Most people these days have one of those burner email addresses – used for product sign-ups, etc.. I certainly do and that account receives its fair share of phishing emails. It is certainly not something new but lately I have been receiving more and more Microsoft Word documents attached to the phishing emails.
In this blog post, I will demonstrate one method in which a person can analyze malicious word documents to see what an attacker might be attempting to get their target to do. If you attempt to replicate this process, please exercise caution. And above all, never open a document from a source you don’t trust.
Here are a couple of example emails I have received:
As you can see in the images above, one email contains an “Account Statement” document and another email contains an “Update Account” document. These phishing emails are trying to create a sense of urgency to trick the receiver into downloading and opening the Word documents.
Dissecting the files:
The first step in examining a potentially malicious word document is dissecting the file. A commonly used tool for analyzing MS Office documents is Oletools:
- Oletools – https://github.com/decalage2/oletools
- Created by Didier Steven
- Based on Python
Utilizing the olevba.py script we can determine if these documents contain any VBA scripts (attackers tend to smuggle malicious code in this manner):
It appears that no VBA macros were discovered within these documents.
After searching for VBA macros, we can move onto performing ZIP extraction of the document. Word documents are essentially a ZIP archive. Utilizing command line tools, we can extract the contents to view the underlying file structure. This will allow us to view relationship files to see if any malicious links have been inserted into the document.
One file to look at closely within MS Word documents is the “document.xml.rels”. document.xml.rels is an XML file that will map out relationships within the DOCX file. The relationships could include various settings, footnotes, comments, web links, etc. Viewing the file, we can see that the document.xml.rels file contains a web link within the XML file, as shown in the screenshot below.
The URL within the document.xml.rels is URL encoded as shown below:
URL decoding the link shown below:
It appears the attacker is utilizing the Tumblr platform to redirect the victim out to a malicious domain (iloveyoudhea[.]info).
Recap:
This post was intended to give people a quick reference on dissecting a simple Word document. I don’t plan to visit the embedded URLs anytime soon, and recommend that you steer clear as well. As always – if you do not know the sender, trust the document, or know the URL – do not click or open the files or URLs. I’ll keep watching for other documents that might contain a malicious VBA script that we could dissect in another post.