The customer is from the government sector and is responsible for carrying out a few sensitive tasks, which makes them an obvious and prime target for cyber attacks. Recently, a few prominent email accounts belonging to the customer received a suspicious email with a Word attachment sent from an already compromised account within the organization. Torrid was asked to analyse the Word document, determine the impact of the attack, trace its origin and provide a remedy.
During the analysis, the first finding was that the Word document carried a malware payload and exploited an existing vulnerability in Microsoft Word. The malware executable was packed using NsPack and went undetected by a number of antivirus products. After thorough dynamic and static analysis, a detailed report was submitted to the customer to help them understand the impact of the attack, along with the remedy for it. Below is the detailed report, along with the malware payload and the decompiled binaries in C and assembly language.
Note: The malware binaries have been compressed with the password “malware” (without quotes). Execute them ONLY in a virtual machine or on an isolated lab PC, as your machine will be compromised if you run the binary directly on it.