Analyzing sample 27ee7cedb421c1d749040a03cf9e0c02

For staying under the radar, this sample contained a variety of evasion techniques.

Analyze macro-less document

27ee7cedb421c1d749040a03cf9e0c02 is a Microsoft Word document. It abused the DDE feature of Microsoft Office to launch the next stage of the attack.

As you can see, DDE allows the document to download and execute a malicious binary located on a remote server without requiring a macro to be executed.

Retrieving full DDE command:

Analyze MSI file

Using Winrar/ 7-Zip for opening MSI file and extracting the binary file that packed within the MSI:

Quick check the extracted file by using PEStudio / ExeInfo PE:

Extracting and Analyzing AutoIT script

Using Exe2Aut to decompile the executable. The decompiled script is obfuscated:

Using AutoIT to create malware is not new, in Viet Nam this particular malware has been around since 2006. AutoIt can be used as keylogger, downloader, reconnaissance phase during an infection of the victim computer.

Back to our script, notice the de-obfuscate function:

One of the functions that contain a long obfuscated string:

Try to reuse the malware code to get the final payload:

The console output as the picture bellow (the first couple of bytes 4D 5A which are the ASCII string MZ –  the magic string in the beginning of PE file)

Analyzing the new payload

The payload that dumped by the above script is packed by UPX:

Use CFF Explorer for unpacking:

Quick analyze the unpacked payload

Monitoring the malware’s network activity:


By 4pt@0r_NoT

Tks to {REA-TEAM}

Written by 

Leave a Reply