SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808 Download link – VirusTotal I downloaded this word document and checked whether macro present and it auto executes on opening document. Yes, it does and it has obfuscated strings too. I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit I renamed autoopen() to… Read More Trojan downloader word macro
I have downloaded JS trojan downloader from VirusSign to analyze behavior of this malware. It was a zip file INC_0987155124US_Apr_19_2019.zip and after extracting it, I got .js file. On opening JS file in notepad, i saw base64 obfuscated string. After obfuscation JS script, I found, this file has multiple sources/ URL’s to download SHA256- d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86… Read More Trojan- JS downloader
I came across this sample from one of Twitter post and immediately I downloaded this sample from virusbay.io for analysis. First I used oleTools to analyse word macro. Macro will execute on opening file. It creates text file. It executes PowerShell command. it has base64 used to obfuscate the string. And it creates two bat… Read More Word Macro backdoor Trojan
I had emailed a recruiter last year for a job opportunity. He reverted back year later with attachment and it was encrypted and provided password. Unzipped and looked for the properties of word document. I analysed file using Oletools and the result showed it as a suspicious file. I found value (“1jwe7d7n1544”) in the Macro code… Read More Microsoft word document malware analysis
Malware Analysis 