thallum oledump

Analyze hwp OLE with oledump

Introduction

oledump.py is a tool for analyzing OLE files; with it we can extract and analyze macro code and embedded objects.

This article introduces the process of extracting the compressed objects from an HWP document by writing a decoder plugin for oledump.

Starting

MD5: 3fb0cfe3cc84fc9bb54c894e05ebbb92, a Thallum Group sample.
The version of oledump: V0_0_59.

The sample file is an HWP document. First of all, check whether it contains any objects with oledump. The second item, “BinData/BIN0001.OLE”, is a data stream.

> py oledump.py 3fb0cfe3cc84fc9bb54c894e05ebbb92
1: 497 '\x05HwpSummaryInformation'
2: 843 'BinData/BIN0001.OLE'
3: 20272 'BodyText/Section0'
4: 835 'DocInfo'
5: 524 'DocOptions/_LinkDoc'
6: 256 'FileHeader'
7: 2742 'PrvImage'
8: 2046 'PrvText'
9: 136 'Scripts/DefaultJScript'
10: 13 'Scripts/JScriptVersion'

Now view the dump of “BIN0001.OLE” with the parameters “-s” and “-d”; no valid VBS code in plaintext is found in the output.

> py oledump.py -s 2 3fb0cfe3cc84fc9bb54c894e05ebbb92 -d


We guess the data is compressed and try again with the “--decompress” parameter, whose description is:

--decompress, Search for compressed data in the stream and decompress it

Try the following command line; again no plaintext data is found. So the data stream of this HWP OLE cannot be viewed with this version of oledump. Let’s try some other ways!

> py oledump.py -s 2 3fb0cfe3cc84fc9bb54c894e05ebbb92 -d --decompress

Let’s try the Swiss army knife, CyberChef. Use the “Inflate” operation of CyberChef to decompress the data (choose the “Raw Inflate” operation, i.e. without a zlib header), and this time the VBS script shows up in plaintext.

Another practical case: Extract encrypted strings of Sunburst with CyberChef.


What to do next: how to combine oledump with Raw Inflate?
We find there is a “--decoders” option in the parameter list of oledump:

--decoders=[value], where [value] is the Python decoder script that decodes the data stream.

There are several ready-made decoder scripts in the tool’s directory, for example:

decoder_xor1.py
decoder_chr.py
decoder_rol1.py

Referring to the decoder scripts above, we can write an inflate decoder to decompress the HWP OLE data. See the script “decoder_inflate.py” at the end of the article. The final command line:

> py oledump.py -s 2 3fb0cfe3cc84fc9bb54c894e05ebbb92 -d --decoders=decoder_inflate.py

(Figure: output of the command above, the decoded VBS script in plaintext)

In the above results we can see three important pieces of information:

1. The file path on the malware author’s machine:
F:\Sheet\_Build_Virus\1101\Hancom.Configuration.VBS.

2. The local path where the malicious VBS is dropped:
C:\Users\Admin\AppData\Local\Temp\Hancom.Configuration.VBS.

3. The URL of the VBS downloader:
hxxp://xeoskin.co.kr/wp/wp-includes/SimplePie/Net/cross.php?op=1

oledump decoder: decoder_inflate.py

Note: if the raw data is a complete zlib stream (with header), add “--decoderoptions=header” as a parameter when using this script.

#!/usr/bin/env python

__description__ = 'HWP OLE Decompress For oledump.py'
__author__ = 'maldefense.com'
__version__ = '0.0.1'
__date__ = '2021'

"""
Source code put in network by MalDefense.com, NO COPYRIGHT
"""
import zlib

# cDecoderParent and AddDecoder are not imported here: oledump executes this
# script in its own namespace, where both names are already defined.
class raw_inflate(cDecoderParent):
    name = 'inflate decompress'

    def __init__(self, stream, options):
        self.stream = stream          # bytes of the stream selected with -s
        self.options = options        # value of --decoderoptions, '' if absent
        self.done = False
        self.wbits = -15              # raw deflate, no header (the HWP BinData case)
        if self.options == 'header':
            self.wbits = 32 + 15      # zlib or gzip header, auto-detected by zlib

    def Available(self):
        # oledump keeps calling Decode() while this returns True,
        # so report True until the single result has been returned.
        return not self.done

    def Decode(self):
        # A zlib.error raised here is caught and reported by oledump.
        decoded = zlib.decompress(self.stream, self.wbits)
        self.done = True
        return decoded

    def Name(self):
        return self.name

AddDecoder(raw_inflate)
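As an added example (not the article's own code, nor part of oledump), the following stand-alone script shows what the decoder's two modes correspond to and turns the "is there plaintext VBS now?" check, done by eye on the -d dump above, into a function: it inflates a blob as raw deflate or as a zlib/gzip-wrapped stream and scans the result for VBS markers. SAMPLE_VBS and VBS_MARKERS are constructed stand-ins, and the script goes slightly beyond the article's raw-inflate case by also accepting a gzip header.

```python
import zlib

# Constructed stand-in for the VBS that Raw Inflate recovered from
# BinData/BIN0001.OLE; the real sample's script is not reproduced here.
SAMPLE_VBS = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
              b'Set sh = CreateObject("WScript.Shell")\r\n')

# Marker strings an analyst scans the -d dump for before calling it plaintext VBS.
VBS_MARKERS = (b'CreateObject', b'WScript.Shell', b'Sub ', b'Function ')


def deflate(data, wbits):
    """Build a test blob with the chosen framing: -15 raw deflate (the HWP
    BinData case), 15 zlib header, 31 gzip header."""
    c = zlib.compressobj(wbits=wbits)
    return c.compress(data) + c.flush()


def inflate_any(blob):
    """Try the framings the decoder's two modes cover; return (framing, decoded).

    'header' first: wbits 32+15 makes zlib verify a zlib FCHECK or gzip magic,
    so a wrong guess fails fast.  Then 'raw' (wbits -15), the bare deflate
    stream that needed CyberChef's Raw Inflate.  (None, b'') if neither parses."""
    for framing, wbits in (('header', 32 + zlib.MAX_WBITS), ('raw', -zlib.MAX_WBITS)):
        try:
            return framing, zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None, b''


def looks_like_vbs(text):
    """True when at least one VBS marker is present in the decoded bytes."""
    return any(m in text for m in VBS_MARKERS)


def triage(blob):
    """Inflate a stream and report its framing and whether script text appeared."""
    framing, decoded = inflate_any(blob)
    return {'framing': framing, 'script': looks_like_vbs(decoded), 'size': len(decoded)}


if __name__ == '__main__':
    for label, wbits in (('raw deflate', -15), ('zlib header', 15), ('gzip header', 31)):
        print(label, triage(deflate(SAMPLE_VBS, wbits)))
    print('not deflate at all', triage(b'\x07\x00'))
```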