# Analysis of MS Word to drop Remcos RAT

**muha2xmad.github.io/mal-document/remcosdoc/**

### Muhammad Hasan Ali

Malware Analysis learner, May 5, 2022

**As-salamu Alaykum**

## Introduction

Remcos RATs are delivered by phishing campaigns in the form of Excel and Word files; our sample is a Word file. It tries to trick the user into clicking `Enable Content`, which will load the macro code and then load the next stage. We start our analysis using [REMnux](https://remnux.org/). Download [the sample from MalwareBazaar](https://bazaar.abuse.ch/sample/3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc/).

## About MS Word

We will talk about the basic structure of a Word file. Microsoft Office files come in two structures. Before 2007, Microsoft used a structured storage format (a binary format); this is the old format of `.doc`, `.xls` and `.ppt` files, used from Word 97 (released in 1997) through Office 2003. Since 2007, Microsoft has used the Office Open XML format, a Zip archive containing XML files, such as `.docx`. For more info see [here](https://docs.fileformat.com/word-processing/doc/).

## Metadata

We use `exiftool` to extract metadata about the sample we are analyzing and get more information about it, such as the `File Size`, `File Type`, `Language Code`, `Comp Obj User Type` (which shows the edition of Microsoft Word that was used) and `Template`. If the template is `Normal.dotm`, that is an indicator of a macro inside the Doc file.

```
File Name                       : 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc
Directory                       : .
File Size                       : 60 KiB
File Modification Date/Time     : 2022:05:05 05:54:50-04:00
File Access Date/Time           : 2022:05:05 02:14:10-04:00
File Inode Change Date/Time     : 2022:05:05 01:55:39-04:00
File Permissions                : rw-r--r--
File Type                       : DOC
File Type Extension             : doc
MIME Type                       : application/msword
Identification                  : Word 8.0
Language Code                   : English (US)
Doc Flags                       : Has picture, 1Table, ExtChar
System                          : Windows
Word 97                         : No
Title                           :
Subject                         :
Author                          :
Keywords                        :
Comments                        :
Template                        : Normal.dotm
Last Modified By                :
Software                        : Microsoft Office Word
Create Date                     : 2022:04:20 02:06:00
Modify Date                     : 2022:04:20 02:06:00
Security                        : None
Code Page                       : Windows Latin 1 (Western European)
Char Count With Spaces          : 1
App Version                     : 16.0000
Scale Crop                      : No
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
Title Of Parts                  :
Heading Pairs                   : Title, 1
Comp Obj User Type Len          : 32
Comp Obj User Type              : Microsoft Word 97-2003 Document
Last Printed                    : 0000:00:00 00:00:00
Revision Number                 : 1
Total Edit Time                 : 0
Words                           : 0
Characters                      : 1
Pages                           : 1
Paragraphs                      : 1
Lines                           : 1
```

## VBA extraction and analysis

Then we check whether the Doc file has macros using `oleid`. If `VBA Macros` is set to `True`, as we see in the next figure, then it has macros, and the macro is not encrypted.

Figure(1): oleid output

Then we use `oledump.py` to see the content of the Doc file. The number on the left is the stream number, and `M` indicates that the stream contains macro code.

Figure(2): oledump.py output

We use `olevba` to extract the macros from the Doc file and analyze the VBA code. After extraction, open the file in VSCode. We can use `oledump.py` to do this as well, but `olevba` summarizes the important information for us.

```
olevba 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc > vbacode.vba
```

The most important part is the table that summarizes the VBA code and extracts the important items, such as IoCs and suspicious functions like `AutoOpen()`.

Figure(3): Extraction of the VBA code

But this is not enough. We will try to extract more information about the Doc using `oledump.py` by extracting the content of all the streams; if you want to save time, extract only streams `9` and `10`.

```
oledump.py 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc -s 9 > stream_9.vba
oledump.py 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc -s 10 > stream_10.vba
```

Take your time to analyze the ASCII to extract more information from the next two figures. In this figure, stream 9 holds the IoCs which enable the Doc to launch the VBA code.

```
C:\Program files\Common files\Microsoft shared\VBA\VBA7.1\VBE7.dll
C:\Windows\System32\stdole2.tlb
C:\Program files\Microsoft Office\root\Office16\MSWORD ObjectLibrary
C:\Program files\Common files\Microsoft shared\OFFICE16\MSO.DLL
autoOpen
CreateObject
InstallProduct
```

Figure(4): Analysis of the VBA code of stream 9

And stream `10`, which has fewer IoCs than stream `9`:

```
C:\Windows\System32\stdole2.tlb
C:\Program files\Common files\Microsoft shared\OFFICE16\MSO.DLL
```

Figure(5): Analysis of the VBA code of stream 10

For more info you can use the Lazy Office Analyzer tool on Windows, or open the malicious Word document and see the macro inside the Microsoft Word application. I tried to use it, but for this sample it gives no info.

## IoCs

| No. | Description | Hash and URLs |
|-----|-------------|---------------|
| 1 | The Mal DOC file (MD5) | 090e1dfdcbf2185788ea14cd113cc39f |
| 3 | URL | https://filebin.net/rf43v6qzghbj7h7b/TRY.msi |

## Article quote

من يحمل قنديله في صدره لا يُعنيه ظلام العالمين

(He who carries his lantern in his chest is not troubled by the darkness of the worlds.)
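The "About MS Word" section above separates the two container formats by structure: the legacy binary structured-storage (OLE2 / Compound File) format and the Office Open XML zip. The following script is an added example, not code from the article or from the oletools project, that classifies a file from its first bytes the way `exiftool` and `oleid` do at the start of triage. It reads the Compound File header fields (signature, major version, byte-order mark, sector shift) for the legacy format, and for OOXML it opens the zip and looks for the main part (`word/document.xml`, `xl/workbook.xml`, `ppt/presentation.xml`) and a `vbaProject.bin` part. The sample inputs are constructed in memory (a bare 512-byte CFB header and a `.docm`-like zip), and the field offsets come from the published Compound File Binary format; the dictionary keys in the result are my own naming.

```python
import io
import struct
import zipfile

# Header signature of an OLE2 / Compound File Binary (legacy .doc/.xls/.ppt) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A zip local-file header starts every OOXML (.docx/.docm/.xlsx/...) container.
ZIP_MAGIC = b"PK\x03\x04"

# OOXML "main part" names that identify the producing application.
OOXML_MAIN_PARTS = {
    "word/document.xml": "word",
    "xl/workbook.xml": "excel",
    "ppt/presentation.xml": "powerpoint",
}


def identify_office_container(data: bytes) -> dict:
    """Classify raw file bytes as a legacy OLE container, an OOXML zip, or something else.

    For OOXML the presence of a vbaProject.bin part is a reliable macro indicator.
    For legacy OLE files the header alone cannot tell: macros live in streams
    (the 'M' streams oledump.py lists), so that case is reported as "unknown".
    """
    if data.startswith(OLE_MAGIC):
        if len(data) < 512:
            return {"container": "ole", "valid_header": False}
        # CFB header: major version at offset 26, byte-order mark at 28, sector shift at 30.
        major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 26)
        valid = byte_order == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12))
        return {
            "container": "ole",
            "valid_header": valid,
            "cfb_version": major,
            "sector_size": 1 << sector_shift,
            "macros": "unknown: inspect streams (oleid / oledump.py / olevba)",
        }

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return {"container": "unknown"}
        if "[Content_Types].xml" not in names:
            return {"container": "zip", "ooxml": False}
        app = next((a for part, a in OOXML_MAIN_PARTS.items() if part in names), "unknown")
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return {
            "container": "ooxml",
            "application": app,
            "has_vba_project": has_vba,
            "macros": "present" if has_vba else "absent",
        }

    return {"container": "unknown"}


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a bare CFB v3 header (512 bytes, no streams) and two OOXML-like zips.
SAMPLE_OLE = (
    OLE_MAGIC + b"\x00" * 16 + struct.pack("<HHHH", 0x003E, 0x0003, 0xFFFE, 0x0009)
).ljust(512, b"\x00")
SAMPLE_DOCM = _build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})
SAMPLE_DOCX = _build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})

if __name__ == "__main__":
    for label, blob in (("ole", SAMPLE_OLE), ("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX)):
        print(label, identify_office_container(blob))
```

The point of the `"macros": "unknown"` branch is the one the article works through next: for a `.doc` the container tells you nothing about macros, so you still need `oleid`, `oledump.py` or `olevba` to look at the streams. For OOXML the zip listing is enough to spot a VBA project, which is why `.docm` stands out so quickly.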
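The stream analysis above comes down to reading the ASCII of streams 9 and 10 for paths, URLs and suspicious names such as `autoOpen`, `CreateObject` and `InstallProduct`. The following script is an added example, not the author's code and not olevba's own keyword table, that automates that first pass over extracted stream or VBA text: it pulls out URLs, Windows paths (bare lines in a stream dump and quoted string literals in VBA source) and a small constructed keyword list, and combines an auto-execution trigger with an execution or download capability into a verdict. The sample text is constructed from the stream 9 listing and the URL in the IoC table above; the keyword list, field names and verdict labels are my own assumptions.

```python
import re

# Keyword list an analyst checks in olevba/oledump output (constructed for this example;
# olevba ships its own, larger table of auto-exec and suspicious keywords).
SUSPICIOUS_KEYWORDS = {
    "autoopen": "auto-exec: macro runs when the document is opened",
    "document_open": "auto-exec: Word Document_Open event",
    "workbook_open": "auto-exec: Excel Workbook_Open event",
    "createobject": "instantiates a COM object (WScript.Shell, WindowsInstaller.Installer, ...)",
    "installproduct": "WindowsInstaller.Installer method that installs an MSI package",
    "shell": "runs a command line",
    "urldownloadtofile": "downloads a file from a URL to disk",
}
AUTO_EXEC = {"autoopen", "document_open", "workbook_open"}
EXECUTION = {"createobject", "installproduct", "shell", "urldownloadtofile"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
QUOTED_PATH_RE = re.compile(r"\"([A-Za-z]:\\[^\"]+)\"")               # paths in VBA string literals
LINE_PATH_RE = re.compile(r"^\s*([A-Za-z]:\\.+?)\s*$", re.MULTILINE)  # bare paths in a stream dump


def _dedupe(items):
    """Keep first occurrence of each item, preserving order."""
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def triage_stream_text(text: str) -> dict:
    """Pull URLs, Windows paths and suspicious keywords out of extracted VBA / stream text."""
    urls = _dedupe(URL_RE.findall(text))
    paths = _dedupe(QUOTED_PATH_RE.findall(text) + LINE_PATH_RE.findall(text))
    keywords = {}
    for kw, why in SUSPICIOUS_KEYWORDS.items():
        n = len(re.findall(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE))
        if n:
            keywords[kw] = {"count": n, "why": why}
    auto_exec = bool(AUTO_EXEC & set(keywords))
    executes = bool(EXECUTION & set(keywords))
    if auto_exec and (executes or urls):
        verdict = "suspicious"  # runs on open and creates objects / installs / downloads
    elif keywords or urls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"urls": urls, "paths": paths, "keywords": keywords,
            "auto_exec": auto_exec, "verdict": verdict}


# Constructed sample: the stream 9 listing from the article plus the URL from its IoC table.
# VBE7.dll, stdole2.tlb and MSO.DLL are the standard references every VBA project carries;
# they show the document holds a VBA project but are not malicious by themselves.
SAMPLE_STREAM_TEXT = r"""
C:\Program files\Common files\Microsoft shared\VBA\VBA7.1\VBE7.dll
C:\Windows\System32\stdole2.tlb
C:\Program files\Common files\Microsoft shared\OFFICE16\MSO.DLL
autoOpen
CreateObject
InstallProduct
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi
"""

if __name__ == "__main__":
    result = triage_stream_text(SAMPLE_STREAM_TEXT)
    print("verdict :", result["verdict"])
    print("urls    :", result["urls"])
    print("paths   :", result["paths"])
    for kw, info in result["keywords"].items():
        print(f"keyword : {kw} x{info['count']} ({info['why']})")
```

Run it on the output of `oledump.py ... -s 9` or on `vbacode.vba` from `olevba` and it gives the same shortlist the article builds by hand: the reference paths, the auto-execution entry point, the object creation, the installer call and the download URL. The verdict logic is deliberately conservative; a single keyword hit only asks for review, while the combination the article describes (runs on open plus creates an object or installs a package) is flagged as suspicious.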