- Altered documents contain clues to previous versions – Binary chunks.
- Also contain misinformation
- They increase the filesize from the original 696Kb to 6.9Mb
- “Confidential” watermark: from GDIC?
- MSODatastore contains a Guccifer Clue.
The source of Guccifer’s 1.doc can be viewed in a browser:
view-source:https://guccifer2.files.wordpress.com/2016/06/1.doc
We can see that it’s mostly a text format. A real word .doc is a binary format and would look something like this in a browser.
view-source:https://www.benefits.va.gov/WARMS/docs/admin26/pamphlet/pam26_7/ch06.doc
Contained within the text of 1.doc are several encoded hex strings that contain the items mentioned above. Brief instructions about how to extract them yourself are at the bottom of this post, and I’ve uploaded B64 versions of some to dropbox.
“Russian Language” Theme
The Russian language in the documents has long been disputed, see for example Adam Carter’s excellent blog and links therein. In the source we can see the section where the Russian style comes from:
\par }{\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid12588815\charrsid11758497 \par }{\*\themedata 504b030414000600080000002100828abc13fa0000001c020000130000005b436f6e74656e745f54797065735d2e786d6cac91cb6ac3301045f785fe83d0b6d8 72ba28a5d8cea249777d2cd20f18e4b12d6a8f843409c9df77ecb850ba082d74231062ce997b55ae8fe3a00e1893f354e9555e6885647de3a8abf4fbee29bbd7 2a3150038327acf409935ed7d757e5ee14302999a654e99e393c18936c8f23a4dc072479697d1c81e51a3b13c07e4087e6b628ee8cf5c4489cf1c4d075f92a0b 44d7a07a83c82f308ac7b0a0f0fbf90c2480980b58abc733615aa2d210c2e02cb04430076a7ee833dfb6ce62e3ed7e14693e8317d8cd0433bf5c60f53fea2fe7 065bd80facb647e9e25c7fc421fd2ddb526b2e9373fed4bb902e182e97b7b461e6bfad3f010000ffff0300504b030414000600080000002100a5d6a7e7c00000
This is the “Russian” language theme and decodes as an XML docx theme as shown in the tree below. It really is a Russian theme. The only problem is: it’s damn easy to fake as I’ll show in another post.
├── [Content_Types].xml ├── _rels │ └── rels ├── theme │ └── theme │ ├── _rels │ │ └── themeManager.xml.rels │ ├── theme1.xml │ └── themeManager.xml
Edit: theme1.xml in G2.0’s doc seems to be exactly the same as this one and is mentioned in these MSDocs about XML SDK.
The ColorScheme
Not the most thrilling thing in the world, but included for completeness.
BLIP1 – WMF with Confidential .tga file
Link to Base 64 Encoded version
WordPress doesn’t allow .wmf or .tga images “for security reasons” so this is a PNG copy of it.
Strapping on the veterinary rubber gloves and going elbow deep into the WMF that that “wraps” the .tga file we find some interesting stuff:
We’ve got GDIC mentioned at least twice (the only possible relevant thing I can find for GDIC is General Defence Intelligence Committee), System, IBM, DOS, and what could be a sort of file path heavily obfuscated. I’ve tried finding Win32FileTimes without success. Unfortunately WMF/EMF is an old format and isn’t very well documented.
This watermark has been added as it isn’t in the original docx.
- We presume by G2.0.
- The question is: why? Does he want us to find GDIC?
- Is he implying he’s also hacked GDIC?
- Oh Lord, Is it a SIGN?
BLIP2
Is just the png from the file:
BLIP3
Link to Base64 encoded file [Windows users may want to virus check this after decoding]
It’s a known problem that if a WORD .doc with graphics is saved as an .rtf the filesize balloons as it makes two copies of images, one original, and one as a WMF. While it’s a known problem this difference in file sizes seems a bit extreme. There may be something else going on here. Guccifer2.0 said he left some surprises. Blip3 is supposedly the same full size PNG as BLIP2 but just wrapped in a WMF shell for compatibility. Yet BLIP3 is 1.8 Mb and BLIP 2 is only 247kb. What’s going on?
Opening via imagemagick shows a tiny 69x69px version of BLIP2 {shown top left}. Clicking on properties show data of an unknown type attached to the image:
- The PNG is there right enough from offset 0x164 to 0x3DF68 (253.8K) but the file continues all the way to to 0x1C4154 (1851.7K)
- I stopped counting at 60 the occurrences of the string “WMFC”. As far as I can tell the term for a Windows Meta File is WMF, not WMFC. Searching for WMFC only brings up “Wait For Memory Function Complete”… Crikes.
- Nobody panic. It’s either a mystery that’s either irrelevant or utterly vital to the survival of the species.
Part 3 looks at the only solid breadcrumbs that G2.0 has left us: the MSODatastore
————————————————————————————————————-
How to find the Binaries:
Scheme is essentially the same for all. They’re chunks of data you’ll find in the source here:
view-source:https://guccifer2.files.wordpress.com/2016/06/1.doc
E.g. for the “Russian” Theme:
- Open the above in the browser
- Search for “*\themedata”
- Copy hex to a txt file, say russianfile.txt
- Convert to hex to binary (on Linux:):
-
xxd -r -p russianfile.txt >> russianfile.bin
-
- Then either
- view in a hex viewer, or
- In the case of the Russian theme, it’s XML so copy to a .zip extension and unzip then it’s in plain text
For blips search for “blipuid”, for datastore, err, “datastore”
m086fbd7faaelzm7k3fcqkvbwjppg6e3vtk
LikeLike
j2mphpflhocsndolmhhqsyxpyxr3ik9ezcg25
LikeLike
s5ioklihkkfoq9rhpdkmvu0l1tuzlgca28jy8
LikeLike
kwuubx9tbw60hlitgpbym6rxs5lbcsak81yq
LikeLike
j9eoohmdogjku5vdt9oizq4h5pyvpcn4llba
LikeLike
yakypnnjpmkqvbwjufpo0w5n6vz1qioemvck
LikeLike
zqe85h3d5g0kb5cda95igqlhmpfv6c482pse
LikeLike
x1mogpelgobsmdnllhgqrywpxxq3hkgddu3j
LikeLike
udzgs2qys1n5yqzyxus33b829a2gtxsqp7fw
LikeLike
mfexuhsdugpk051dz9ui5qahbp4vvcm3q87yw
LikeLike
yjg3yjwfyitm475f3byk9sejfr8xzeq6h4yun
LikeLike
r4nsjqhmjpetpeqmoijruzzq0yt4klbe5im8b
LikeLike
tcr7rupqrtmxxiyqwmrv237u8218spjidmucj
LikeLike
pbzeq2oyq1l5wqxyvuq31b627a0grxiqcutki
LikeLike
oxrscuaqct7xiijqhmcvn3sut2m8dp6p3hk79
LikeLike
ia9kpcn8pbkfv0w8u4pd0l5c6kzqq7j7gzxpm
LikeLike
p9fpoimeohjlu6vetaojzr4i5qywpdl6j80yp
LikeLike
kjzmy2wyy1t54q5y3uy39be2fa8gzxvqtsaiz
LikeLike
zivhjteemadpdyxe4iqozyy8gw920j4nlda
LikeLike