Quick malware analysis with Linux tools
Peek Inside
Forensic experts can't just delete a sketchy file – sometimes the challenge is to see what is in it without triggering an attack. Learn about some of the tools investigators use for analyzing suspicious files.
The number of online threats increases every year. Phishing attacks, for example, are growing more sophisticated and are often prepared in such a way that it is very difficult to distinguish a malicious message from a legitimate one. Analysts are often challenged with determining whether a file, such as a file sent to an email address, is malicious or not. If the file does turn out to be malicious, the next questions are what are the contents and what task is it supposed to perform?
When it comes to analyzing potentially malicious files, distributions that are adapted to malware analysis come in handy. The REMnux forensic toolkit and SIFT Workstation, for instance, are examples of toolkits designed for digital forensics tasks.
What Is It?
I'll show you an example of how an investigator might analyze a potential malware file. The Qbot malware is often used to attack user mailboxes. Qbot, which is also known as Qakbot, is a banking Trojan that has been around for over a decade. The first version was found in 2007. Since then, it has been constantly maintained and developed.
The Qbot campaign I will analyze for this article was sent in 2021 and delivered in three versions: via a link, an attachment, and a graphic element displaying a malicious URL in the message. After clicking on the malicious link, the user is redirected to the page with the malicious archive. The archive contains a malicious Excel (.xlsb) file.
In this case, the archive has the filename eqlauo-lsneeqtutninnui-o.zip.
The best way to start identifying the file is with the sha256sum command [1], which computes the SHA-256 hash of the file. Malware is repacked quickly and delivered in many variants, and with each download, even from the same URL, you may receive a file with a different hash, which makes hash-based detection unreliable. It is still worth computing: the hash lets you look the sample up on the VirusTotal platform [2] (a hit only tells you someone has already seen these exact bytes; a miss proves nothing), and it pins down exactly which sample your notes and report describe:
sha256sum eqlauo-lsneeqtutninnui-o.zip
3D1386A83BCAA67760B861C106FE44B8A141D9872D49C879A59EA10594EBF0FD  eqlauo-lsneeqtutninnui-o.zip
When you unpack the archive, you get a file named NK-1545671800.xlsb (Figure 1), which you hash the same way:
sha256sum NK-1545671800.xlsb
9eaca5539a69a0de18e26aa81044eef3fa151a0caae5fa58f08b23af79fd7801  NK-1545671800.xlsb
The file command [3] and TrID [4] will come in handy when identifying a file. TrID identifies file types from byte-pattern signatures and reports its candidates as percentages, ordered from most likely to least likely (Listing 1). This is helpful because TrID's guesses are sometimes more specific than those of other signature-based tools: here it distinguishes the Excel binary workbook (.xlsb) from a generic Office Open XML document or plain ZIP archive, all of which share the same container format.
Listing 1
TrID Analysis
trid NK-1545671800.xlsb
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 13923
Analyzing...
Collecting data from file: NK-1545671800.xlsb
 62.2% (.XLSB) Excel Binary workbook (93021/2/14)
 22.7% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
 11.7% (.ZIP) Open Packaging Conventions container (17500/1/4)
  2.6% (.ZIP) ZIP compressed archive (4000/1)
  0.6% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
The file command also determines the file type. It ignores the file extension, which an attacker controls, and instead runs a series of tests on the content, starting with the magic bytes:
file NK-1545671800.xlsb
NK-1545671800.xlsb: Microsoft Excel 2007+
Listing 1 tells us that the file is most likely an .xlsb file, an Excel binary workbook, so I turn my attention to another tool, ExifTool [5]. ExifTool is a Perl framework written by Phil Harvey that was originally designed to extract Exif metadata from image files, but it also understands Office Open XML containers, so it can read the document properties of an .xlsb file without opening it in Excel (Listing 2).
Listing 2
Viewing Data with ExifTool
exiftool NK-1545671800.xlsb
ExifTool Version Number         : 12.16
File Name                       : NK-1545671800.xlsb
Directory                       : .
File Size                       : 124 KiB
File Modification Date/Time     : 2022:01:25 02:58:56-05:00
File Access Date/Time           : 2022:02:22 08:33:10-05:00
File Inode Change Date/Time     : 2022:02:07 09:17:53-05:00
File Permissions                : rw-r--r--
File Type                       : XLSB
File Type Extension             : xlsb
MIME Type                       : application/vnd.ms-excel.sheet.binary.macroEnabled
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x322badb4
Zip Compressed Size             : 596
Zip Uncompressed Size           : 3778
Zip File Name                   : [Content_Types].xml
Creator                         : Admin
Last Modified By                : Admin
Create Date                     : 2015:06:05 18:19:34Z
Modify Date                     : 2022:01:25 07:50:09Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : ?????, 4, ??????? Excel 4.0, 8
Titles Of Parts                 : Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, Vuk7
Company                         :
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300
Three lines in Listing 2 deserve attention. MIME Type already identifies the document as a macro-enabled binary workbook (application/vnd.ms-excel.sheet.binary.macroEnabled), so there is macro code in it before we have looked at a single cell. Heading Pairs counts the parts of the workbook by kind: 4 parts under the first (garbled) heading and 8 under a heading containing "Excel 4.0", in other words eight Excel 4.0 macro sheets. Titles Of Parts lists the sheet names in the same order, so the last eight names belong to those macro sheets. This information will be useful in the next stages of the analysis; the sheet names look suspicious, and it is worth coming back to them.
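The reads that file, TrID, and ExifTool perform above can also be done directly, because an .xlsb file is an OPC (ZIP) container holding XML parts. The following Python script is an added example, not code from the article or from any of the tools it discusses: it hashes the file, checks the ZIP magic, lists the container entries with zipdump.py-style 1-based indices, reads [Content_Types].xml to see whether the workbook part is declared macro-enabled and how many macro sheet parts exist, and groups Titles Of Parts by Heading Pairs from docProps/app.xml so that the names under the Excel 4.0 heading (the XLM macro sheets) are separated from ordinary worksheets. The file it analyzes is a constructed stand-in for NK-1545671800.xlsb that reuses the twelve sheet names from Listing 2 and carries no macro code; the English heading "Excel 4.0 Macros" is assumed where Listing 2 shows a garbled label.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Clark-notation namespaces of the OPC/OOXML parts this script reads.
NS_CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
NS_APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
NS_VT = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"


def parse_app_xml(xml_bytes: bytes) -> dict:
    """Group TitlesOfParts by HeadingPairs. HeadingPairs is a vector of
    (lpstr heading, i4 count) variants and the titles follow in the same
    order, so the slice under an Excel 4.0 heading is the XLM macro sheets."""
    root = ET.fromstring(xml_bytes)
    pairs = []
    vec = root.find(f"{NS_APP}HeadingPairs/{NS_VT}vector")
    variants = list(vec) if vec is not None else []
    for i in range(0, len(variants) - 1, 2):
        heading = variants[i].find(f"{NS_VT}lpstr")
        count = variants[i + 1].find(f"{NS_VT}i4")
        if heading is not None and count is not None:
            pairs.append((heading.text, int(count.text)))
    titles = [e.text for e in root.findall(f"{NS_APP}TitlesOfParts/{NS_VT}vector/{NS_VT}lpstr")]
    groups, pos = {}, 0
    for heading, count in pairs:
        groups[heading] = titles[pos:pos + count]
        pos += count
    return groups


def triage_ooxml(data: bytes) -> dict:
    """Static look inside an OOXML container. The document is never opened in Office."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "is_zip": data[:2] == b"PK",
              "macro_enabled": False, "macro_parts": [], "sheet_groups": {}, "entries": []}
    if not report["is_zip"]:
        return report  # not an OPC/ZIP container; hand it to file/TrID instead
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # zipdump.py-style listing: the 1-based index is what its -s switch selects
        report["entries"] = [(i + 1, zi.filename, zi.file_size) for i, zi in enumerate(zf.infolist())]
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            for el in ET.fromstring(zf.read("[Content_Types].xml")).iter():
                ct = el.get("ContentType", "")
                if "macroEnabled" in ct:  # workbook part declared as macro-enabled
                    report["macro_enabled"] = True
                if "macrosheet" in ct.lower() and el.get("PartName"):  # an Excel 4.0 macro sheet part
                    report["macro_parts"].append(el.get("PartName"))
        if "docProps/app.xml" in names:
            report["sheet_groups"] = parse_app_xml(zf.read("docProps/app.xml"))
    return report


def build_sample() -> bytes:
    """Constructed stand-in for NK-1545671800.xlsb: reuses the twelve sheet
    names from the article's ExifTool listing but contains no macro code."""
    sheets = ["Sheet", "CCwdbuk1", "Sssssbvr1", "Sssssbvr2", "GERGEGSFWG"] + [f"Vuk{i}" for i in range(1, 8)]
    overrides = "".join(
        f'<Override PartName="/xl/macrosheets/sheet{i}.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
        for i in range(1, 9))
    content_types = (
        f'<Types xmlns="{NS_CT[1:-1]}">'
        '<Override PartName="/xl/workbook.bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>'
        f"{overrides}</Types>")
    variants = ('<vt:variant><vt:lpstr>Worksheets</vt:lpstr></vt:variant><vt:variant><vt:i4>4</vt:i4></vt:variant>'
                '<vt:variant><vt:lpstr>Excel 4.0 Macros</vt:lpstr></vt:variant><vt:variant><vt:i4>8</vt:i4></vt:variant>')
    titles = "".join(f"<vt:lpstr>{s}</vt:lpstr>" for s in sheets)
    app_xml = (f'<Properties xmlns="{NS_APP[1:-1]}" xmlns:vt="{NS_VT[1:-1]}">'
               f'<HeadingPairs><vt:vector size="4" baseType="variant">{variants}</vt:vector></HeadingPairs>'
               f'<TitlesOfParts><vt:vector size="12" baseType="lpstr">{titles}</vt:vector></TitlesOfParts>'
               '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("xl/workbook.bin", b"\x00" * 16)  # placeholder, not a real BIFF12 stream
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_ooxml(build_sample())
    print("sha256:", r["sha256"])
    print("macro-enabled:", r["macro_enabled"], "| macro sheet parts:", len(r["macro_parts"]))
    for heading, names in r["sheet_groups"].items():
        print(f"{heading}: {', '.join(names)}")
```

On a real sample, replace build_sample() with the bytes of the file under analysis (run it on the analysis VM, never on the workstation that receives mail). The grouping step is what turns the opaque "Excel 4.0, 8" count in Listing 2 into a concrete list of macro sheet names to hunt for.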
Once I have identified the file and I know that it is a macro-enabled Excel workbook, I can analyze its contents. I will use XLMMacroDeobfuscator [6], which emulates and deobfuscates XLM macros, also known as Excel 4.0 macros, without running them in Excel. The tool supports the .xls, .xlsm, and .xlsb formats. For the analysis, I'll use the following command:
xlmdeobfuscator -f NK-1545671800.xlsb
The output is shown in Figure 2.
An alternative to XLMMacroDeobfuscator is zipdump.py [7], which treats an Office Open XML document as the ZIP container it is. Run it on the file with no options to list the entries and their indices; then use the -s switch to select an entry by index and the -d switch to dump that entry's raw bytes to stdout.
I pipe the output of zipdump.py into the strings command; the --encoding=l option makes strings look for 16-bit little-endian (UTF-16LE) characters, which is how the binary sheet streams store cell text, so a plain strings run would miss them:
zipdump.py eqlauo-lsneeqtutninnui-o.zip -s 6 -d | strings --encoding=l
The results of this command are shown in Figure 3.
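To make explicit what the strings --encoding=l step recovers, and how the indicators discussed next (drop folder, API names, download domains) are pulled out of that text and defanged for a report, here is an added Python example. It is not part of the article, of zipdump.py, or of GNU strings: it reimplements the 16-bit little-endian scan (both byte alignments, so a string starting at an odd offset is not lost), then extracts URLs, Windows paths and a small watch list of WinAPI names from the result. The input is a constructed byte blob standing in for the sheet bytes that zipdump.py -d prints; the API watch list and the regular expressions are the example's own choices.

```python
import re

# WinAPI names that XLM droppers commonly import via REGISTER/CALL.
# Illustrative watch list for the example, not an exhaustive one.
SUSPECT_APIS = ("URLDownloadToFileA", "CreateDirectoryA", "ShellExecuteA", "WinExec", "CreateProcessA")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>]*")


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Same idea as `strings --encoding=l`: runs of printable ASCII stored as
    16-bit little-endian code units (low byte printable, high byte zero).
    Both byte alignments are scanned so an odd-offset string is not missed."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(data) - 1, 2):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def defang(url: str) -> str:
    """hxxp://host[.]tld/path: the scheme and host are neutralised, the path is kept."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower().replace("tt", "xx") + "://" + host.replace(".", "[.]") + slash + path


def extract_iocs(strs: list[str]) -> dict:
    """Pull URLs, Windows paths and watch-listed API names out of recovered strings."""
    iocs = {"urls": [], "paths": [], "apis": []}
    for s in strs:
        iocs["urls"] += [defang(u) for u in URL_RE.findall(s)]
        iocs["paths"] += WINPATH_RE.findall(s)
        iocs["apis"] += [api for api in SUSPECT_APIS if api in s]
    return {k: list(dict.fromkeys(v)) for k, v in iocs.items()}


def build_sample_blob() -> bytes:
    """Constructed stand-in for the bytes zipdump.py -d emits for a macro sheet:
    UTF-16LE cell values separated by NUL pairs, one ASCII-only decoy that a
    UTF-16 scan must not report, and one string pushed to an odd offset.
    The folder, file and domain names are the indicators the article lists."""
    cells = ["Kernel32", "CreateDirectoryA", "C:\\Rimta", "URLDownloadToFileA",
             "http://elmamamobil.com/", "C:\\Rimta\\uxx1.ocx"]
    blob = b"\x00\x00".join(c.encode("utf-16-le") for c in cells)
    blob += b"\x00\x00" + b"ascii-only-text" + b"\x00"  # 18 bytes, keeps even alignment
    blob += b"A" + "Vuk1".encode("utf-16-le") + b"\x00\x00"  # single byte shifts Vuk1 to an odd offset
    return blob


if __name__ == "__main__":
    recovered = utf16le_strings(build_sample_blob())
    print("\n".join(recovered))
    print(extract_iocs(recovered))
```

In practice you would feed the function the output of zipdump.py -d (or read the extracted sheet part from disk) and hand the defanged indicators straight to the report; defanging at extraction time avoids a live link ending up in a ticket or e-mail that someone then clicks.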
Enabling macros in the workbook runs an XLM (Excel 4.0) macro. The dangerous macro is triggered through auto_open, which points into one of the hidden macro sheets containing the malicious code; those sheets were already visible in the ExifTool output (Listing 2): Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, and Vuk7. XLMMacroDeobfuscator reveals that the macro calls Kernel32.CreateDirectoryA("C:\Rimta") to create the Rimta folder on the C: drive and then uses URLDownloadToFileA() to download three files, uxx1.ocx, uxx2.ocx, and uxx3.ocx, into it. The same output provides indicators of compromise for this attack: the folder and file names above, and the domains hosting the malicious .ocx files, shown here defanged: elmamamobil[.]com, irrigakit.com[.]br, lms.chavest[.]com.
Conclusion
Most experienced users today know better than to open a file when they don't know what it is. The tools that help you determine what it is are less widely known. This article described some of the tools investigators use to probe the contents of a file without opening it in the application it targets, a skill that is very useful nowadays.
Infos
- sha256sum: https://www.gnu.org/software/coreutils/sha256sum
- VirusTotal: https://virustotal.com
- file: https://darwinsys.com/file/
- TrID: https://mark0.net/soft-trid-e.html
- ExifTool: https://exiftool.org/
- XLMMacroDeobfuscator: https://github.com/DissectMalware/XLMMacroDeobfuscator
- zipdump.py: https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py