Skip to main content

EPS obfuscation for MS Office exploits

We took a deeper look into a recent FireEye blog post on 2 new EPS exploits used while zero-day by the APT 28 / Turla group.  Both exploits have been patched. One of the samples used an interesting EPS based obfuscation technique to avoid detection. By using a 4 byte xor within native Postscript commands the exploit code can be obfuscated and decoded in memory at run time defeating static analysis.

CVE-2017-0262 Sample Report

The obfuscation

The PostScript code starts with a xor loop using key 0xC45D6491 using only built-in PostScript functionality

Using our Cryptam multi tool, we'll decode the EPS block manually:

$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491

$ ./quicksand.out eps.test.out
 -0> root {7}
  qstime:2017:05:11 14:08:48

Deobfuscated PostScript

We've added a new PostScript XOR obfuscation warning_EPS_xor_exec Yara signature to our QuickSand_Lite project our GitHub.


CVE-2017-0262 Sample [Report]
Filename Confirmation_letter.docx.bin
Size 251036 bytes
MD5 2abe3cc4bff46455a945d56c27e9fb45
SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee
SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490

CVE-2017-0261 Sample [Report] (obfuscated)
Filename Trump's_Attack_on_Syria_English.docx
Size 268950 bytes
MD5 f8e92d8b5488ea76c40601c8f1a08790
SHA1 d5235d136cfcadbef431eea7253d80bde414db9d
SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9


Popular posts from this blog

Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and

Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.

ResultsPDFExaminer will return a score of over 0 and under 10 for active content, don't trust a PDF with Active Content from emails. Some complicated forms like Passport applications will have a lot of Javascript but are safe. PDFExaminer allows an experienced analyst to drill down to view the actual Javascript. A score over 10 with a CVE-201XX-XXXX exploit ID are definitely bad, don't open those at all. See below "Cryptam and for all non-executable files" for more analysis you can do on a PDF to find obfuscated embedded executables.

Cryptam and for documents
Both  Cryptam and will parse all the various streams that can occur within an Office document such as Word, PowerP…

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update:  So far some of the samples are killed with ms12-060 but are not a known exploit, so this might be a new, but patched exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch - all samples are at 7 or 8 of 43 max on VirusTotal.

We are currently examining 40 samples of an unconfirmed zeroday in Microsoft Office circulating against Pro Democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload, however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today June 6 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.… Open Source version released

Today we are officially launching an open source licensed version of - a C command line tool to scan document streams with Yara signatures for exploits and active content as well as Cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full Cryptanalysis module, the brute force single byte XOR, or the XOR Look Ahead algorithm.

Github Repo

In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros, 10+ are exploits or shell commands executed via the active content.

Exploit and Active Content Detection
WordExcelPowerpointRTFMime MSO xmlEmails