This time we are releasing analysis of a malicious OLE document. This Malware exploits vulnerability in MS Word 2003. CVE-2006-6456
The malware sample for analysis is available at Mila’s blog (Greets Mila :)
When we analyze with Offviz we see that there in invalid value for sprm.sgc
When we parse the document with OfficeMalScanner from http://www.reconstructer.org/code.html we find embedded OLE file at offset 0xdc00 and embedded executable at 0x4c00 encoded with XOR key 0x95
We remove the malicious executable and the OLE file from the exploits file. Now we are left with the exploit file along with shellcode. We analyze the remaining (clean.doc) exploit file in Hex Workshop we find another XOR’ed section encoded with same key 0x95. This might be the encoded shellcode.
So we extract this section and convert it into exe from http://sandsprite.com/shellcode_2_exe.php to analyze it in debugger. Here we see the shellcode IS actually XOR’ed with 0x95 key
We Decode the shellcode and analyze in HEX again. We see that shellcode writes the exe to disk as SUCHOST.EXE.
So now we got the location of shellcode also. Here we can remove the shellcode of malware and replace it with our shellcode.
The original malware, extracted executable, extracted OLE document, shellcode, decoded shellcode and a reconstructed POC file which calc.exe can be downloaded from::: http://www.mediafire.com/download.php?u55xgb1jpasp8na
There are 2 POC files one executes CMD.exe and other one executed CLAC.exe. Tested on XP SP 2 Office 2003.....
Greetz:: Mila, Villy, Puneet Jain, WEBDevil, ASL IT Sec Team