Update

It took only a few minutes for @0xkyle to point me to Halogen project. Nice one!

Old post

This is a little trick that you may find handy for clustering malicious documents. I am pretty sure many people use it, and I am too lazy to google it, so here is your potential infosec dose of redundancy 🙂

Most of macromaldocs come with a picture attached to it. The one I received today is this:

You can write a signature for similar docs by focusing not on macros, metadata, etc. but the actual picture. They usually come in as either PNG or JPEG, and often carry additional metadata that is often visible in plain text – and most importantly, they are pretty clearly identifiable inside the malicious document’s body (OLE docs, and inside the Office ZIP archives).

The easiest to find them is look for PNG (‘PNG’) and JPEG (\xFF\xFD) headers or look for references to Adobe inside XML snippets that are often accompanying them.

How do you create a sig for it?

Let’s show what we are after first. Choose some random place like 50-75% length of the file and fill it in with zeroes. Now open it in the image viewer and you should see something like this:

The only reason why I do it here is to demonstrate which data you are overwriting. It’s clear the image data is not properly rendered since I have corrupted it. It’s a good spot.

All you have to do now is write yara using a few bytes you extracted from that exact spot:

rule pic
 {
 strings:
      $ = { AE 31 5A F4 2D 1A 4F 8B A6 48 B5 6C 01 6A 99 02 }
 condition:
      any of them
 }

I ran it on a few samples I received recently, and despite them being scrambled and randomized they got picked up all the time.

It obviously won’t work all the time, but if you have a larger corpora of macro samples you can play around with and also automate the yara sig creation.