Malware Analysis

by Anurag


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808. Download link – VirusTotal. I downloaded this Word document and checked whether a macro is present and whether it auto-executes on opening the document. Yes, it does, and it has obfuscated strings too. I opened the document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit. I renamed autoopen() to …



SHA256: 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29. I downloaded the Word document for analysis from VirusTotal. I checked the file with Oletools to verify that a macro exists and whether it is auto-executable. In the screenshot below, it can be seen that the macro is present and auto-executable. I opened the Word document and enabled editing. Views > Macros > View Macros > Select …



I came across this sample in a Twitter post and immediately downloaded it from virusbay.io for analysis. First I used oleTools to analyse the Word macro. The macro will execute on opening the file. It creates a text file. It executes a PowerShell command. It uses base64 to obfuscate the string. And it creates two bat …
