Malware Analysis

by Anurag


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808 Download link – VirusTotal I downloaded this word document and checked whether macro present and it auto executes on opening document. Yes, it does and it has obfuscated strings too. I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit I renamed autoopen() to …

Continue reading


SHA256 : 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29 I have downloaded word document for analysis from VirusTotal I checked file with Oletools to verify macro exist and is it auto executable. In below screenshot, it can be seen, the macro is present and auto executable. I opened word document and Enabled Editing. Views > Macros > View Macros > Select …

Continue reading


I came across this sample from one of Twitter post and immediately I downloaded this sample from virusbay.io  for analysis. First I used oleTools to analyse word macro. Macro will execute on opening file. It creates text file. It executes PowerShell command. it has base64 used to obfuscate the string. And it creates two bat …

Continue reading


I downloaded this sample for malware analysis and change the extension to .LNK which is Microsoft Shortcut. Right clicked on file and navigated to shortcut and found that there is target is PowerShell embedded Below is PowerShell script which will drop another PowerShell script from the URL. URL is http[:]// timebounder[.]ru and downloading PowerShell script …

Continue reading


I have downloaded this Microsoft shortcut malicious sample from Virustotal for analysis After downloading, I renamed as sample.lnk. (Microsoft shortcut extension .LNK) When I opened properties tab of this file, found below properties which clearly shows its now shortcut of any application but a PowerShell script which executed on opening. Target Type: Application Target: PowerShell …

Continue reading