Malware Analysis Report: Targeted Attack via a Word Document Against Sensitive Email Accounts of a Torrid Customer


The customer is a government-sector organization responsible for a number of sensitive tasks, which makes it an obvious and prime target for cyber attacks. Recently, several prominent email accounts belonging to the customer received a suspicious email carrying a Word attachment, sent from an already compromised account within the organization. Torrid was asked to analyse the Word document, determine the impact of the attack, trace its origin and provide a remedy.

The first step of the analysis showed that the Word document carries a malware payload and exploits an existing vulnerability in Microsoft Word. The malware executable was packed with NsPack and went undetected by a number of antivirus products. After thorough dynamic and static analysis, a detailed report was submitted to the customer to help them understand the impact of the attack, along with a remedy. Below is the detailed report, along with the malware payload and the decompiled binaries in C and assembly language.
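As an added illustration of that first triage step (finding an executable embedded in the document and recognising the packer), and not code from Torrid's report, the following Python script scans a document blob for an embedded PE image, reads its section table and flags the `.nsp0`/`.nsp1`/`.nsp2` section names that NsPack is known to assign (UPX's names are included for comparison). The sample "document" is constructed inline from the OLE2 magic bytes and a minimal hand-built PE header; it is not the attachment from the report, and the packer name table is an assumption of this example rather than a finding of the page.

```python
import struct

# Section names assigned by well-known packers (assumption of this example,
# not taken from the report). NsPack 3.x renames sections to .nsp0/.nsp1/.nsp2.
PACKER_SECTION_NAMES = {
    b".nsp0": "NsPack", b".nsp1": "NsPack", b".nsp2": "NsPack",
    b"UPX0": "UPX", b"UPX1": "UPX",
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container header


def find_embedded_pe(blob):
    """Yield offsets of every MZ header in blob whose e_lfanew points at 'PE\\0\\0'."""
    off = blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            pe = off + e_lfanew
            # Sanity-bound e_lfanew so random 'MZ' bytes in the document do not match.
            if 0 < e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                yield off
        off = blob.find(b"MZ", off + 1)


def section_names(blob, mz_off):
    """Return the section names of the PE image starting at mz_off."""
    pe = mz_off + struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    size_opt = struct.unpack_from("<H", blob, pe + 20)[0]
    # Section table follows the 4-byte signature, 20-byte COFF header and optional header.
    table = pe + 24 + size_opt
    names = []
    for i in range(num_sections):
        raw = blob[table + i * 40: table + i * 40 + 8]
        names.append(raw.rstrip(b"\0"))
    return names


def identify_packer(names):
    """Map a list of section names to a packer name, or None if nothing is recognised."""
    for name in names:
        if name in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[name]
    return None


def triage(blob):
    """List (offset, section names, packer) for every PE image embedded in blob."""
    return [(off, section_names(blob, off), identify_packer(section_names(blob, off)))
            for off in find_embedded_pe(blob)]


def build_fake_pe(sections):
    """Constructed sample: DOS stub + PE32 headers + section table, no code or data."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    size_opt = 0xE0                                    # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    table = b"".join(name.ljust(8, b"\0") + bytes(32) for name in sections)
    return bytes(dos) + coff + bytes(opt) + table


# Constructed sample document: OLE2 header, some padding, then an NsPack-style PE.
SAMPLE_DOC = OLE2_MAGIC + bytes(0x200) + build_fake_pe([b".nsp0", b".nsp1", b".nsp2"])


if __name__ == "__main__":
    for off, names, packer in triage(SAMPLE_DOC):
        print(f"embedded PE at 0x{off:x}: sections={names} packer={packer}")
```

On a real attachment the same scan is the quick confirmation that a binary rides inside the document; a clean `.doc` should yield no hits, and a hit whose sections carry packer names is the cue to unpack before static analysis, since the packed form is what the antivirus products missed.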

Note: The malware binaries have been compressed into an archive with the password "malware" (without quotes). Execute them ONLY in a virtual machine or on a lab PC; your machine will be compromised if you run the binary directly on it.