Non-PE File (e.g. Malicious Office Files) Support on Sandbox about noriben HOT 3 CLOSED

Thanks for the compliment!

Currently DOCs are disabled due to various calling problems that can occur. It would assume that you have a DOC viewer already associated with the filename. Plus, in almost all cases, you would have to manually enable Macros or do other manual operations after launching the file. In that case, it's easiest to just copy the file in and do nothing else.

Once copied in, you can then interact with the VM, manually run the DOC, ensure it detonates, then wait out the timer (or cancel it).

However, if there's examples where "running" a DOC file, or other non-PE files, would automatically cause malicious activity to occur then I can look at adding that functionality.

from noriben.

I have been analyzing malicious office files (e.g. doc, rtf, xls, xlsx, etc.) on a Win 7 sandbox that has Noriben on it. I start noriben.py first, and then I open the malicious document. Procmon captures all the good stuff for an analyst (e.g. PowerShell commands, dropped files, etc.).

Statistically, malicious office files dominate the scene because of the use of using windows scripting files embedded into the macros (wmic, PowerShell, mshta, etc.)

To avoid manually "enabling" macros on an office file Microsoft allows macros to run without user interaction (see the link below).

https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

from noriben.

I was able to find a way to do this, but it's not great.

By testing for an executable run, and monitoring for an error, it then switches to "start", which lets Windows open a file with its associated program. If this fails or not, Noriben will continue running. I've tested it with Word documents, and unknown files (system pop-up to choose an app appears).

Output looks like:
[CreateProcess] python.exe:3252 > "%WinDir%\system32\cmd.exe /c start 4.docx" [Child PID: 1276]

Pushing this up now

from noriben.