Malware Analysis

by Anurag


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808
Download link – VirusTotal

I downloaded this Word document and checked whether a macro is present and whether it auto-executes on opening the document. Yes, it does, and it has obfuscated strings too. I opened the document and navigated to Views > Macros > View Macros > selected “autoopen” > Edit. I renamed autoopen() to …



SHA256: 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29

I downloaded a Word document for analysis from VirusTotal. I checked the file with Oletools to verify that a macro exists and whether it is auto-executable. In the screenshot below, it can be seen that the macro is present and auto-executable. I opened the Word document and enabled editing. Views > Macros > View Macros > Select …



I downloaded a JS trojan downloader from VirusSign to analyze the behavior of this malware. It was a zip file, INC_0987155124US_Apr_19_2019.zip, and after extracting it, I got a .js file. On opening the JS file in Notepad, I saw a base64 obfuscated string. After obfuscation of the JS script, I found this file has multiple sources/URLs to download

SHA256 - d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86 …
