Submitting a malware Excel document – CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls

This section deals with spreadsheet documents that contain malware samples. Make sure that Microsoft Office is installed in your VM environment. The VM also needs an Internet connection so that the malware analysis can run smoothly.

We will now submit an Excel file as the malware document. Let us see the steps involved:

  1. Open a new Terminal tab (Shift + Ctrl + T) and type in the following command line:
    $ python utils/submit.py --platform windows --package xls shares/CVE-2011-0609_XLS-SWF-2011-03-08_crsenvironscan.xls

    Make sure you get a Success message, as shown in the preceding screenshot, with task ID 13. Windows will open the Excel document.

  2. Then let Cuckoo start the analysis process on the Guest OS.
  3. A warning pop-up window will appear. Again, we assume that the user doesn't know what the warning means, so we choose "I recognize this content. Allow it to play." and click on the Continue button. Wait a moment until the malware document takes some action. The VM will close automatically after the malware document has finished all of its actions.
  4. Let's look at the storage/analyses/13 subfolder of the cuckoo directory.
  5. Open the reports subfolder, and then open report.html in your web browser.

    In the VirusTotal section, the malware is named Exploit-CVE2011-0609.

  6. The Dropped Files tab suggests that the malware uses Shockwave Flash objects to run the exploit code. No bug in Excel itself is used; the document relies on a Shockwave Flash bug that may be present on the victim's computer.
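To cross-check step 6 against the submitted document itself, the following added example (not code from the book or from the Cuckoo project) scans a file's raw bytes for embedded Flash movie headers: the FWS/CWS signature, the version byte and the little-endian length field. The function names, the version ceiling of 50 and the constructed sample bytes are assumptions made for illustration.

```python
import struct
import sys
import zlib

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed Flash movie

def _plausible(data, pos, magic, declared_len):
    if declared_len <= 8:                      # must be larger than the header
        return False
    if magic == b"FWS":                        # uncompressed: must fit in the file
        return pos + declared_len <= len(data)
    try:                                       # compressed: body must be valid zlib
        out = zlib.decompressobj().decompress(data[pos + 8:pos + 4104], 64)
    except zlib.error:
        return False
    return len(out) > 0

def find_embedded_swf(data, max_version=50):   # max_version: assumed sanity bound
    """Return sorted (offset, magic, version, declared_len) for plausible SWF headers."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]            # Python 3: indexing bytes gives an int
                declared_len = struct.unpack("<I", header[4:8])[0]
                if 1 <= version <= max_version and _plausible(data, pos, magic, declared_len):
                    hits.append((pos, magic.decode(), version, declared_len))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed, harmless test input: OLE2 magic, two fake movies, one decoy."""
    ole = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 504
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 40) + b"\x00" * 32
    cws = b"CWS" + bytes([9]) + struct.pack("<I", 108) + zlib.compress(b"\x00" * 100)
    decoy = b"FWS\xff\xff\xff\xff\xff"         # magic bytes with an implausible header
    return ole + fws + b"\x00" * 16 + cws + decoy

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, magic, ver, size in find_embedded_swf(blob):
        print("offset 0x%x  %s  version %d  declared length %d" % (off, magic, ver, size))
```

A hit is a triage lead that the document carries Flash content. A clean result does not rule it out, because a movie stored in non-contiguous OLE sectors or in an encoded form will not appear as one plain header.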