Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Analyzing PDF Malware - Part 3C

Let me explain, no there is too much, let me sum up…

This is part 3C in the ongoing saga of the Analyzing PDF Malware series. If you haven't read any of the preceding posts you can find them all right here: Part1, Part2, Part3A  and Part3B. We will be building off our analysis from those posts. This post contains two embedded videos. The videos are best viewed in full screen HD mode.

...

We statically analyzed the previously extracted and deobfuscated shellcode in Part3B. Today's goal is to analyze the same shellcode, but this time we will be running the code in a sandboxed virtual environment using distinct methods and employing a variety of tools. These methodologies will be demonstrated through embedded videos complete with techno music which is obviously required for all such demos.

The Hamster Wheel…

Since we cannot just purely execute the shellcode in its current form, we need to first do a bit of work to prepare. I mentioned some tools for creating a standalone executable from shellcode in this excerpt from Part3A:

There are helpful resources floating around out there both as a web service, or if your code is potentially sensitive, as a stand-alone script.

One of the benefits of dynamic analysis is that we don't necessarily need to deobfuscate the shellcode to run it. The code needs to decode itself to actually run, so we can leave that tedious work to the malware. We don't specifically care about the syntactic code itself, but rather in the resulting behaviors demonstrated by that code. It is a very subtle viewpoint shift. Ultimately it can often result in getting answers more quickly than through static analysis. *fair warning* Ok, that being said, it should be noted that dynamic analysis without some form of additional static analysis follow-up could potentially leave functionality undiscovered, such as conditional branches that rely on specific environment triggers or command line arguments. If you are anything like me, those "what-if" questions may tend to drive you crazy. The point is, dynamic analysis is only one view into a piece of malware and it is often an incomplete view at that.

On with the show…

We have extracted a significant amount of valuable information from our static analysis using IDA. Now let's circle back as promised to see the code run dynamically in a sandboxed virtual machine. During this analysis we can confirm the previously identified functionality, as well as look for new clues or any additional bits of "interesting". Yes, I just nouned an adjective. If you completed the assigned task of creating a PE wrapper for the shellcode, we can simply execute the binary while running a collection of monitoring tools inside our VM as shown in the following video.

 


Vid1. - PDF Shellcode analyzed within a Virtual Machine (click fullscreen for detail)

 

We can dig even deeper by loading up that same binary into a debugger, setting break points at key instructions that we hand picked from our static analysis (Part3B), and inspecting the registers and memory locations along the way as demonstrated in the video that follows.

 


Vid2. - PDF Shellcode debugging within a Virtual Machine (click fullscreen for detail)

 

That was fun…

The previous videos absolutely confirm our findings gathered during the inspection of the disassembled code. By popping up the calculator application 'calc.exe' within our virtual environment we know that additional unknown malware is being actively downloaded from a specific domain and is masquerading itself as a temporary PHP file in the local system cache. The shellcode then executes that newly downloaded file before terminating itself. So what is the shellcode actually trying to download? What does that new binary try to do on our system? In the next post of the Analyzing PDF Malware series we will investigate exactly those questions. Until then…

--@Rnast

Tools Used:

  • Ollydbg - OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows.
  • Inetsim - Internet Services Simulation Suite
  • CaptureBAT - A behavioral analysis tool of applications for the Win32 operating system family.
  • ApateDNS - ApateDNS is a tool for controlling DNS responses though an easy to use GUI.

Latest SpiderLabs Blogs

Network Isolation for DynamoDB with VPC Endpoint

DynamoDB is a fully managed NoSQL database service offered by Amazon Web Services (AWS). It is renowned for its scalability, dependability, and easy connection with other AWS services....

Read More

The Underdog of Cybersecurity: Uncovering Hidden Value in Threat Intelligence

Threat Intelligence, or just TI, is sometimes criticized for possibly being inaccurate or outdated. However, there are compelling reasons to incorporate it into your cybersecurity defense strategy....

Read More

Clockwork Blue: Automating Security Defenses with SOAR and AI

It’s impractical to operate security operations alone, using manual human processes. Finding opportunities to automate SecOps is an underlying foundation of Zero Trust and an essential architecture...

Read More