|
Lorna analyzed a reader submitted XPS file: a phishing attempt. I would like to provide some pointers for the static analysis of XPS files. XPS files are like OOXML files (MS Office files): mainly XML files inside a ZIP container, e.g. a file according to the Open Packaging Conventions specification. Here you can see the content with zipdump.py:
The presence of files with extensions .fpage and .fdoc is an indicator that this is a XPS file. We can also look inside the first file [Content_Types].xml, it defines all the MIME media types present in this archive:
You might notice some XPS MIME media types in this XML document. Extracting the attributes with xmldump.py will make this more obvious:
File 12 (1.fpage) is an XML file describing the content of a page:
We can see it's UNICODE, so let's decode it:
The phishing URL Lorna analyzed is visible in this output. We can also use re-search.py to extract all URLs found in this file:
Or even the URLs from all files, but this will give a long list with legitimate URLs, so I use option -u (unique) to print each URL only once:
It's also possible to extract the text rendered by the page file. It can be found in attributes UnicodeString:
If you have encountered XPS files used for phishing or other malicious activities, please post a comment.
Didier Stevens |
DidierStevens 300 Posts ISC Handler |
| Reply Subscribe |
Jun 26th 2018 6 months ago |
|
where can I find the sample files your using in the test, I want to try these scripts. Thank you
|
Anonymous |
| Reply Quote |
Jun 26th 2018 6 months ago |
|
MD5 60e09a7a2cc36d15b42580711d3fb706
|
DidierStevens 300 Posts ISC Handler |
| Reply Quote |
Jun 26th 2018 6 months ago |
|
And the campaign is still active:
https://www.virustotal.com/#/file/158c7fa52ce49fadfe0296bdf5adaea452744bd6223578643bfc904726dfa692/community From: xxxxxxxx [mailto:xxxxxxx@laytonconstruction.com] Sent: Wednesday, June 27, 2018 12:18 PM Subject: Payment Remittance Note Good Morning, Attached is the Payment Advice and check copy that we have processed. Prior to utilizing the funds, please wait for 3-5 days for your paper check to arrive by mail. Please feel free to contact me with any questions or concerns. we appreciate your business. Thank you have a great day |
CBob 21 Posts |
| Reply Quote |
Jun 27th 2018 6 months ago |
|
We are getting hit with what appears to be the same thing. had an attached xps file with a link to https:// areticaempresarial. com. br/microsoftsharepoint/ share.php
From:xxxxxx [mailto:xxxxx@newtecsales.com] Sent: Thursday, June 21, 2018 11:48 AM Subject: Remittance Advice Note from 06/21/2018 Dear Customer, Attached is the Payment Advice and check copy that we have processed. The payment date reflects the date at which the payment is processed by our bank. Prior to utilizing the funds, please wait for 3-5 days for your paper check to arrive by mail. This remittance is intended for credit & collection department only. Thank you for your business, |
Anonymous |
| Reply Quote |
Jun 29th 2018 6 months ago |
|
I received a similar sample this morning. File SHA256 is: 17e019947f793abd034652cb13c729577f1a175c2289104270ecd58378289d17. File was called Reveiew.xps. Currently a 0/67 on VirusTotal, and it looks like the site the hidden link goes to is down: hxxp://www. landing. com. py/project/file
|
Wade 1 Posts |
| Reply Quote |
Jun 29th 2018 6 months ago |
Sign Up for Free or Log In to start participating in the conversation!
