In a preceding article, we conducted a study on a malicious email and noted that code could be executed when attachments were opened. Today we will focus on these malicious codes that are executed. We will come to understand what they are doing and what techniques are used to complicate the work of analysts and to bypass protections.

Before beginning, let’s do a quick review of certain keywords:

  • A downloader is a file that downloads and executes malware.
  • A dropper is a file that directly embeds the malware in its code by concealing it to avoid detection. It will drop the malware onto the computer and then execute it.
  • A macro, in Office documents (Word, Excel, PowerPoint, etc.) is a set of commands and instructions that will be executed when it is opened.

Today, attackers often use the same attack vectors for downloaders and droppers, namely, macros in Office documents and JavaScript code in PDF files. An analyst or program can detect this code, extract it and analyze it to understand how it works and quickly block the threat. As a result, attackers are forced to use techniques to delay detection of their malicious files for as long as possible; obfuscation of code is one of the most used methods and this is what we are going to see today.

What is code obfuscation and what can it be used for?

Obfuscation, in computing, consists of rendering an executable program or source code unreadable and hard to understand by a human, while maintaining its functioning. The objective is to bypass static code analyzers as much as possible as well as wasting time for the analysts who will study the code. Obfuscation of character strings is one of the techniques most used by malware creators. This method consists of concealing, or rendering incomprehensible, character strings using an algorithm that will decode the data when the code executes. This article mainly focuses on this obfuscation technique through downloaders.

We will study two examples of code found in downloaders in recent months. First off, we will begin with a simple example to understand how obfuscation works and why it is of interest. Then we will study a more complicated case, since simplicity in malware analysis is rare and when it happens we have to take full advantage of it. Here is a perfect example to start with!

Obfuscation is not that obfuscated

 

File TypeSHA1VirusTotalVirusBay
PDF39809b0836b3198e472e9e5a4f15f5e75ab49265

Lien

Lien

 

Without further ado, let’s get into the heart of the matter and look at this little bit of nasty code that comes from the malicious PDF file above.

From a general point of view, it is difficult to understand what this code does, although line 1 gives us a very big clue with a URL that points to an EXE file. When I analyze malicious code, my first step consists of making it as readable as possi