Quick malware analysis with Linux tools
Peek Inside
Forensic experts can't just delete a sketchy file – sometimes the challenge is to see what is in it without triggering an attack. Learn about some of the tools investigators use for analyzing suspicious files.
The number of online threats increases every year. Phishing attacks, for example, are growing more sophisticated and are often prepared in such a way that it is very difficult to distinguish a malicious message from a legitimate one. Analysts are often challenged with determining whether a file, such as a file sent to an email address, is malicious or not. If the file does turn out to be malicious, the next questions are what are the contents and what task is it supposed to perform?
When it comes to analyzing potentially malicious files, distributions that are adapted to malware analysis come in handy. The REMnux forensic toolkit and SIFT Workstation, for instance, are examples of toolkits designed for digital forensics tasks.
What Is It?
I'll show you an example of how an investigator might analyze a potential malware file. The Qbot malware is often used to attack user mailboxes. Qbot, which is also known as Qakbot, is a banking Trojan that has been around for over a decade. The first version was found in 2007. Since then, it has been constantly maintained and developed.
The Qbot campaign I will analyze for this article was sent in 2021 and delivered in three versions: via a link, an attachment, and a graphic element displaying a malicious URL in the message. After clicking on the malicious link, the user is redirected to the page with the malicious archive. The archive contains a malicious Excel (.xlsb) file.
In this case, the archive has the filename eqlauo-lsneeqtutninnui-o.zip.
The best way to start the file identification is with the sha256sum command [1], which computes the SHA-256 checksum of the file. Malware transforms into new versions very quickly and efficiently, and the way it is delivered can vary. With each download, even from the same URL, you might receive a file with a different checksum, which makes signature-based detection difficult. However, it is worth trying a checksum just in case. Having the checksum will also help you organize the analysis and create a report. The file hash will allow you to check the file on the VirusTotal platform [2]:
sha256sum eqlauo-lsneeqtutninnui-o.zip
3D1386A83BCAA67760B861C106FE44B8A141D9872D49C879A59EA10594EBF0FD  eqlauo-lsneeqtutninnui-o.zip
When you unpack the archive, you will get a file named NK-1545671800.xlsb (Figure 1), which you can also get a checksum for using sha256sum:
sha256sum NK-1545671800.xlsb
9eaca5539a69a0de18e26aa81044eef3fa151a0caae5fa58f08b23af79fd7801  NK-1545671800.xlsb
The file command [3] and TrID [4] will come in handy when identifying a file. TrID identifies file types based on their signatures. You will get the results in percentages ordered from most likely to least likely (Listing 1). This is very helpful because the selections that TrID gives you are sometimes more accurate than those offered by other signature-based tools.
Listing 1
TrID Analysis
trid NK-1545671800.xlsb
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 13923
Analyzing...
Collecting data from file: NK-1545671800.xlsb
62.2% (.XLSB) Excel Binary workbook (93021/2/14)
22.7% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
11.7% (.ZIP) Open Packaging Conventions container (17500/1/4)
2.6% (.ZIP) ZIP compressed archive (4000/1)
0.6% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
The file command helps determine the file type. The command ignores the file extension and instead runs a series of tests to identify the file:
file NK-1545671800.xlsb
NK-1545671800.xlsb: Microsoft Excel 2007+
Listing 1 tells us that the file is most likely an .xlsb file, which is an Excel Binary Spreadsheet, so I turn my attention to another tool called ExifTool [5]. The ExifTool utility is a Perl framework written by Phil Harvey that was originally designed to extract the Exif content from image files. You can use ExifTool to view metadata from both photos and .xlsb files (Listing 2).
Listing 2
Viewing Data with ExifTool
exiftool NK-1545671800.xlsb
ExifTool Version Number         : 12.16
File Name                       : NK-1545671800.xlsb
Directory                       : .
File Size                       : 124 KiB
File Modification Date/Time     : 2022:01:25 02:58:56-05:00
File Access Date/Time           : 2022:02:22 08:33:10-05:00
File Inode Change Date/Time     : 2022:02:07 09:17:53-05:00
File Permissions                : rw-r--r--
File Type                       : XLSB
File Type Extension             : xlsb
MIME Type                       : application/vnd.ms-excel.sheet.binary.macroEnabled
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x322badb4
Zip Compressed Size             : 596
Zip Uncompressed Size           : 3778
Zip File Name                   : [Content_Types].xml
Creator                         : Admin
Last Modified By                : Admin
Create Date                     : 2015:06:05 18:19:34Z
Modify Date                     : 2022:01:25 07:50:09Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : ?????, 4, ??????? Excel 4.0, 8
Titles Of Parts                 : Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, Vuk7
Company                         :
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300
In Listing 2, one of the more interesting results is the list of sheet names, which is revealed in Titles Of Parts. This information might be useful in the next stages of the analysis. The names of these sheets look a bit suspicious, so it's worth coming back to them.
Once I have identified the file and I know that it is an Excel document, I can analyze the contents of the file. I will use the XLMMacroDeobfuscator tool [6]. You can use XLMMacroDeobfuscator to decode macros in XLM files, also known as Excel 4.0 macros. The tool supports the .xls, .xlsm, and .xlsb formats. For the analysis, I'll use the following command:
xlmdeobfuscator -f NK-1545671800.xlsb
The output is shown in Figure 2.
An alternative to the XLMMacroDeobfuscator tool is zipdump.py [7], which lists and extracts the members of a ZIP container such as an Office document. Use the -s switch to specify the index of a member and the -d switch to dump it raw; for example, -s 3 -d extracts the file at index 3 from a .pptx file to STDOUT.
I'll pipe the output of zipdump.py into the strings command, which extracts printable character sequences from binary data; the --encoding=l option (the l stands for 16-bit little endian) tells strings to look for UTF-16LE text rather than plain ASCII:
zipdump.py eqlauo-lsneeqtutninnui-o.zip -s 6 -d | strings --encoding=l
The results of this command are shown in Figure 3.
Enabling macros in this Excel document would result in running an XLM macro (Excel 4.0). The dangerous macro is triggered by the auto_open event, which refers to one of the hidden sheets containing the malicious code. The sheets were already visible during the analysis with ExifTool (see Listing 2): Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, and Vuk7. The analysis with XLMMacroDeobfuscator reveals that, by calling the function Kernel32.CreateDirectoryA("C:\Rimta"), the macro creates the Rimta folder on the C: drive and then downloads three files named uxx1.ocx, uxx2.ocx, and uxx3.ocx into it using the URLDownloadToFileA() function. The analysis also reveals some of the indicators for this attack, including the links from which the malicious .ocx files are downloaded: elmamamobil[.]com, irrigakit.com[.]br, and lms.chavest[.]com.
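The steps above (hashing the sample, reading the container's declared content type, pulling the Titles Of Parts sheet list that ExifTool showed in Listing 2, and carving UTF-16LE strings the way strings --encoding=l does) can be reproduced without any of those tools using only Python's standard library. This is an added example, not code from the article; the workbook it builds is a constructed stand-in for a macro-bearing .xlsb, and the assumption that Excel 4.0 macro sheets live under xl/macrosheets/ is mine, not something the article states.

```python
"""Offline triage of an OOXML/XLSB container: sha256, declared content types,
the sheet names ExifTool prints as "Titles Of Parts", Excel 4.0 macrosheet parts,
and UTF-16LE strings carved like `strings --encoding=l` (added example; the
workbook built below is constructed, not the Qbot sample from the article)."""
import hashlib, io, re, zipfile
import xml.etree.ElementTree as ET

EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
VT = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"

def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    # Printable ASCII stored as UTF-16LE is a run of (0x20-0x7e, 0x00) byte pairs.
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

def triage(data: bytes) -> dict:
    info = {"sha256": hashlib.sha256(data).hexdigest(), "content_types": [],
            "sheets": [], "macrosheet_parts": [], "strings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        info["content_types"] = re.findall(r'ContentType="([^"]+)"', ctypes)
        # Every .xlsb declares a macroEnabled type, so that alone proves nothing;
        # xl/macrosheets/ parts are the real Excel 4.0 macro indicator (assumption).
        if "docProps/app.xml" in names:
            parts = ET.fromstring(z.read("docProps/app.xml")).find(EP + "TitlesOfParts")
            if parts is not None:
                info["sheets"] = [e.text for e in parts.iter(VT + "lpstr")]
        info["macrosheet_parts"] = [n for n in names if n.startswith("xl/macrosheets/")]
        for n in info["macrosheet_parts"]:
            info["strings"] += utf16le_strings(z.read(n))
    return info

def build_sample() -> bytes:
    # Constructed stand-in for a macro-bearing .xlsb; sheet names borrowed from Listing 2.
    app_xml = ('<Properties xmlns="%s" xmlns:vt="%s"><TitlesOfParts>'
               '<vt:vector size="3" baseType="lpstr"><vt:lpstr>Sheet</vt:lpstr>'
               '<vt:lpstr>CCwdbuk1</vt:lpstr><vt:lpstr>Vuk1</vt:lpstr></vt:vector>'
               '</TitlesOfParts></Properties>') % (EP[1:-1], VT[1:-1])
    ctypes = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/xl/workbook.bin" '
              'ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/></Types>')
    macro = (b"\x00\x01" + "Auto_Open".encode("utf-16-le") + b"\xff\xfe"
             + "C:\\Rimta".encode("utf-16-le") + b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("docProps/app.xml", app_xml)
        z.writestr("xl/macrosheets/sheet1.bin", macro)
    return buf.getvalue()
```

Running triage(open("sample.xlsb", "rb").read()) on a real workbook gives the same dictionary; the carved strings from a macrosheet are where names like Auto_Open or a C:\ path first show up before a deobfuscator is even needed.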
Conclusion
Most experienced users today are aware that it is better not to click on a file if you don't know what it is. However, the tools that will help you determine what it is are less widely known. This article described some of the tools investigators use to probe the contents of a file without clicking on it. Nowadays, such skills are very useful.
Infos
- sha256sum: https://www.gnu.org/software/coreutils/sha256sum
- VirusTotal: https://virustotal.com
- file: https://darwinsys.com/file/
- TrID: https://mark0.net/soft-trid-e.html
- ExifTool: https://exiftool.org/
- XLMMacroDeobfuscator: https://github.com/DissectMalware/XLMMacroDeobfuscator
- zipdump.py: https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py