help you determine what it is are less widely known. This article described some of the tools investigators use to probe the contents of a file without clicking on it. Nowadays, such skills are very useful.