Quick malware analysis with Linux tools
Peek Inside
Forensic experts can't just delete a sketchy file – sometimes the challenge is to see what is in it without triggering an attack. Learn about some of the tools investigators use for analyzing suspicious files.
The number of online threats increases every year. Phishing attacks, for example, are growing more sophisticated and are often prepared in such a way that it is very difficult to distinguish a malicious message from a legitimate one. Analysts are often challenged with determining whether a file, such as a file sent to an email address, is malicious or not. If the file does turn out to be malicious, the next questions are what are the contents and what task is it supposed to perform?
When it comes to analyzing potentially malicious files, distributions that are adapted to malware analysis come in handy. The REMnux forensic toolkit and SIFT Workstation, for instance, are examples of toolkits designed for digital forensics tasks.
What Is It?
I'll show you an example of how an investigator might analyze a potential malware file. The Qbot malware is often used to attack user mailboxes. Qbot, which is also known as Qakbot, is a banking Trojan that has been around for over a decade. The first version was found in 2007. Since then, it has been constantly maintained and developed.
The Qbot campaign I will analyze for this article was sent in 2021 and delivered in three versions: via a link, an attachment, and a graphic element displaying a malicious URL in the message. After clicking on the malicious link, the user is redirected to the page with the malicious archive. The archive contains a malicious Excel (.xlsb) file.
In this case, the archive has the filename eqlauo-lsneeqtutninnui-o.zip.
The best way to start the file identification is with the sha256sum command [1], which computes the file's checksum. Malware transforms into new versions very quickly and efficiently, and the way it is delivered can vary. With each download, even from the same URL, you might receive a file with a different checksum, which makes signature-based detection difficult. However, it is worth trying a checksum just in case. Having the checksum will also help you organize the analysis and create a report. The checksum also allows you to look the file up on the VirusTotal platform [2]:
sha256sum eqlauo-lsneeqtutninnui-o.zip
3D1386A83BCAA67760B861C106FE44B8A141D9872D49C879A59EA10594EBF0FD  eqlauo-lsneeqtutninnui-o.zip
When you unpack the archive, you will get a file named NK-1545671800.xlsb (Figure 1), which you can also get a checksum for using sha256sum:
sha256sum NK-1545671800.xlsb
9eaca5539a69a0de18e26aa81044eef3fa151a0caae5fa58f08b23af79fd7801  NK-1545671800.xlsb
The file command [3] and TrID [4] will come in handy when identifying a file. TrID identifies file types based on their signatures. You will get the results in percentages ordered from most likely to least likely (Listing 1). This is very helpful because the selections that TrID gives you are sometimes more accurate than those offered by other signature-based tools.
Listing 1
TrID Analysis
trid NK-1545671800.xlsb
TrID/32 - File Identifier v2.24 - (C) 2003-16 By M.Pontello
Definitions found: 13923
Analyzing...
Collecting data from file: NK-1545671800.xlsb
62.2% (.XLSB) Excel Binary workbook (93021/2/14)
22.7% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
11.7% (.ZIP) Open Packaging Conventions container (17500/1/4)
2.6% (.ZIP) ZIP compressed archive (4000/1)
0.6% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
The file command helps determine the file type. The command ignores the file extension and instead runs a series of tests to identify the file:
file NK-1545671800.xlsb
NK-1545671800.xlsb: Microsoft Excel 2007+
Listing 1 tells us that the file is most likely an .xlsb file, which is an Excel Binary Spreadsheet, so I turn my attention to another tool called ExifTool [5]. The ExifTool utility is a Perl framework written by Phil Harvey that was originally designed to extract the Exif content from image files. You can use ExifTool to view metadata from both photos and .xlsb files (Listing 2).
Listing 2
Viewing Data with ExifTool
exiftool NK-1545671800.xlsb
ExifTool Version Number : 12.16
File Name : NK-1545671800.xlsb
Directory : .
File Size : 124 KiB
File Modification Date/Time : 2022:01:25 02:58:56-05:00
File Access Date/Time : 2022:02:22 08:33:10-05:00
File Inode Change Date/Time : 2022:02:07 09:17:53-05:00
File Permissions : rw-r--r--
File Type : XLSB
File Type Extension : xlsb
MIME Type : application/vnd.ms-excel.sheet.binary.macroEnabled
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x322badb4
Zip Compressed Size : 596
Zip Uncompressed Size : 3778
Zip File Name : [Content_Types].xml
Creator : Admin
Last Modified By : Admin
Create Date : 2015:06:05 18:19:34Z
Modify Date : 2022:01:25 07:50:09Z
Application : Microsoft Excel
Doc Security : None
Scale Crop : No
Heading Pairs : ?????, 4, ??????? Excel 4.0, 8
Titles Of Parts : Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, Vuk7
Company :
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0300
In Listing 2, one of the more interesting results is the list of sheet names, which is revealed in Titles Of Parts. This information might be useful in the next stages of the analysis. The names of these sheets look a bit suspicious, so it's worth coming back to them.
Once I have identified the file and I know that it is an Excel document, I can analyze the contents of the file. I will use the XLMMacroDeobfuscator tool [6]. You can use XLMMacroDeobfuscator to decode macros in XLM files, also known as Excel 4.0 macros. The tool supports the .xls, .xlsm, and .xlsb formats. For the analysis, I'll use the following command:
xlmdeobfuscator -f NK-1545671800.xlsb
The output is shown in Figure 2.
An alternative to the XLMMacroDeobfuscator tool is zipdump.py [7]. Use the -s switch to specify the index of an archive member and the -d switch for a raw dump of it. For example, -s 3 -d would extract the file at index 3 from a .pptx file to STDOUT.
I'll pipe the output of zipdump.py into the strings command, selecting the character encoding with --encoding; the l option means 16-bit little endian:
zipdump.py eqlauo-lsneeqtutninnui-o.zip -s 6 -d | strings --encoding=l
The results of this command are shown in Figure 3.
Enabling macros in an Excel document would result in running an XLM macro (Excel 4.0). The dangerous macro is triggered by the auto_open event, which refers to one of the hidden sheets containing the malicious code. The sheets can be seen during the analysis using ExifTool (see Listing 2): Sheet, CCwdbuk1, Sssssbvr1, Sssssbvr2, GERGEGSFWG, Vuk1, Vuk2, Vuk3, Vuk4, Vuk5, Vuk6, and Vuk7. The analysis with XLMMacroDeobfuscator reveals that, by calling the function Kernel32.CreateDirectoryA("C:\Rimta"), the Rimta folder is created on the C: drive, to which three files named uxx1.ocx, uxx2.ocx, and uxx3.ocx are copied using the URLDownloadToFileA() function. The analysis also reveals some of the indicators for this attack, including links where the malicious .ocx files will be downloaded: elmamamobil[.]com, irrigakit.com[.]br, lms.chavest[.]com.
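As an added example (not code from the article, from zipdump.py, or from XLMMacroDeobfuscator), the following Python script reproduces the zipdump.py and strings --encoding=l steps above and turns the findings of the macro analysis into a static check: it lists the OOXML container's members by index, dumps one member raw, pulls 16-bit little-endian strings out of the binary sheet parts, and flags a declared macro sheet plus the two API names the deobfuscated macro used. The sample workbook is constructed inline as a stand-in for the real .xlsb, and both the "macrosheet" content-type test and the API watch list are my own heuristics, not something the article states.

```python
import hashlib
import io
import re
import zipfile

# Win32 API names the article's XLM macro calls; finding them among a workbook's
# UTF-16LE strings is a strong static indicator (hypothetical watch list).
SUSPICIOUS_APIS = ("URLDownloadToFileA", "CreateDirectoryA")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable ASCII chars as 16-bit LE units

def list_members(data):
    """Like zipdump.py's listing: (index, name, size) per member, index 1-based."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i + 1, zi.filename, zi.file_size) for i, zi in enumerate(zf.infolist())]

def dump_member(data, index):
    """Like 'zipdump.py -s <index> -d': raw bytes of the member at that index."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.infolist()[index - 1])

def strings_utf16le(blob):
    """Like 'strings --encoding=l': printable runs of 16-bit little-endian text."""
    return [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]

def triage(data):
    """Static checks on the archive bytes alone; the workbook is never opened in Excel."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "macrosheet": False, "api_hits": set()}
    for idx, name, _ in list_members(data):
        blob = dump_member(data, idx)
        if name == "[Content_Types].xml":
            # An XLM (Excel 4.0) macro sheet part is declared here even when the sheet is hidden
            report["macrosheet"] = b"macrosheet" in blob
        elif name.endswith(".bin"):  # .xlsb stores the workbook and its sheets as binary parts
            for s in strings_utf16le(blob):
                report["api_hits"].update(a for a in SUSPICIOUS_APIS if a in s)
    report["api_hits"] = sorted(report["api_hits"])
    return report

def build_sample():
    """Constructed stand-in for the malicious .xlsb (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<Types><Override PartName="/xl/macrosheets/sheet1.bin" '
                    'ContentType="application/vnd.ms-excel.macrosheet"/></Types>')
        zf.writestr("xl/workbook.bin", b"\x00" * 16)
        cell = 'Kernel32.CreateDirectoryA("C:\\Rimta")'  # formula text the article's analysis revealed
        zf.writestr("xl/macrosheets/sheet1.bin", b"\x01\x02" + cell.encode("utf-16-le")
                    + b"\xff" + "URLDownloadToFileA".encode("utf-16-le"))
    return buf.getvalue()
```

Running triage(build_sample()) on the constructed workbook reports macrosheet=True and both API names, which is the point at which a real file would be handed to XLMMacroDeobfuscator rather than opened.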
Conclusion
Most experienced users today are aware that it is better not to click on a file if you don't know what it is. However, the tools that will help you determine what it is are less widely known. This article described some of the tools investigators use to probe the contents of a file without clicking on it. Nowadays, such skills are very useful.
Infos
- sha256sum: https://www.gnu.org/software/coreutils/sha256sum
- VirusTotal: https://virustotal.com
- file: https://darwinsys.com/file/
- TrID: https://mark0.net/soft-trid-e.html
- ExifTool: https://exiftool.org/
- XLMMacroDeobfuscator: https://github.com/DissectMalware/XLMMacroDeobfuscator
- zipdump.py: https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py