Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: CRA Maldoc Analysis SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CRA Maldoc Analysis

I took a look at Guy's diary entry from yesterday. This malicious document contains macros that launch a PowerShell command.

Like it is often the case with such documents, the PowerShell command will download and execute an executable: MD5 e2d5d1bf5d69a942d99c8ea45fe28ac2.

The PowerShell command is encoded and stored in Form1 objects:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

479 Posts
ISC Handler
Feb 26th 2017

Sign Up for Free or Log In to start participating in the conversation!