Malware Analysis

Word Macro Malware Analysis


Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836 Sample Download Source: beta.virusbay.io File Type: Microsoft Word Document File Format: .doc VirusTotal Scrore: 32/62 Document Preview: File Property: cmd> olemeta.py <filename> Document Macro Analysis: cmd> olevba.py -a <filename> Document_Open macro executes on opening document. The first thing I was trying to access Macro. By default it was […]

Excel 4.0 macro Trojan Downloader – Malware Analysis


Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c Sample Download Link: beta.VirusBay.io Application Name: Microsoft Excel File Type: xls VirusTotal Score: 29/60 I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis. OLEVBA.py First thing I did analysis of VBA macro source code in excel file using […]

PDF malware analysis


Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0 Download sample link: Here File type: PDF VirusTotal score: 27/54   PDF Document Preview   PDFiD I have used PDFiD tool to analyse the header of pdf file. Observed file contains 24 URL’s. Next step is to extract URL’s from the document. I will use two tools here […]

Trojan Agent Tesla – Malware Analysis


Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Downloaded Sample Link: Click here Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information.   Browser Information: […]

Password stealer Trojan – Malware Analysis


Hi Visitor, I got this sample of malware shared on VirusBay. Sample below: SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad Signature: Microsoft Visual C# v7.0/ Basic .Net and its a Windows forms application. Upon execution, this file drops below two files at location C:\Users\<UserProfile>\AppData\Local\Temp\ Dropped files: C:\Users\<UserProfile>\AppData\Local\Temp\FB_2C02.tmp.exe C:\Users\<UserProfile>\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server) Upon execution of this file, […]

Trojan dropper bdf243b7a296f7aecc366c799e3fb865e 3aff7c72d8d942e2b2632a347fe5c3


SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3 I downloaded this sample from Malshare. I started decoding PE hex to text file and found that the PE file has embedded another file which will be dropped on execution. Filename: help.exe SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4 It also drops Autoexec.bat.exe file and Autoexec.exe files at C:\ location. (But it didn’t […]

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808 Download link – VirusTotal I downloaded this word document and checked whether macro present and it auto executes on opening document. Yes, it does and it has obfuscated strings too. I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > […]