[Notes] New Malicious InPage document

Last few days, i’ve been tweaking several of my crappy codes. One of the codes were actually crawling and finding malicious .inp files.

One interesting file that caught my eye is the following file since the URL is still alive.

It didn’t take more than 5mins and we can find the embedded executable within it.

I’ve attached the file in case anyone else didn’t get to download it in time.
The password to the zip file is infected29A

Being the curious me….i’ve done my n00b dilligence checks on VT

It seems like there is another interesting link.

So i immediately downloaded it

Another quick peek and we can see that this is an RTF exploit file and also containing an embedded executable.

The password to the zip file is infected29A

Maybe these will be interesting to someone out there.

Have Phun
Jacob Soo

[Notes] Possibly PowerRatankba Chm file

I was bored and found this file with an interesting filename, “22 European Nations Form New .chm”

sha256 : ebec8440590cdea8433079cf2b3f3259694035a9ab80a163f1f0ffcf606939dc
ITW Filename : 22 European Nations Form New .chm

A quick look at the file, it’s actually a zip file with another file within it, “mynakedpic.chm”
That filename, reminded me of this sticker i got from a conference years ago.

sha256 : c9b26ffb11ba2952afaa3e6a96a7089820366eaaa901240f60b8ca6ccd78beef
ITW Filename : mynakedpic.chm

Within this chm file, we can find this interesting html file within it.

We can see the contents here.

Alright, it’s slightly obfuscated, we can clean this up.

We can see that it’s downloading the 2nd stage from “hxxp://png[.]realtimenews[.]tk/fssct.jpg”
The hash of “fssct.png” is 61fa14c91f3014baa8ab09056633d1f9311184564ed49e30aba5203ea3071f25
The contents of that file is here: https://ghostbin.com/paste/t79kd

For those who are too lazy to decode it,i have decoded it for you and put it up on https://ghostbin.com/paste/cdkjf
As you can see that it’s downloading from “hxxp://png[.]realtimenews[.]tk/fs.png”
The hash of “fs.png” is “e95cb15d040e95fef37d8c2cec2ccca5914a116784c4d45ebfb94775fcb9a522”

I have extracted the payload and the hash of the payload is as follows.
SHA256 : fb18b8cc28da930ac06cd7494a4e5f69b91da6669586408293ac842dded8d557

Within the payload, we can find the following Javascript

From the Javascript, we can find 1 associated BTC account address, https://blockchain.info/address/1NEGq56fJ1kVXLAo1HY5XBcU3p4y2yxPh4
We can also see that it’s downloading another Json from “hxxp://news[.]realnewstime[.]xyz/news/us”
The hash of the json file is “210dcb3a084179f7489a43000c04082b7d2c8606c077d44a9d912dbc530d542e”

As i’m used to seeing Base64 encoded strings, immediately i knew that is a Base64 encoded zip file.

The hash of the zip is “8cd64f36a12332d2c257713aeb463a44aec924addb19d98dd8b8d1d1be22927b”

Within this zip file, there is another malicious chm file.
sha256 : 413ec374a29f8595e2c90d1549968e3d71db0132b5bfa89b4bb301b132216435
ITW Filename : Wood Group in deal to take over Amec Foster Wheeler – News.chm

After analysing the Javascript within the new chm file, it’s the same as the first one which we found.
The payload will require another writeup on it.

We can find other similar samples that are using the same “Load_HTML_CHM0.html”

Have Phun
Jacob Soo

[Notes] Possibly GoblinPanda

The sample uses CVE-2017-8570 for the exploit, the execution of the payload is through OLE packager.dll and dropped SCT file

sha256 : 95c2131e5ae4460c025aef3338cb73ccb4c66be0f9a2879567844f071079bc29
ITW Filename : biên bản.doc (Google Translate to Report.doc)
Exploit Used : CVE-2017-8570, execution of payload is through OLE packager.dll and dropped SCT file

Based on the document, it seems to be targeting Govt.

Let’s take a look closer at the file and we can see 2 embedded OLE objects.

Based on the screenshots, we can see that it’s using CVE-2017-8570 to drop the SCT file to %TMP%\JWL5OS324D0G11N.sct

Now let’s extract out JWL5OS324D0G11N.sct

Ok, let’s deobfuscate it and we should get back something slightly more cleaner to look at.

