FaresMorcy

Malicious Document Analysis - HTB

Introduction

Last updated 2 days ago

What is a Malicious Document?

A malicious document is a seemingly normal file, such as a Word document, PDF, Excel spreadsheet, or any other file type that is not expected to execute code, that has been weaponized with harmful content: a macro, an embedded object, a script, or an exploit for the application that opens it. When the document is opened (in some cases only after the user is tricked into enabling content), the embedded code runs, which can lead to data theft, compromise of the host, or unauthorized access to the network.

How Does a Document Execute Code?

When a malicious document is opened, it relies on one of several mechanisms to run its embedded code. The steps below describe the typical chain, from the user opening the file through payload delivery, persistence, and lateral movement.

STEP 1 - Initial Document Opening

  • User Interaction: The chain usually starts with user interaction: the user opens the malicious document, often delivered as an email attachment or downloaded from a compromised website. Common carriers are Microsoft Office files that can contain macros (the macro-enabled OOXML formats .docm, .xlsm and .pptm, as well as the legacy binary .doc, .xls and .ppt formats), PDF files, and formats such as RTF (Rich Text Format) that cannot hold macros but can carry embedded OLE objects and exploits.

STEP 2 - Exploitation of Embedded Code

  • Macros/VBA Scripts (Office Documents): In Microsoft Office documents, malicious macros written in Visual Basic for Applications (VBA) run automatically (for example from an AutoOpen or Document_Open procedure) once macros are enabled. Office does not enable macros by default, and since 2022 it blocks them outright in files that carry the Mark-of-the-Web from the internet, so attackers rely on social engineering to get the user to enable them, typically with a lure such as "Please enable macros to view the content correctly".

  • Embedded Objects: The document may contain embedded OLE (Object Linking and Embedding) objects, for instance a packaged executable or script hidden behind an icon, which executes when the user interacts with it (or, combined with an exploit, without any interaction).

  • JavaScript (PDF Files): A PDF can embed JavaScript and bind it to the document's /OpenAction entry or to additional-action (/AA) triggers, so it runs as soon as the file is opened in a reader that supports JavaScript, with no click required.

STEP 3 - Shellcode or Exploit Execution

  • Shellcode Injection: The embedded script may write shellcode into the memory of the current process or of another process and transfer execution to it. Because nothing is written to disk at this stage, file-based scanners get no artifact to inspect.

  • Exploitation of Vulnerabilities: The document may exploit a known vulnerability in the application used to open it (e.g., a buffer overflow in Adobe Reader) to gain control over the execution flow and run arbitrary code.

STEP 4 - Dropping and Executing Payload

  • Payload Download: The script may download additional malware from a remote server, often using HTTP, HTTPS, or DNS communication.

  • Payload Execution: The document may drop an executable file on the disk or load the payload directly into memory. This payload could be a backdoor, ransomware, keylogger, or another type of malware.

  • Process Injection: The malicious document may inject its payload into a legitimate process to evade detection and run with the privileges of that process (e.g., explorer.exe).

STEP 5 - Establishing Persistence

  • Persistence Mechanisms: The malware may establish persistence on the victim’s machine by modifying the registry, creating scheduled tasks, or placing files in startup directories.

  • Command and Control (C2) Communication: The malware often communicates with a remote C2 server to receive further instructions, exfiltrate data, or download additional components.

STEP 6 - Execution and Lateral Movement

  • Execution of Malicious Activities: Once the payload is executed, it carries out its intended malicious activities, such as data exfiltration, file encryption, or spying on the user.

  • Lateral Movement: If the malware aims to move laterally within a network, it may leverage credentials obtained from the infected system to access other machines.
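
The carriers described in Steps 1 and 2 all leave static traces in the file itself, and a first triage pass is to look for them before opening anything. The script below is an added example, not code from the HTB module: it classifies a blob by its magic bytes and reports the execution carriers for each format (VBA project, Excel 4.0 macro sheets, embedded objects and external template relationships in OOXML; /OpenAction, /AA and JavaScript names in PDF, with hex-escaped names normalised first; \objdata and friends in RTF; a UTF-16LE heuristic for VBA storage in legacy OLE files). The sample documents are constructed inline and are inert, not real malware; the key names and the "lure.*" file names are my own.

```python
"""Static triage of a suspicious document: flag the code-execution carriers the
steps above describe. Added example, not part of the HTB module; the sample
files are constructed in-line (inert, not real malware) so the script runs offline."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (.doc/.xls/.ppt)
PDF_MAGIC = b"%PDF-"
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm/...)

# PDF name objects that run code or drop files without a click (Step 2).
PDF_KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                b"/EmbeddedFile", b"/RichMedia"]
# RTF control words that carry or auto-refresh embedded OLE objects.
RTF_KEYWORDS = [b"\\objdata", b"\\objemb", b"\\objupdate", b"\\objautlink"]


def _count(data: bytes, keywords) -> dict:
    """Count each keyword as a whole token, so /JS is not also counted for /JavaScript."""
    found = {}
    for kw in keywords:
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))
        if n:
            found[kw.decode()] = n
    return found


def _unescape_pdf_names(data: bytes) -> bytes:
    """PDF names may be hex-escaped (/J#53 == /JS); normalise so that does not evade the scan."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _ooxml_indicators(data: bytes) -> dict:
    """Walk the zip: VBA project, Excel 4.0 macro sheets, embedded objects, external templates."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                found["vba_project"] = found.get("vba_project", 0) + 1
            elif "/macrosheets/" in low:
                found["xlm_macrosheet"] = found.get("xlm_macrosheet", 0) + 1
            elif "/embeddings/" in low:
                found["embedded_object"] = found.get("embedded_object", 0) + 1
            elif low.endswith(".rels"):
                # External attachedTemplate/oleObject relationship = remote template injection.
                for tag in re.findall(rb"<Relationship\b[^>]*>", z.read(name)):
                    if b'TargetMode="External"' in tag and (
                            b"/attachedTemplate" in tag or b"/oleObject" in tag):
                        found["external_template_or_ole"] = found.get("external_template_or_ole", 0) + 1
    return found


def _ole_indicators(data: bytes) -> dict:
    """Heuristic for legacy binary Office files: CFB directory entry names are stored as
    UTF-16LE, so a VBA storage or an embedded package is visible without parsing the FAT."""
    found = {}
    for stream in ("_VBA_PROJECT", "Macros", "\x01Ole10Native"):
        n = data.count(stream.encode("utf-16-le"))
        if n:
            found["stream:" + stream.lstrip("\x01")] = n
    return found


def triage(data: bytes) -> dict:
    """Classify one document blob by magic bytes and return its execution-carrier indicators."""
    if data.startswith(PDF_MAGIC):
        return {"type": "pdf", "indicators": _count(_unescape_pdf_names(data), PDF_KEYWORDS)}
    if data.startswith(RTF_MAGIC):
        return {"type": "rtf", "indicators": _count(data, RTF_KEYWORDS)}
    if data.startswith(OLE_MAGIC):
        return {"type": "ole", "indicators": _ole_indicators(data)}
    if data.startswith(ZIP_MAGIC):
        return {"type": "ooxml", "indicators": _ooxml_indicators(data)}
    return {"type": "unknown", "indicators": {}}


def verdict(report: dict) -> str:
    return "SUSPICIOUS" if report["indicators"] else "no code-execution carrier found"


def build_samples() -> dict:
    """Constructed, inert samples (hypothetical names): one carrier per format plus a benign PDF."""
    pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n%%EOF\n")
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000}}}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/attachedTemplate" '
                   'Target="http://example.invalid/t.dotm" TargetMode="External"/></Relationships>')
    ole = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 32
    return {"lure.pdf": pdf, "lure.rtf": rtf, "lure.docm": buf.getvalue(), "lure.doc": ole,
            "benign.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        rep = triage(blob)
        print(f"{fname:11} {rep['type']:6} {verdict(rep):32} {rep['indicators']}")
```

Treat a hit as a reason to dig further, not as a verdict: keyword scanning is cheap to evade (PDF names inside FlateDecode-compressed object streams, RTF control words padded with junk, VBA that only appears after decompressing the module streams), so the next step is always a format-aware parser of the kind the following sections use, which decompresses and walks the structure instead of grepping the raw bytes.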

The diagram shown below provides an overview of the different documents and tools used to examine them:

Real World Case Studies

Several adversary groups leverage malicious document attachments in phishing emails as a common attack vector. These documents, often crafted to appear legitimate, contain embedded scripts, macros, or exploits that execute malware upon opening.

Malicious Office Document (APT36)

APT36 (also known as Transparent Tribe) is a threat group, active since at least 2013, that is known to leverage spearphishing with malicious Office document attachments for initial compromise. Here's an example of a procedure where APT36 used Office documents with macros for initial access.

Malicious CHM File (TAG-74)

Recorded Future's Insikt Group, which tracks the activity under the alias TAG-74, describes it as a state-sponsored adversary that poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia. Its tactics, techniques, and procedures (TTPs) include malicious .chm files (Compiled HTML Help, opened by the Windows hh.exe viewer and able to run embedded script and launch commands) that trigger a DLL search order hijacking execution chain to gain access to the victim.

Malicious RTF File (LokiBot)

First reported in 2015, LokiBot is a well-known information-stealing malware distributed mainly through spam campaigns targeting sectors including finance, technology, and government, and, as in this case study, delivered through weaponized RTF attachments. It is classified as a credential harvester, infostealer, and remote access trojan (RAT), and it steals sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

These threat groups demonstrate how effective malicious document attachments are in phishing campaigns. The examples cover three document types, Office documents, CHM files, and RTF files, used for both cyber espionage and financial theft. By leveraging these formats, threat actors exploit user trust to gain initial access to targeted systems.