oletools on macOS Mojave

Revision history

  • 2021.02.16

Introduction

  • This document installs oletools, a toolkit for analyzing Microsoft Office document files, and uses it to analyze a malware-laden Excel macro file.
  • oletools is written in Python, so a Python environment with pip must already be available.

Installing the package

  • Install with pip.

$ pip install oletools🆑
Collecting oletools
  Downloading oletools-0.56.zip (3.1 MB)
     |████████████████████████████████| 3.1 MB 313 kB/s
Collecting pyparsing<3,>=2.1.0
  Downloading pyparsing-2.4.7-py2.py3-none-any.whl (67 kB)
     |████████████████████████████████| 67 kB 3.3 MB/s
Collecting olefile>=0.46
  Downloading olefile-0.46.zip (112 kB)
     |████████████████████████████████| 112 kB 2.2 MB/s
Collecting easygui
  Downloading easygui-0.98.2-py2.py3-none-any.whl (92 kB)
     |████████████████████████████████| 92 kB 2.5 MB/s
Collecting colorclass
  Downloading colorclass-2.2.0.tar.gz (17 kB)
Collecting msoffcrypto-tool
  Downloading msoffcrypto-tool-4.11.0.tar.gz (211 kB)
     |████████████████████████████████| 211 kB 2.8 MB/s
Collecting pcodedmp>=1.2.5
  Downloading pcodedmp-1.2.6-py2.py3-none-any.whl (30 kB)
Requirement already satisfied: cryptography>=2.3 in /usr/local/lib/python3.9/site-packages (from msoffcrypto-tool->oletools) (3.3.1)
Requirement already satisfied: cffi>=1.12 in /usr/local/lib/python3.9/site-packages (from cryptography>=2.3->msoffcrypto-tool->oletools) (1.14.4)
Requirement already satisfied: six>=1.4.1 in /usr/local/lib/python3.9/site-packages (from cryptography>=2.3->msoffcrypto-tool->oletools) (1.14.0)
Requirement already satisfied: pycparser in /usr/local/lib/python3.9/site-packages (from cffi>=1.12->cryptography>=2.3->msoffcrypto-tool->oletools) (2.20)
Building wheels for collected packages: oletools, olefile, colorclass, msoffcrypto-tool
  Building wheel for oletools (setup.py) ... done
  Created wheel for oletools: filename=oletools-0.56-py3-none-any.whl size=933616 sha256=7b36d008a9b33c2f04d1c502e06515be0a7bae25978ca90e5ce22d2626382dce
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/05/bb/26/15b0a068fde1216b8fb73f0ee57ce8da02c618c5cd6d3a5f9d
  Building wheel for olefile (setup.py) ... done
  Created wheel for olefile: filename=olefile-0.46-py2.py3-none-any.whl size=35416 sha256=22ddebb1e3d17a0be6f140fe77f825adddeffcc9c6ff4c32e812d6c394beac10
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/64/b8/ba/ebba30390fbd997074f35e42a842ce3fd933213cac8753414e
  Building wheel for colorclass (setup.py) ... done
  Created wheel for colorclass: filename=colorclass-2.2.0-py3-none-any.whl size=19394 sha256=2241ba0123d957730b295607537a810c64c245dd8ea65546ed91c8c873fbab2e
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/45/8b/b9/04de9e894d23f2a3a560c21df5dd2088d58e0f651ec58ec348
  Building wheel for msoffcrypto-tool (setup.py) ... done
  Created wheel for msoffcrypto-tool: filename=msoffcrypto_tool-4.11.0-py3-none-any.whl size=32335 sha256=7beb576337ea39d9377ac95d6a7166a9b0d844cc5eec65c09e28e0c194482786
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/0e/c0/c9/a10689bd268b5a65d03d84765b332e94e102de9a56c29b6d8f
Successfully built oletools olefile colorclass msoffcrypto-tool
Installing collected packages: olefile, pyparsing, pcodedmp, msoffcrypto-tool, easygui, colorclass, oletools
Successfully installed colorclass-2.2.0 easygui-0.98.2 msoffcrypto-tool-4.11.0 olefile-0.46 oletools-0.56 pcodedmp-1.2.6 pyparsing-2.4.7
[macmini2014:ujpadmin 13:41:39 ~ ]
$

  • Check the package installation path.


$ which olevba3🆑
/usr/local/bin/olevba3
[macmini2014:ujpadmin 13:44:13 ~ ]
$ ls -lat /usr/local/bin/|head -n 20🆑
total 1036
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 rtfobj
drwxrwxr-x 636 ujpadmin admin 20352  2 16 13:41 .
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 pyxswf
-rwxr-xr-x   1 ujpadmin admin   238  2 16 13:41 olevba3🈁
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 olevba
-rwxr-xr-x   1 ujpadmin admin   239  2 16 13:41 oletimes
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 oleobj
-rwxr-xr-x   1 ujpadmin admin   238  2 16 13:41 olemeta
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 olemap
-rwxr-xr-x   1 ujpadmin admin   236  2 16 13:41 oleid
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 olefile
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 oledir
-rwxr-xr-x   1 ujpadmin admin   240  2 16 13:41 olebrowse
-rwxr-xr-x   1 ujpadmin admin   237  2 16 13:41 msodde
-rwxr-xr-x   1 ujpadmin admin   239  2 16 13:41 mraptor3
-rwxr-xr-x   1 ujpadmin admin   238  2 16 13:41 mraptor
-rwxr-xr-x   1 ujpadmin admin   242  2 16 13:41 ezhexviewer
-rwxr-xr-x   1 ujpadmin admin   242  2 16 13:41 msoffcrypto-tool
-rwxr-xr-x   1 ujpadmin admin   239  2 16 13:41 pcodedmp
[macmini2014:ujpadmin 14:26:25 ~ ]
$

  • Done.

Trying analysis with olevba3

  • First, a plain file with no macros in it.


$ olevba3 /Users/ujpadmin/Documents/datafile.xlsx🆑
olevba 0.56 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: /Users/ujpadmin/Documents/datafile.xlsx
Type: OpenXML
No VBA macros found.

[macmini2014:ujpadmin 13:44:42 ~ ]
$

  • The result was "No VBA macros found".

Analyzing malware that contains VBA

  • Analyze the Excel file that an earlier investigation found to be malware.

$ olevba3 /Users/ujpadmin/Downloads/マルウェアのファイル.xls🆑
olevba 0.56 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: /Users/ujpadmin/Downloads/マルウェアのファイル.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: /Users/ujpadmin/Downloads/マルウェアのファイルxls - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod



End Sub


(omitted)

-------------------------------------------------------------------------------
VBA FORM Variable "b'Label5'" IN '/Users/ujpadmin/Downloads/マルウェアのファイル.xls' - OLE stream: '_VBA_PROJECT_CUR/Class7'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
None
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |WorkBook_open       |Runs when the Excel Workbook is opened       |
|AutoExec  |Label5_Click        |Runs when the file is opened and ActiveX     |
|          |                    |objects trigger events                       |
|Suspicious|Open                |May open a file                              |
|Suspicious|write               |May write to a file (if combined with Open)  |
|Suspicious|Adodb.Stream        |May create a text file                       |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ExecuteExcel4Macro  |May run an Excel 4 Macro (aka XLM/XLF) from  |
|          |                    |VBA                                          |
|Suspicious|Microsoft.XMLHTTP   |May download files from the Internet         |
|Suspicious|CallByName          |May attempt to obfuscate malicious function  |
|          |                    |calls                                        |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |cmd.exe             |Executable file name                         |
|IOC       |wrnglr.exe          |Executable file name                         |
+----------+--------------------+---------------------------------------------+

[macmini2014:ujpadmin 13:46:34 ~ ]
$


  • Since text alone is hard to read, here it is as a screenshot.

  • Operations flagged as Suspicious and IOC entries were listed.

Trying analysis with mraptor

$ mraptor マルウェアのファイル.xls🆑
MacroRaptor 0.56 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX  |OLE:|マルウェア.xls
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS🈁
[macmini2014:ujpadmin 13:46:34 ~ ]
$

  • It is reported as SUSPICIOUS.
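  • When many files have to be triaged, the olevba summary table above and the mraptor flag string are easier to act on from a script than by eye. The following Python script is an added example written for this note; it is not part of oletools. It parses the Type/Keyword/Description table that olevba printed (reassembling the wrapped description rows), lists the IOC keywords, and derives an A/W/X flag string like the one mraptor printed. The sample table is the one from this post, embedded for offline use; the keyword sets used for the W and X flags, the script name olevba_triage.py, and the exit code 0 for non-suspicious files are assumptions (exit code 20 is what mraptor printed for SUSPICIOUS above).

```python
"""Triage helper for olevba summary tables (added example, not part of oletools).

olevba prints a pipe-delimited Type/Keyword/Description table in which long
descriptions wrap onto continuation rows whose Type and Keyword cells are
empty. This script rejoins those rows, lists the IOCs, and derives a
mraptor-style flag string (A=AutoExec, W=Write, X=Execute). The keyword sets
used for W and X are an assumption that approximates mraptor's categories,
not mraptor's own rule set.
"""
import sys
from collections import Counter

# Constructed sample: the summary table olevba printed for the malicious
# workbook in this post, reproduced here so the script runs offline.
SAMPLE_TABLE = """\
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |WorkBook_open       |Runs when the Excel Workbook is opened       |
|AutoExec  |Label5_Click        |Runs when the file is opened and ActiveX     |
|          |                    |objects trigger events                       |
|Suspicious|Open                |May open a file                              |
|Suspicious|write               |May write to a file (if combined with Open)  |
|Suspicious|Adodb.Stream        |May create a text file                       |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ExecuteExcel4Macro  |May run an Excel 4 Macro (aka XLM/XLF) from  |
|          |                    |VBA                                          |
|Suspicious|Microsoft.XMLHTTP   |May download files from the Internet         |
|Suspicious|CallByName          |May attempt to obfuscate malicious function  |
|          |                    |calls                                        |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |cmd.exe             |Executable file name                         |
|IOC       |wrnglr.exe          |Executable file name                         |
+----------+--------------------+---------------------------------------------+
"""

# Assumed approximation of mraptor's Write and Execute categories (compared
# lower-cased). The A flag is taken from olevba's own "AutoExec" type instead.
WRITE_KEYWORDS = {"write", "adodb.stream", "savetofile", "createtextfile",
                  "filecopy", "kill", "urldownloadtofile"}
EXEC_KEYWORDS = {"shell", "createobject", "getobject", "executeexcel4macro",
                 "exec", "sendkeys", "shellexecute", "wscript.shell"}

# 20 is the exit code mraptor printed for SUSPICIOUS in this post; 0 for
# everything else is this script's own convention, not mraptor's.
EXIT_SUSPICIOUS = 20


def parse_olevba_table(text):
    """Return [(type, keyword, description), ...] with wrapped rows rejoined."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                      # '+----' borders and other output
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3:
            continue                      # not a three-column summary row
        typ, keyword, desc = cells
        if (typ, keyword) == ("Type", "Keyword"):
            continue                      # header row
        if typ == "" and keyword == "" and rows:
            t, k, d = rows[-1]            # continuation of the previous description
            rows[-1] = (t, k, (d + " " + desc).strip())
        else:
            rows.append((typ, keyword, desc))
    return rows


def counts_by_type(rows):
    """Rows per olevba category, e.g. {'AutoExec': 2, 'Suspicious': 10, 'IOC': 2}."""
    return dict(Counter(t for t, _, _ in rows))


def iocs(rows):
    """Keywords olevba labelled IOC (file names, URLs, IPs) for blocklists or hunting."""
    return [k for t, k, _ in rows if t == "IOC"]


def mraptor_flags(rows):
    """Derive an A/W/X flag string in the order mraptor prints it."""
    keywords = {k.lower() for _, k, _ in rows}
    flags = ""
    if any(t == "AutoExec" for t, _, _ in rows):
        flags += "A"
    if keywords & WRITE_KEYWORDS:
        flags += "W"
    if keywords & EXEC_KEYWORDS:
        flags += "X"
    return flags


def triage(rows):
    """mraptor's heuristic: an auto-exec trigger combined with Write or Execute is suspicious."""
    flags = mraptor_flags(rows)
    if "A" in flags and ("W" in flags or "X" in flags):
        return "SUSPICIOUS", flags, EXIT_SUSPICIOUS
    return "OK", flags, 0


if __name__ == "__main__":
    # Usage: olevba3 file.xls | python3 olevba_triage.py   (no stdin: built-in sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not text.strip():
        text = SAMPLE_TABLE
    parsed = parse_olevba_table(text)
    verdict, flags, code = triage(parsed)
    print("counts:", counts_by_type(parsed))
    print("IOCs:", ", ".join(iocs(parsed)) or "none")
    print("verdict: %s flags=%s" % (verdict, flags))
    sys.exit(code)
```

  • Piped after olevba3 in a loop over a directory, the script's exit code lets a shell loop sort files into "suspicious" and "ok" buckets, and the IOC list (cmd.exe and wrnglr.exe for this sample) can be fed straight into a hunting query.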


References

  • decalage2/oletools
    • https://github.com/decalage2/oletools/issues