In order to make it easier for everyone to see what is the Javascript doing, you can take a look at the integer array that it generated here:

After the integer array is generated, it’s used to form back vmhelpAssist.exe
The hash of vmhelpAssist.exe is 0dadbd211766aa2d5e3c16fb3baca05af04205ccda8f48fabffdc8a29727b49c

If we were to spend time looking at vmhelpAssist.exe, we can find out that it’s dropping 3 other files.

%APPDATA%\Microsoft\Windows\Start Menu\firefox.lnk –> 0387de24c56f7c8cb95586eba5992ce7b53818c31aa56cae8a98cd6987314f39
%APPDATA%\Microsoft\Windows\Templates\ScnCfg.exe –> 77361b1ca09d6857d68cea052a0bb857e03d776d3e1943897315a80a19f20fc2
%APPDATA%\Microsoft\Windows\Templates\vsodscpl.dll –> fd9b2fd96d3327db0fee12e8221351e4ea7a86dd5ff4571b95bfdf2c85fb79c3

Looking deeper at firefox.lnk, we can see that it will execute ScnCfg.exe
If you are familiar with ScnCfg.exe, it’s actually McAfee VirusScan
In this case, it’s using DLL Side-Loading, vsodscpl.dll is the malicious file.

The malware will beacon to “tintuc[.]vietbaotinmoi[.]com”

Indicators of Compromise (IOCs)

biên bản.doc –> 95c2131e5ae4460c025aef3338cb73ccb4c66be0f9a2879567844f071079bc29
JWL5OS324D0G11N.sct –> ad72a65c19e44b86b250aa5350c76ae6d8718e4c803fb48db765466291c8d3b3
vmhelpAssist.exe –> 0dadbd211766aa2d5e3c16fb3baca05af04205ccda8f48fabffdc8a29727b49c
firefox.lnk –> 0387de24c56f7c8cb95586eba5992ce7b53818c31aa56cae8a98cd6987314f39
ScnCfg.exe –> 77361b1ca09d6857d68cea052a0bb857e03d776d3e1943897315a80a19f20fc2 (This is a Legit and Clean file)
vsodscpl.dll –> fd9b2fd96d3327db0fee12e8221351e4ea7a86dd5ff4571b95bfdf2c85fb79c3

C&C servers

[ Sharing ] Analysing macOS samples with “Added Features”

It’s being a while since i’ve last written anything at all.
Today i’ll go through quickly an interesting mac OSX signed sample that collected user’s privacy information and uploaded to a third-party server.
Surprisingly no AV flagged this.

The collected information are shown below:
QQ, Weixin, Mobile, Email, AppList, CPU, RAM, Mac Address, Public IP, Private IP, etc

[ Sample used in the analysis ]
MD5: faed65cdfac39d61ebd1079c50e80471
SHA256: 292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2

[ Part 1 : Getting Started ]
For those who want to follow along.
Please do take note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A292bc285e35af31e0d3607c820fd60cb18ebbbc88ba1914d4af4b322af1d9ec2

As this is a Mac App, let’s take a look at the Mach-O inside it.
One thing to take note is that Mach-O binary has a series of headers that are used to perform certain operations when a binary is loaded.
On particular thing which i’m usually interested in is “LC_LOAD_DYLIB”
“LC_LOAD_DYLIB” header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time.

2 interesting things can be found in this Mach-O as shown below.

The image shows that the Mach-O loads two dynamic library files libcJFishPoolHook.dylib and libXMindHook.dylib
Let’s load libcJFishPoolHook.dylib to IDA Pro or Hopper.
Immediately after the Mach-O is loaded in IDA Pro , we can see this.

This confirm that this particular application is trying to get the following information from the unspecting user.
QQ, Weixin, phone number, email, OS, CPU type, RAM, MAC address, Public/Private IP address, user name, application list, device ID, Information, etc

If we were to look deeper, we can see that the application will upload all these information to “http://dataapi.makeding.com:27169/index.php/DataApi/data”

For those who have done forensics on QQ before, We can also see that in “getContact”, this application is trying to steal users’ contacts in QQ by accessing the data at
“/Library/Containers/com.tencent.qq/Data/Library/Application Support/QQ/”

Another thing we can find while auditing the binary, we can see that all the data which are being exfiltrated are AES encrypted and the password is “iMdpgSr642Ck:7!@” without the double quotes as shown below.

From how i see this from a static analysis point of view, the person behind this probably took legit apps and added “Extra Features” to it.
But why is it sending data back to “makeding[.]com”

So who signed this and who is this developer?

Based on the name of the developer’s name, i’ve found more apps that this developer have “pushed” out other apps with “Extra Features”
The following are the hashes by this Developer.


It’s almost 3am here. I’ll just end this abruptly and let you all have phun analysing this.

Have Phun
Jacob Soo

[ Sharing ] Analysing simple tricks used in malicious documents

Today i’ll go through with everyone on how to analyse some of the simple tricks used in malicious documents.

The first example that we will go through is a ppsx file using CVE-2017-0199 with “PPSX Script Moniker” bug
SHA256 : d4b345ed6b83fe477f3b30a4f4d124284fb73c38ec918d71284f6abf48982c23
ITW filename : 0Baptist U China1.ppsx
First Submission : 2017-08-10 16:44:45
Last Submission : 2017-08-10 16:44:45


The sample is trying to execute the following scriptlet, script:hxxp://
So you might ask “But how do we normal users know that?”
So loading it up with Profiler, we select “ppt/slides/_rels/slide1.xml.rels” and we can see the following image.

So now let’s inspect the contents of jf93jf8yu98yretghw43k4i2i3i4.sct

Contents of jf93jf8yu98yretghw43k4i2i3i4.sct:

Ok now let’s decode the base64 encoded string and see what jf93jf8yu98yretghw43k4i2i3i4.sct is trying to execute in the PowerShell script.

Base64 Decoded String:

After decoding and decompressing, the string looks like the following:

Base64 decoded and decompressed String:

As we can see from the code snippet,it will send back data about the victims’ machine and send it back to hxxp://
After that it will fetch instructions from hxxp://

If we were to execute the following curl command:

We can see, it’s trying to run a “dir” command on the victims’ machine and send back the data.

Ok let’s move on to another sample.
The next example that we will go through is a chm file. I decided to go through CHM after i read a DeviceGuard UMCI bypass using CHM today, https://msitpros.com/?p=3909.
I won’t go through how the bypass works as the blog post is quite detailed enough. I’ll focus on an old example that was distributing PlugX.
There is a much comprehensive article on chm analysis https://tuts4you.com/download.php?view.2796
SHA256 : 7f4062a38dc5d40eec0ddfd8be6e60c01567f70dfa6ec065cb8ddf996251f369
ITW filename : My Document22s.chm
First Submission : 2017-08-10 07:59:50
Last Submission : 2017-08-10 07:59:50


Ok, let’s load it with Profiler and do some basics DFIR.

As we can see that the DWORD at offset 0x0014 is 0x000804
With reference to
http://chmspec.nongnu.org/latest/, this ID
is the user language ID (from GetUserDefaultLCID) of the
Operating System at the time of compilation.
This means that the default language is Chinese Simplified (Windows Language ID).

If we look at the DWORD at offset 0x0010, it’s 0x4020AE9E
We now know the human readable timse stamp is GMT: Wednesday, February 4, 2004 8:34:38 AM
A timestamp. With reference to http://chmspec.nongnu.org/latest/, this is
derived from GetFileTime() function and is the value of the
dwLowDateTime member of the last write time parameter.

Ok now let’s unzip the chm file as chm is sort of like a zip container.
So let’s load unzipped folder with Profiler again and we can see the following image.

We can see that there are 3 html files. But the first one that is shown to victims is main.html and we can find this interesting code snippet.

As this is fairly trivial to deobfuscate, i won’t go through it but you can use http://dean.edwards.name/unpacker/ to deobfuscate it easily.
We should get back the following code snippet.

Hmmm…the Javascript still look messy. Ok now we can either decode it again or use http://jsnice.org/.
We should get back the following:

A quick glance and we can see that it’s trying to execute the codes in 1.htm.
So let’s move over and take a look at 1.htm

As we can see from the code snippet below, that it’s trying to decode base64decode the base64 encoded string and execute it.
We can also see that it’s trying to base64 decode “bin.base64” but we can’t find it here. Let’s get back to this later. We can also see the dropped payload is named as “MsMpEng.exe” ^^

After base64 decoding, we get back the following. It seems like it is trying to execute xml.htm. Ok, let’s look at that now.

Checking out xml.htm, we can spot “bin.base64” which we found in 1.htm. So what is the base64 encoded blog.

Once we base64 decode it, we get back the payload as shown here.

The dropped payload is actually PlugX and there are many articles on it so i won’t go into the details of it as well.
You can read up on PlugX here:

The details of the dropped payload is as follows.
SHA256 : 6a60e950f06a3d9b0eaac81d69a3a6da9e04eff5db9f094ad0a06f7bc983092d
ITW filename : MsMpEng.exe
First Submission : 2014-06-13 07:14:21
Last Submission : 2015-03-12 10:00:17

Ok let’s move on to another sample.
The next example that we will go through is a docx file using CVE-2017-0199
SHA256 : db20e146714121fa02d24a7de2ee0132052e0202856396c95e191453badf7239
ITW filename : Payment_Advice.docx
First Submission : 2014-06-13 06:18:04
Last Submission : 2017-07-04 09:44:54


So let’s load this file with Profiler again and we can see the following image.

As we can see here:

There is an externally linked OLE Object located at, hxxps://a[.]pomf[.]cat/xhiuyr[.]doc

So let’s download this file.
SHA256 : 659CD31DAB50248F741C822C2641B65B5314DB043BFADDE32CD9051AF3FC5FE4
ITW filename : xhiuyr[.]doc

Ok, so this file is not uploaded to VirusTotal yet.
Never mind, let’s load it with Profiler again. We can see that it’s trying to download and execute the binary from hxxps://a[.]pomf[.]cat/kzwhhg[.]exe

Let’s go through another docx file using CVE-2017-0199
SHA256 : f0f6a33e779ebc2ee9553cf413fc93d4236aefb970fd4a4435b45957f0799d9a
ITW filename : BL_INV#086395_PL.docx
First Submission : 2017-08-09 10:50:30
Last Submission : 2017-08-09 10:50:30


So let’s load this file with Profiler again and we can see the following image.

As we can see here:

There is an externally linked OLE Object located at, hxxp://uploads[.]shanatan[.]moe/yytvit[.]doc

So let’s download that as well.
SHA256 : 98ccf03a2fea4984ffe71acd2326e1f7533db78e4f487149daf08ea0935c1534
ITW filename : yytvit.doc
First Submission : 2017-08-03 12:46:47
Last Submission : 2017-08-09 03:11:53

Again, we can load it with Profiler and we can see that this is another CVE-2017-0199 file.

This time round, it’s downloading from hxxps://i[.]memenet[.]org/wfedgl[.]hta
Using curl command, we can see that the wfedgl[.]hta contains a JavaScript.

Now let’s do url decoding of the string and we should get back this.
So it’s trying to execute PowerShell and download the malicious binary from hxxp://uploads[.]shanatan[.]moe/wzglvz[.]exe

The next example that we will go through is a rtf CVE-2017-0199 exploit.
SHA256 : 5e226dbb90541a61203eeb4baef01326aa67a7e9461d1efec0d786c39781aeb7
ITW filename : CN-17069 REQUIRED.doc
First Submission : 2017-08-14 02:47:32
Last Submission : 2017-08-14 05:36:46


Loading up on Profiler, we can see that the sample contained an OLE object as shown here:

However, we can’t find any urls like any other “CVE-2017-0199” samples. Now let’s open it with Notepad++ and check out the RTF file.

Immediately one interesting thing that caught my eye is this string here: {\*\b 0{\*\pxe b}
If we read the specifications on http://www.biblioscape.com/rtf15_spec.htm,

\b turns on bold, whereas \b0 turns off bold.

So let’s just remove {\*\b 0{\*\pxe b} and load it with Profiler again and see whether it helps.
This time round we can see a url, “HtTP:\\193[.]29[.]187[.]49\qb.doc” as shown below.

So now let’s download the other “doc” file.

Inspecting qb.doc with notepad++ and we found this interesting code snippet

It’s not difficult to understand that piece of code snippet:

We can see that it’s downloading from tartakpiotrkow[.]com/.cache/en/emma.exe. So let’s download that.

The downloaded emma.exe is actually LokiBot. There is a detailed paper on LokiBot which you can read it up here:

The hashes of the 2 files are as follows:
Filename : qb.doc
SHA256 : 31a5b4331429bd6e406c5fb00e814ddafd69b73c71f63c64559e1ee5a1260b94
Filename : emma.exe
SHA256 : ba5271c01380cc148b608a1d0cbed39ef2882bcbf304029ea96d672ff223f73e

The next example that we will go through is a pptx file using mouseover feature of PowerPoint.
SHA256 : b26da51a70618b68a479e21bce499c20d4b280d7c79aa6b054da82c747ccfba1
ITW filename : sample.pptx
First Submission : 2017-08-07 11:05:38
Last Submission : 2017-08-07 11:05:38


Loading up on Profiler, we can see that the sample is trying to abuse the mouseover feature of PowerPoint to launch commands.
This is basically done by using the ppaction:// protocol to launch a commands.

We can see the following codes in “ppt/slides/_rels/slide1.xml.rels”

As we can see here, it’s trying to download from hxxp://youthservicesballarat[.]com[.]au/images/kubrickhead[.]jpg and using msiexec to execute it.

SHA256 : fabcee5f4bab02700375db8a6b1e6a04372f19a4af98d2652ddcc15915374e02
ITW filename : kubrickhead.jpg
First Submission : 2017-08-07 04:30:43
Last Submission : 2017-08-07 04:30:43

If we were to inspect it with Profiler again, we can see that this is really not a jpg file but an MSI installer.

However, we can see that within the msi file, there is a .NET malware.
I shall leave the reversing of the malware as an exercise for the readers.

Thanks & Regards
Jacob Soo

[ Fake DnB documents malspam delivers Trickbot banking Trojan ]

I happened to chance upon this alert from Singapore Commercial Credit Bureau as shown in the image below.

I got interested in this since it’s a Singapore company giving this alert. I started looking at the samples from VirusTotal and found this interesting email.
An email with the subject of “FW: Case DNB928929” pretending to come from “Dun & BradStreet” but actually coming from a look-a-like domain “” with either a malicious zip attachment containing a .doc file or a .doc attachment delivering Trickbot banking Trojan.

As the malware authors are using email addresses that is similar to the real “Dun & BradStreet” and subjects that will scare or entice a user to read the email and open the attachment.

The email looks like:

The hash of the malicious doc is: 79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b

If we were to analyse the malicious doc, we can see the following VBA within it.

For simplicity sake, i’ve made a simpler version to show the decoded string here: https://dotnetfiddle.net/31w0YF
As we can see from the code snippet below, the VBA in the malicious doc will download the payload from “http://calendarortodox[.]ro/serstalkerskysbox.png

That “serstalkerskysbox.png” is actually Trickbot
The hash of that Trickbot is 3e225d16e486fae7df684d73c6e4531fbaf203b898ea899623cf5150a0f13652

As hasherezade already made an awesome video on unpacking Trickbot. Users can just watch the youtube video and learn from it.

As a gentle reminder to all users.
PLEASE be very CAREFUL with email attachments. All of these emails usually use Social Engineering tricks to persuade you to open the malicious attachments that comes attached with the email.

Have Phun
Jacob Soo

[ TECHNICAL TEARDOWN: DBS MalSpam Attack – Bank Fund Transfer ]

Previously, we have written about MalSpam attack in Japan.

Recently, we have found several emails that are being sent out targeting DBS users.

[ Sample used in the analysis ]
MD5: 0a7150f13a5ad4e496992374082232f8
SHA256: d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Sample: DBS.Malspam

[ Part 1 : Getting Started ]
For those who want to follow along.
Please do take note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Opening up the .eml file with VisualStudio Code, we can see that the email contain a malicious DOC file (271-20170627-55147_109.doc).

We can also see the contents of that email.
Dear Customer,

This attached Advice is sent to you for information only.

This is an automatically generated notification.

Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.

Yours Sincerely,
DBS Bank Ltd


However, we are more interested in the malicious DOC file. Let’s Base64code decode that back into a DOC file. After decoding that back to a file, we can see that this malicious DOC file contains VBA as shown in the image below.

As the VBA is quite short, we can extract out the decryption method and make use of dotnetfiddle to have a quick decryption of the strings. I’ve made a simple fiddle to show the deobfuscated strings here:

As you can see here, the VBA will attempt to download the payload from

The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.

So let’s load it up in OllyDbg and set a “BreakPoint” on “WriteProcessMemory
Now let’s do right-click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.

Now you can step through it and eventually you will reach to this point as shown in the image below.

Now right-click on “Buffer” and click on “Follow in Dump” and you can use HxD or Profiler to carve out the dropped payload.

Now dump out the dropped payload.
We can see that it’s yet another Obfuscated .NET malware.

We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.

As i don’t want to bore everyone. A quick look at the decoded strings, the malware is most likely AgentTesla.

The stolen credentials are sent back via email to:
username: tou013@efx.net.nz
password: etou01315

Here is the decoded strings

Thanks & Regards
Jacob Soo

Emails containing malicious Doc

Malicious Doc

Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated TeslaAgent – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated TeslaAgent – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE

[ n00b Post ] How to check if you have the MS-017-010 Windows Security Update installed

There are so many blogs out there that encourage users to update their Windows OS in particular MS17-010 to protect them from falling victims to WannaCrypt.

But as a normal home user, how do they know whether their machine already have the latest security update and protected from this?

I’ll write in details on how normal home users can check whether they systems are updated or not.

  1. The number in the security update file is usually tied up with the KB (Knowledge Base) number. We can find the official Security Bulletin here: “Microsoft Security Bulletin MS17-010 – Criticalhttps://technet.microsoft.com/library/security/MS17-010 

    Figure 1:
     Screenshot of KB numbers

  2. The numbers in the brackets are the KB numbers. Now that we know the security update file that we should install.  Let’s check for the security updates that we have installed on our Windows machines.  We can use one of the built-in tool by Microsoft to do just that.
    Figure 2:  systeminfo command

    Once we do that, you should see something like the image below:

    Figure 3: Screenshot of returned output from systeminfo

  3. As you can see, my VM didn’t have the latest Security Update.  Windows 7 require “4012212” or “4012215” depending your Windows 7 version.
  4. By clicking on the earlier mentioned link, https://technet.microsoft.com/library/security/MS17-010We can click on the relevant Security Update file that we should install.
  5. In my case, the link that I should click on is : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012212I should see the following image:

    Figure 4: Downloading of Security Update file

I hope this is a simple to understand guide for home users.
I promised that i would write technical blog posts again. 😀

Best Regards
Jacob Soo

[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, i saw this “Old Technique” being used again. But i wasn’t interested with it until today when i saw that it’s trying to spoof as Inland Revenue Authority of Singapore (IRAS)

So what is this “Old Technique” that i’m talking about.  It’s basically using the good old “Word 2003 XML Document” trick.  But i’ll walk you through the entire process

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the email file 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker seems to be  sending this spoofed email as  if they are from IRAS and we can find out several things from the email headers


  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<tax_no_reply-no@iras.gov.sg>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse it properly, we know that the attacker probably sent this from this IP address :

Received: from 62-210-139-92.rev.poneytelecom.eu
(62-210-139-92.rev.poneytelecom.eu [])

Based on the above image, we can see the contents of that email message that it’s trying to do social engineering on the victims and asking the victims to open the “doc” file



[ Part 2 : Email attachment ]

Now let’s try to look at the attachment and we can see this.  No worries, let’s Base64 decode it.

What is interesting after Base64 decoding it, i don’t see a .doc file.  Rather, what we could see is an XML file as shown here.


When you open a Microsoft Office Word 2010 XML document, Microsoft Office Word 2007 XML document, or a Microsoft Office Word 2003 XML document, your Microsoft Internet Explorer will not display the document by using the default Internet Explorer. Instead, if you had Microsoft Office installed.  Microsoft Word will open the XML document instead.  Why is this so?

Let’s take a look at the image above.  Starting from Word 2003, Word documents are built using XML in what Microsoft calls the WordprocessingML. Basically Windows will detect this XML (because of the mso-application declaration) and will launch Word if you double-click it.  Microsoft got a good Overview of WordProcessingML here.

But let’s inspect this XML file first.