Lorna analyzed a reader-submitted XPS file: a phishing attempt. I would like to provide some pointers for the static analysis of XPS files.

XPS files are like OOXML files (MS Office files): mainly XML files inside a ZIP container, i.e. a file that follows the Open Packaging Conventions specification. Here you can see the content with zipdump.py:

The presence of files with extensions .fpage and .fdoc is an indicator that this is an XPS file.

We can also look inside the first file, [Content_Types].xml; it defines all the MIME media types present in this archive:

You might notice some XPS MIME media types in this XML document. Extracting the attributes with xmldump.py will make this more obvious:

File 12 (1.fpage) is an XML file describing the content of a page:

We can see it's UNICODE, so let's decode it:

The phishing URL Lorna analyzed is visible in this output.

We can also use re-search.py to extract all URLs found in this file:

Or even the URLs from all files, but this will give a long list with legitimate URLs, so I use option -u (unique) to print each URL only once:

It's also possible to extract the text rendered by the page file. It can be found in attributes UnicodeString:

If you have encountered XPS files used for phishing or other malicious activities, please post a comment.
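As an added example (my own code, not the diary's zipdump.py/xmldump.py/re-search.py), the same triage steps in Python: read the MIME media types from [Content_Types].xml, decode a UTF-16 .fpage part, list each URL once (for all parts or just the .fpage parts), and pull the UnicodeString text. The XPS container is constructed inline; its URL and text are made up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def build_sample_xps() -> bytes:
    """Constructed minimal XPS-style OPC container; URL and text are made up."""
    types_xml = (b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 b'<Default Extension="fpage" ContentType="application/vnd.ms-package.xps-fixedpage+xml"/>'
                 b"</Types>")
    # Page markup stored as UTF-16 with BOM, as in the diary's sample
    fpage = ('<FixedPage xmlns="http://schemas.microsoft.com/xps/2005/06" Width="816" Height="1056">'
             '<Canvas FixedPage.NavigateUri="https://phish.example/login">'
             '<Glyphs UnicodeString="Click here to view document" OriginX="10" OriginY="20"/>'
             "</Canvas></FixedPage>").encode("utf-16")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("Documents/1/Pages/1.fpage", fpage)
    return buf.getvalue()

def content_types(data: bytes) -> dict:
    """Extension -> MIME media type from the Default entries of [Content_Types].xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("[Content_Types].xml"))
    return {d.get("Extension"): d.get("ContentType") for d in root.iter(CT_NS + "Default")}

def decode_part(raw: bytes) -> str:
    """UTF-16 parts carry a BOM; everything else in OPC is UTF-8."""
    return raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")

def unique_urls(data: bytes, suffix: str = "") -> list:
    """URLs from parts whose name ends with suffix (all parts by default), each once, in order."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(suffix)):
            seen.update(dict.fromkeys(URL_RE.findall(decode_part(z.read(name)))))
    return list(seen)

def rendered_text(data: bytes) -> list:
    """Text the page renders: UnicodeString attributes found in .fpage parts."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".fpage")):
            root = ET.fromstring(decode_part(z.read(name)))
            out += [e.get("UnicodeString") for e in root.iter() if e.get("UnicodeString")]
    return out
```

Scanning all parts also returns the schema namespace URLs, which is the legitimate noise the diary mentions; restricting to .fpage parts narrows the list.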
Didier Stevens
DidierStevens 652 Posts ISC Handler Jun 26th 2018
Where can I find the sample files you're using in the test? I want to try these scripts. Thank you
Anonymous
Jun 26th 2018
MD5 60e09a7a2cc36d15b42580711d3fb706
DidierStevens 652 Posts ISC Handler
Jun 26th 2018
And the campaign is still active:
https://www.virustotal.com/#/file/158c7fa52ce49fadfe0296bdf5adaea452744bd6223578643bfc904726dfa692/community

From: xxxxxxxx [mailto:xxxxxxx@laytonconstruction.com]
Sent: Wednesday, June 27, 2018 12:18 PM
Subject: Payment Remittance Note

Good Morning,
Attached is the Payment Advice and check copy that we have processed. Prior to utilizing the funds, please wait for 3-5 days for your paper check to arrive by mail. Please feel free to contact me with any questions or concerns. We appreciate your business. Thank you, have a great day
CBob 23 Posts
Jun 27th 2018
We are getting hit with what appears to be the same thing. Had an attached xps file with a link to https:// areticaempresarial. com. br/microsoftsharepoint/ share.php

From: xxxxxx [mailto:xxxxx@newtecsales.com]
Sent: Thursday, June 21, 2018 11:48 AM
Subject: Remittance Advice Note from 06/21/2018

Dear Customer,
Attached is the Payment Advice and check copy that we have processed. The payment date reflects the date at which the payment is processed by our bank. Prior to utilizing the funds, please wait for 3-5 days for your paper check to arrive by mail. This remittance is intended for credit & collection department only. Thank you for your business,
Anonymous
Jun 29th 2018
I received a similar sample this morning. File SHA256 is: 17e019947f793abd034652cb13c729577f1a175c2289104270ecd58378289d17. File was called Reveiew.xps. Currently a 0/67 on VirusTotal, and it looks like the site the hidden link goes to is down: hxxp://www. landing. com. py/project/file
Wade 1 Posts
Jun 29th 2018