Lab 7-2 Solutions

Short Answers

  1. This program does not achieve persistence. It runs once and then exits.

  2. The program displays an advertisement web page to the user.

  3. The program finishes executing after displaying the advertisement.

Detailed Analysis

We begin with some basic static analysis. While we don’t see any interesting ASCII strings, we do see one interesting Unicode string: http://www.malwareanalysisbook.com/ad.html. We check the imports and exports of the program, and see only a few imports in addition to the standard imports, as follows:

SysFreeString
SysAllocString
VariantInit
CoCreateInstance
OleInitialize
OleUninitialize

All of these functions are COM-related. The CoCreateInstance and OleInitialize functions in particular are required in order to use COM functionality.

Next, we try dynamic analysis. When we run this program, it opens Internet Explorer and displays an advertisement. There’s no evidence of the program modifying the system or installing itself to execute when the computer is restarted.

Now we can analyze the code in IDA Pro. We navigate to the _main method and see the code shown in the following listing.

00401003  push    0               ; pvReserved
00401005  call    ds:OleInitialize
0040100B  test    eax, eax
0040100D  jl      short loc_401085
0040100F  lea     eax, [esp+24h+ppv]
00401013  push    eax             ; ppv
00401014  push    offset riid     ; riid
00401019  push    4               ; dwClsContext
0040101B  push    0               ; pUnkOuter
0040101D  push    offset rclsid   ; rclsid
00401022  call    ds:CoCreateInstance
00401028  mov     eax, [esp+24h+ppv]

The first thing the malware does is initialize COM with OleInitialize (00401005) and obtain a pointer to a COM object with CoCreateInstance (00401022). The COM object returned is stored on the stack in a variable that IDA Pro has labeled ppv, as shown at 00401028. In order to determine what COM functionality is being used, we need to examine the interface identifier (IID) and class identifier (CLSID) passed to CoCreateInstance.

Clicking rclsid and riid shows that they are 0002DF01-0000-0000-C000-000000000046 and D30C1661-CDAF-11D0-8A3E-00C04FC9E26E, respectively. To determine which program will be called, check the registry for the CLSID, or search for the IID on the Internet for any documentation. In this case, these values are the same identifiers we used in The Component Object Model. The IID is for IWebBrowser2, and the CLSID is for Internet Explorer.
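In the binary, rclsid and riid are 16-byte GUID structures, and the first three fields are stored little-endian, so the raw bytes in .rdata do not read in the same order as the dashed string IDA displays. The following helper, added here as an example and not part of the lab or the book, converts the raw bytes to the canonical string, matches them against the two identifiers named above, and builds the registry path where the CLSID would be looked up. The byte strings are constructed from those two GUIDs; the KNOWN_GUIDS table is an assumption containing only the identifiers this page names.

```python
import uuid

# Constructed sample input: the 16 bytes of rclsid and riid as they would sit in
# .rdata (Data1, Data2, Data3 little-endian, Data4 as an 8-byte array).
RCLSID_BYTES = bytes.fromhex("01df020000000000c000000000000046")
RIID_BYTES = bytes.fromhex("61160cd3afcdd0118a3e00c04fc9e26e")

# Assumed lookup table: only the two identifiers discussed in this lab.
KNOWN_GUIDS = {
    "0002df01-0000-0000-c000-000000000046": "CLSID: Internet Explorer",
    "d30c1661-cdaf-11d0-8a3e-00c04fc9e26e": "IID: IWebBrowser2",
}


def guid_from_bytes(raw: bytes) -> str:
    """Return the canonical upper-case GUID string for 16 in-memory GUID bytes."""
    if len(raw) != 16:
        raise ValueError(f"a GUID is exactly 16 bytes, got {len(raw)}")
    # bytes_le swaps Data1/Data2/Data3 back to the printed (big-endian) order.
    return str(uuid.UUID(bytes_le=raw)).upper()


def identify(raw: bytes) -> tuple[str, str]:
    """Decode the GUID and name it if it is one we know; 'unknown' otherwise."""
    guid = guid_from_bytes(raw)
    return guid, KNOWN_GUIDS.get(guid.lower(), "unknown")


def clsid_registry_path(clsid: str) -> str:
    """Registry key under which a CLSID is registered on a Windows host."""
    return r"HKEY_CLASSES_ROOT\CLSID\{" + clsid.upper() + "}"


if __name__ == "__main__":
    for label, raw in (("rclsid", RCLSID_BYTES), ("riid", RIID_BYTES)):
        guid, name = identify(raw)
        print(f"{label}: {guid}  ->  {name}")
    print(clsid_registry_path(guid_from_bytes(RCLSID_BYTES)))
```

Reading the raw bytes without the byte swap is a common mistake; it yields a GUID that matches nothing in the registry or in any documentation, so always decode with the in-memory layout in mind before searching.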

As shown in the following listing, the COM object returned by CoCreateInstance is accessed a few instructions later, at 0040105C.

0040105C  mov     eax, [esp+28h+ppv]
00401060  push    ecx
00401061  lea     ecx, [esp+2Ch+pvarg]
00401065  mov     edx, [eax]
00401067  push    ecx
00401068  lea     ecx, [esp+30h+pvarg]
0040106C  push    ecx
0040106D  lea     ecx, [esp+34h+var_10]
00401071  push    ecx
00401072  push    esi
00401073  push    eax
00401074  call    dword ptr [edx+2Ch]

Following this instruction, EAX points to the location of the COM object. At 00401065, EAX is dereferenced and EDX points to the beginning of the COM object itself, which is the interface's vtable. At 00401074, the function at an offset of +0x2C from the start of the vtable is called. As discussed in the chapter, the offset 0x2C for the IWebBrowser2 interface is the Navigate function, and we can use the Structures window in IDA Pro to create a structure and label the offset. When Navigate is called, Internet Explorer navigates to the web address http://www.malwareanalysisbook.com/ad.html.
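The offset 0x2C is not arbitrary: a COM vtable lists the interface's methods in declaration order, including the methods inherited from its parent interfaces, one pointer each. The following script, added here as an example (not the book's or IDA's code), models the inherited part of the IWebBrowser2 vtable (IUnknown, then IDispatch, then IWebBrowser, in the order declared in exdisp.h) and resolves an indirect call operand of the kind seen at 00401074 to a method name. It goes beyond the lab in one respect: the pointer size is a parameter, so the same method lands at 0x58 in a 64-bit build. The remaining IWebBrowserApp and IWebBrowser2 methods follow the ones listed and are omitted here, so offsets past the table return None.

```python
import re

# Inherited method chain of IWebBrowser2, in declaration order (exdisp.h).
IUNKNOWN = ["QueryInterface", "AddRef", "Release"]
IDISPATCH = ["GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]
IWEBBROWSER = [
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate", "Refresh",
    "Refresh2", "Stop", "get_Application", "get_Parent", "get_Container",
    "get_Document", "get_TopLevelContainer", "get_Type", "get_Left",
    "put_Left", "get_Top", "put_Top", "get_Width", "put_Width", "get_Height",
    "put_Height", "get_LocationName", "get_LocationURL", "get_Busy",
]
# IWebBrowserApp and IWebBrowser2 add further methods after these; not modelled.
VTABLE = IUNKNOWN + IDISPATCH + IWEBBROWSER


def vtable_offset(method: str, ptr_size: int = 4) -> int:
    """Byte offset of a method's slot from the start of the vtable."""
    return VTABLE.index(method) * ptr_size


def method_at(offset: int, ptr_size: int = 4):
    """Method name for a vtable byte offset, or None if outside the modelled part."""
    if offset % ptr_size:
        raise ValueError(f"offset {offset:#x} is not a multiple of {ptr_size}")
    index = offset // ptr_size
    return VTABLE[index] if index < len(VTABLE) else None


# Matches IDA-style operands such as "call dword ptr [edx+2Ch]" or "[rax+0x58]".
_INDIRECT_CALL = re.compile(
    r"call\s+(?:dword|qword)\s+ptr\s+\[\w+\+(?:0x([0-9A-Fa-f]+)|([0-9A-Fa-f]+)h?)\]"
)


def resolve_indirect_call(insn: str, ptr_size: int = 4):
    """Return (offset, method) for an indirect call through a vtable register."""
    m = _INDIRECT_CALL.search(insn)
    if not m:
        raise ValueError(f"not an indirect vtable call: {insn!r}")
    offset = int(m.group(1) or m.group(2), 16)
    return offset, method_at(offset, ptr_size)


def vtable_table(ptr_size: int = 4) -> list[str]:
    """Lines suitable for filling in an IDA structure: offset and method name."""
    return [f"{i * ptr_size:#06x}  {name}" for i, name in enumerate(VTABLE)]


if __name__ == "__main__":
    # The instruction from the lab listing at 00401074.
    print(resolve_indirect_call("00401074  call    dword ptr [edx+2Ch]"))
    print("\n".join(vtable_table()[:12]))
```

Labeling the structure in IDA is the same exercise: each slot is ptr_size bytes wide, and its name is the method at that position in the declaration order, so a mislabeled parent interface shifts every later name.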

After the call to Navigate, there are a few cleanup functions and then the program ends. The program doesn’t install itself persistently, and it doesn’t modify the system. It simply displays a one-time advertisement.

When you encounter a simple program like this one, you should consider it suspect. It may come packaged with additional malware, of which this is just one component.
