Video: Blitz 45 Seconds OneNote Malware Analysis

The malicious OneNote sample analyzed in this video contains an executable. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script, which can be inspected directly in Cerbero Suite.

SHA256: F408EF3FA89546483BA63F58BE3F27A98795655EB4B9B6217CBE302A5BA9D5F7

OneNote Format Support

Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.

Installing the package from Cerbero Store takes only a few mouse clicks.

Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite: all embedded files are automatically extracted and ready to be inspected.

In this image an executable is extracted from the OneNote malware. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script, which can be inspected directly.

The OneNote package can also be used programmatically.

from Pro.Core import *
from Pkg.OneNote.Core import OneNoteObject

def parseOneNoteDocument(fname):
    # load the document into a container
    c = createContainerFromFile(fname)
    if c.isNull():
        return
    obj = OneNoteObject()
    if not obj.Load(c):
        return
    # each entry locates an embedded file: (offset, size) within the document
    files = obj.GetEmbeddedFiles()
    for file in files:
        print("offset:", hex(file[0]), "size:", hex(file[1]))
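As an added stand-alone illustration (not the OneNote package's own code) of what such extraction does under the hood, the script below locates FileDataStoreObject structures by their header GUID, as laid out in MS-ONESTORE, and reports offset, size and a magic-based type for each embedded file; the input is a constructed blob following that layout, not a real sample.

```python
import struct
import uuid

# Layout from MS-ONESTORE, FileDataStoreObject:
#   guidHeader (16) | cbLength (8, LE) | unused (4) | reserved (8) | FileData | padding | guidFooter (16)
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file signature
DATA_OFFSET = 16 + 8 + 4 + 8  # FileData starts 36 bytes into the structure

# Magic bytes used only to label carved payloads for triage.
MAGIC = {b"MZ": "PE executable", b"MSCF": "CAB archive", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML"}

def classify(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def is_onenote(buf):
    return buf[:16] == ONE_FILE_GUID

def find_embedded_files(buf):
    """Return (offset, size, type, footer_ok) for each FileDataStoreObject in buf."""
    found = []
    pos = buf.find(FDSO_HEADER)
    while pos != -1 and pos + DATA_OFFSET <= len(buf):
        (size,) = struct.unpack_from("<Q", buf, pos + 16)
        start = pos + DATA_OFFSET
        if size > len(buf) - start:
            # Length points past the end of the file: corrupt or truncated, skip this header.
            pos = buf.find(FDSO_HEADER, pos + 16)
            continue
        end = start + size
        # guidFooter follows FileData after 0..7 bytes of alignment padding.
        footer_ok = any(buf[end + p:end + p + 16] == FDSO_FOOTER for p in range(8))
        found.append((start, size, classify(buf[start:end]), footer_ok))
        pos = buf.find(FDSO_HEADER, end)
    return found

def build_sample():
    """Constructed test blob (not a real sample): a PE-like and a CAB-like embedded file."""
    def fdso(payload):
        body = FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload
        return body + b"\0" * ((-len(body)) % 8) + FDSO_FOOTER
    return (ONE_FILE_GUID + b"\0" * 20
            + fdso(b"MZ" + b"\x90" * 30)
            + b"\xAA" * 5
            + fdso(b"MSCF" + b"\0" * 12))

if __name__ == "__main__":
    blob = build_sample()
    print("OneNote signature:", is_onenote(blob))
    for off, size, kind, ok in find_embedded_files(blob):
        print("offset:", hex(off), "size:", hex(size), kind, "footer ok" if ok else "footer missing")
```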

Cerbero Suite 6.1 and Cerbero Engine 3.1 are out!

We’re happy to announce the release of Cerbero Suite 6.1 and Cerbero Engine 3.1!

This release contains many improvements to our PDF support.

New JBIG2 Library

Our PDF support has been featuring the capability to decode JBIG2 streams for many years.

JBIG2 is an imperative file format which has been demonstrated to be Turing complete. In fact, one of the most sophisticated exploits ever created targeted a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to build a small virtual machine out of the logical operations defined by JBIG2.

In a recent release we made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.

This release features a completely rewritten JBIG2 library. Not only is it faster than the previous one, but it also enforces constraints on allocation and processing time by default. The library therefore runs in the same process again, and it is even faster than before.

For the customers of our engine: it is still possible to use the old JBIG2 library:

pdf.SetJBIG2LibraryVersion(1)

By default version 2 (the new library) is used.

JPEG & JPEG2000 Decoders

We added support for the /DCTDecode and /JPXDecode filters in PDFs. These two filters represent JPEG and JPEG2000 respectively. In practice this means that images compressed in JPEG are converted to raw data when streams are decoded.

The reason for this is that it is possible to encode JavaScript code in a grayscale JPEG image. This has been done as a proof of concept by Dénes Olivér Óvári and we’ll detail it in the next release of our e-zine.

We want to thank Dénes for his research and for providing us with his proof of concept!

For the customers of our engine: in case you are not interested in supporting these filters, we have introduced a mechanism to individually disable filters:

pdf.EnableFilter(PDFObject.FilterType_DCTDecode, False)
pdf.EnableFilter(PDFObject.FilterType_JPXDecode, False)

PDF SDK Catalog Support

We introduced SDK support for parsing the pages in a PDF:

# obj is an already loaded PDF object
objtable = obj.GetObjectTable()
# computes the catalog tree
cat = obj.ComputeCatalogTree(objtable)
# flattens the tree into a list of page objects
pages = obj.FlattenCatalogTree(cat)
page_count = pages.size()
print("Number of pages:", page_count)
for i in range(page_count):
    print("    Page:", i + 1, "- Object:", obj.ObjectToString(objtable, pages.at(i)))

Sample output:

Number of pages: 12
    Page: 1 - Object: 5.0
    Page: 2 - Object: 71.0
    Page: 3 - Object: 100.0
    Page: 4 - Object: 113.0
    Page: 5 - Object: 132.0
    Page: 6 - Object: 154.0
    Page: 7 - Object: 172.0
    Page: 8 - Object: 210.0
    Page: 9 - Object: 236.0
    Page: 10 - Object: 277.0
    Page: 11 - Object: 286.0
    Page: 12 - Object: 320.0

DIB & GIF Modules Documentation

We have documented the API for parsing DIB and GIF images.

Fast Timer

We have introduced a fast timer in our SDK called NTTimer. This timer is considerably faster than the timing mechanism provided by NTTime.

The way to use it is the same:

t = NTTimer()
t.start()
print("elapsed ms:", t.elapsed())

Zip Parsing Bug

We have fixed a potential infinite loop when parsing incorrect NTFS attributes in Zip archives.

We want to thank CJCCPS for having reported the issue!

Cerbero Suite 6 and Cerbero Engine 3 are out!

We’re happy to announce the release of Cerbero Suite 6 and Cerbero Engine 3!

All of our customers can upgrade their licenses at a 50% discount for the next 3 months. We value our customers, and everyone who bought a license in August should have received a free upgrade to Cerbero Suite 6. Everyone who purchased a license before August, but within the last 3 months, should have received an additional discount. Commercial customers with an active subscription plan should have already received a license for Cerbero Suite 6.

If you’re a customer of Cerbero Suite 5 and didn’t get an email from us, please contact us at sales@cerbero.io.

So what’s new?

Sample Downloader Package

While we published this package on Cerbero Store in August, it was actually planned for the 6.0 release: one of the main reasons for the introduction of Cerbero Store was the ability to offer certain types of updates as soon as they were ready.

Check out the video presentation for a quick introduction to the Sample Downloader package.

Installing the package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.

To download one or multiple malware samples, just enter their hash.

Sample Downloader will try to download the malware samples from all supported intelligence services.

Once the samples have been downloaded, you can directly inspect them in Cerbero Suite.

You can download additional samples using one of the actions added by the package. Additionally, Sample Downloader can also be invoked from the command line.

Improved Search Dialogs

We improved all the search dialogs in Cerbero Suite and we made sure that all of them support regular expressions.

However, the main improvement is that we introduced wrap around search.

We also added text search to our Carbon disassembler and native Ghidra UI.

Java Class & DEX Modules Documentation

We have documented the API for parsing Java Class files and Android DEX files.

Writable Remote Containers

With our multi-processing technology we introduced remote containers. One of the limitations of remote containers was that they were read-only. Now we also support writable remote containers.

Updated Sleigh Decompiler & AppleSilicon Support

We updated the Sleigh decompiler to the one in Ghidra 10.1.15.

While support for AppleSilicon was previously provided through the generic support for ARM64, we have now added specific support for AppleSilicon in the decompiler.

Improved Office Documents Scan

Following a tweet on Twitter, we made sure that external references in Microsoft Office documents are also correctly detected in .rels files.

We have also improved string support in older XLS documents.

Text Browser View

We have graphically improved our text browser view, the UI control used by our Carbon disassembler, and we have exposed it to Python.

Here’s a code example from the SDK documentation showing how to display custom lines provided from UI notifications and how to handle textual hyper-links:

from Pro.Core import *
from Pro.UI import *

class CustomView:

    @staticmethod
    def callback(cv, self, code, view, data):
        if code == pvnInit:
            t = cv.getView(1)
            t.showCustomLines()
            return 1
        elif code == pvnTextBrowserLineCount:
            vid = view.id()
            if vid == 1:
                data.setCount(100)
        elif code == pvnTextBrowserGetLine:
            vid = view.id()
            if vid == 1:
                b = ProTextBrowserStringBuilder()
                b.setTextColor(0, 0, 180)
                b.append("This is line number ")
                b.setTextColor(180, 0, 0)
                b.append(str(data.id + 1) + " ")
                b.setTextColor(0, 180, 0)
                b.beginHyperLink(1, 0)
                b.append("This is a hyper-link.")
                b.endHyperLink()
                data.setLine(b.buffer)
        elif code == pvnTextBrowserHyperLinkActivated:
            vid = view.id()
            if vid == 1:
                proContext().msgBox(MBIconInfo, "Hyper-link activated!")
        return 0

    def show(self):
        ctx = proContext()
        v = ctx.createView(ProView.Type_Custom, "Text Browser Demo")
        v.setup("<ui><vl margin='0'><textbr id='1'/></vl></ui>", self.callback, self)
        ctx.addView(v)

cv = CustomView()
cv.show()

Exposed ProTheme

We have exposed UI themes to Python, which is going to be useful to plugins which need to query colors for a specific theme.

Introduced ProWebRequest

Our API for web requests was somewhat limited. We have therefore introduced ProWebRequest.

Fixed Bugs

We have fixed a few major bugs and regressions. Specifically we fixed:

  • a wrong Windows Memory Analysis package dependency for Windows crash dump files
  • a regression causing a crash when changing a function prototype in the decompiler
  • a regression resulting in a missing refresh when loading embedded files

We have also made other various improvements and fixed a few minor issues.

What’s Next?

These are some of the things we introduced over the course of the 5.x series:

During the 6.x series we expect to finish the SDK documentation and, even more importantly, introduce many exciting new features.

We expect this series to be more feature-focused, since a considerable amount of the development time of the previous series has been devoted to laying the groundwork for Cerbero Store.

As during the previous series, we’ll release some of the packages on Cerbero Store exclusively to commercial licenses. The current ratio of commercial packages on Cerbero Store is 50%.

We try to limit the amount of commercial packages to those which fulfill a strictly commercial purpose and release more generic packages for all licenses. That having been said, we are planning some extremely useful commercial packages for this series which you don’t want to miss!

Sample Downloader Package

We have just released our Sample Downloader package and it is available for all licenses of Cerbero Suite Advanced.

While this is a simple package, we consider it extremely useful, as it allows downloading malware samples by their hash. The package tries to download the requested samples from the various supported intelligence services.

Check out the video presentation for a quick introduction!

Installing the Sample Downloader package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.

To download one or multiple malware samples, just enter their hash.

Sample Downloader will try to download the malware samples from all supported intelligence services.

Once the samples have been downloaded, you can directly inspect them in Cerbero Suite.

You can download additional samples using one of the actions added by the package.

Additionally, Sample Downloader can also be invoked from the command line.

Video: Blitz XLS Malware Payload Extraction

The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.

SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740

The following is the Python code which mimics the VBA extraction code.

from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext

v = proContext().getCurrentAnalysisView()
if v.isValid():
    view = SiliconSpreadsheetWorkspaceView(v)
    ws = view.getSpreadsheetWorkspace()
    sheet = ws.sheetFromName("Final Offer")
    col = SiliconSpreadsheetUtil.colIndex("BS")
    text = ""
    for i in range(100, 701):
        cell = sheet.getCell(col, i)
        if cell.isEmpty():
            continue
        text += cell.value
    print(text[::-1])

Note: the code must be executed while the spreadsheet is open in the analysis view.

AbuseCH Intelligence 2.1 Package

We have just released version 2.1 of our AbuseCH Intelligence package for Cerbero Suite Advanced.

Apart from a few minor improvements, we added a summary view for the vendors supported by MalwareBazaar.

The summary provides an overview of the various vendor reports at a glance.

If you’re not yet familiar with our AbuseCH Intelligence package, you can check out the video presentation to quickly learn about its features.

Suite 5.7 and Engine 2.7 are out!

Here is a summary of the main news in this release of Cerbero Suite 5.7 and Cerbero Engine 2.7.

Expanded AbuseCH Intelligence Package

We have released an improved version of the originally named ‘MalwareBazaar Intelligence’ commercial package. We have renamed the package to ‘AbuseCH Intelligence’ and greatly expanded its functionality.

Check out the video presentation to quickly learn about its features.

If you want to learn more about the new features, you can read our dedicated post.

CFBF Module Documentation

We have documented the API for parsing Microsoft legacy Office documents.

The documentation includes examples that show how to enumerate CFBF directories, decrypt documents, extract VBA code and decompile macros.

Augmented JBIG2 Decoding Security

Our PDF support has been featuring the capability to decode JBIG2 streams for many years.

In this release we have made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.

JBIG2 is an imperative file format which has been demonstrated to be Turing complete. In fact, one of the most sophisticated exploits ever created targeted a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to build a small virtual machine out of the logical operations defined by JBIG2.

Our changes perfectly prevent memory exhaustion and stalling issues: if the decoding process doesn’t complete within a given time, the decoding fails and the issue is reported to the user.
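As an added example (not Cerbero’s code), the Python sketch below shows the two controls described here and in the 6.1 notes above: the decoder is isolated in a child process with an address-space cap and a deadline, so a stalling or allocation-hungry stream only takes the child down and the failure is reported to the caller. The decoder itself is a constructed stand-in driven by a one-word argument, and the memory cap relies on the Unix `resource` module.

```python
import resource
import subprocess
import sys
import textwrap

# Constructed stand-in for a decoder of an untrusted stream. The one-word
# "stream" argument selects the behaviour so all cases can be exercised offline.
WORKER = textwrap.dedent("""
    import sys
    stream = sys.argv[1]
    if stream == "stall":          # a segment graph that never terminates
        while True:
            pass
    if stream == "exhaust":        # unbounded allocation
        buf = []
        while True:
            buf.append(bytearray(1 << 20))
    sys.stdout.write("decoded %d bytes" % len(stream))
""")

def _cap_address_space(max_bytes):
    # Runs in the child just before exec: any allocation past the cap fails.
    def apply():
        resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))
    return apply

def decode_isolated(stream, timeout_s=2.0, max_bytes=256 << 20):
    """Decode in a child process under a memory cap and a deadline.

    Returns (ok, reason, output). The parent never blocks for longer than
    timeout_s and never grows, whatever the stream makes the decoder do.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER, stream],
            capture_output=True, text=True, timeout=timeout_s,
            preexec_fn=_cap_address_space(max_bytes),
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing lingers.
        return (False, "timeout after %.1fs" % timeout_s, "")
    if proc.returncode != 0:
        # MemoryError (or a crash) in the child surfaces here as a failed decode.
        return (False, "decoder aborted (exit code %d)" % proc.returncode, "")
    return (True, "ok", proc.stdout)

if __name__ == "__main__":
    for sample in ("segments-ok", "stall", "exhaust"):
        print(sample, "->", decode_isolated(sample, timeout_s=1.0))
```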

Human Hash

We have integrated human hashes in our analysis workspace. When you rest the cursor on the cryptographic hash of the current object, it displays the humanized version of the hash as a tool-tip.

The humanized hash can also be copied to the clipboard from the drop-down menu next to the cryptographic hash edit box.

While a human hash, with a uniqueness of only 1 in 4 billion, forgoes the security of cryptographic hashes, it may be useful when comparing hashes at a glance.

Deflate64 Support

We have added support for the proprietary deflate64 decompression method. The decompression is integrated both in our Zip format support and in our filters technology.

New Python APIs

We added a few new APIs to our SDK. The most important addition is the logicProviderArguments method, which can be used by logic providers to retrieve their command line arguments (in case they were invoked from the command line).

This is a small code example of a logic provider init function:

from Pro.Core import *

def customLogicProviderInit():
    ctx = proCoreContext()
    # command line arguments passed to the logic provider, if it was invoked from the command line
    args = ctx.logicProviderArguments()
    if not args.isEmpty():
        # has arguments...
        pass

Extensions Load Errors

To more easily debug load errors of extensions, we have enabled a debug message which shows only once for each extension which failed to load. This change is mainly directed at developers of extensions.

We have also made other various improvements and fixed a few issues.

AbuseCH Intelligence 2.0 Package

The soon to be released 5.7 version of Cerbero Suite Advanced comes with an improved version of the originally named ‘MalwareBazaar Intelligence’ commercial package. We have renamed the package to ‘AbuseCH Intelligence’ and greatly extended its functionality.

Check out the video presentation to quickly learn about its features.

Installing the AbuseCH Intelligence package from Cerbero Store takes only a few clicks.

Once installed, you can search malware samples on MalwareBazaar.

Searches can be performed using all supported parameters and also include recently uploaded samples.

Malware samples can be downloaded and analyzed right away, without ever leaving the Cerbero Suite user interface.

When you open a file in the analysis workspace, the complete MalwareBazaar intelligence can be accessed directly from the report.

Highlighted entries in the report can be activated to continue searching for additional malware samples.

The discovered malware samples can be batch-downloaded and are automatically added to the current project.

You can also perform custom searches on MalwareBazaar using the relevant action.

And, of course, all analyzed files are saved inside the current project.

We’re soon going to showcase the functionality of this package in more detail while performing real-world malware analysis.