Ricardo Filho
4 min readApr 18, 2023

The file presented in this brief analysis was detected during a recent phishing campaign across Europe. On this occasion, the email contained a .zip file, which in turn contained a .doc file. The attack utilized the ZIP bombing technique, which involves compressing an excessively large .doc file into a significantly smaller archive file.

The archive was opened in a secure environment for malware analysis, and it was immediately noted that the .doc file contained within was unusually large, exceeding 520 MB. Further examination of the file revealed a large “NULL” section at the end, which is a common tactic used by attackers to evade sandbox analysis. Many EDRs include sandbox analysis in their protection measures, but most cannot analyze files larger than 500 MB.

The large size of a Microsoft Office file can sometimes signal the existence of potentially malicious “macros”. Macros are automation tools based on code that can be embedded in any Microsoft Office file, and attackers often use them to deliver their malicious code to unsuspecting victims’ machines.

The analysis showed that the document contains macros.

When opening the document with Microsoft Word, the user gets prompted to “Enable Content”.

In order to perform the file analysis, code execution was enabled. Immediately, the system started to download a DLL file.

At the conclusion of the malware behavior analysis, multiple IOCs were generated and can be found listed at the end of this article for reference.

The malware wrote a DLL on the system without requiring any additional action from the user. It ensured persistence on the victim’s host by modifying the “Autostart” MS Office registry key.

The following URL was used to download the malicious DLL:

hxxp[://]ly[.]bi3x[.]org/magazini/pWKy5V5/?213950&c=1

During this stage, the malware attempted to connect with various domains until the malicious DLL was successfully downloaded.

After completing the initial phase, the malware proceeds to the second stage, which involves running an instance of “regsvr32” and establishing contact with a Command-and-Control (C2) server at 91[.]121[.]146[.]47.

The C2 server issues instructions to the malware on the infected machine to gather system and network information, which is then transmitted back to the server. During this process, the malware creates two temporary files to store the collected data.

C:\Users\USER\AppData\Local\Temp\213950.tmp

C:\Windows\system32\FDYgTjrgYvBPlSA\GgmKPTkkZOb.dll

The malware was observed contacting multiple C2 servers within a short period of time after becoming infected. It is presumed that the malware shared the system and network information that it had previously collected with these servers. Despite killing the process, the system persisted in establishing connections with those servers. Furthermore, it started connecting to several IP addresses on 8080 TCP port. The C2 servers are associated with a Emotet variant in the cybersecurity community.

Emotet has gained notoriety as one of the most sophisticated and lucrative malware strains affecting users worldwide in recent times. Its ability to download and install additional malware on compromised machines has elevated it to a significant threat for both individuals and organizations.

The most effective response to this kind of attack is not to open the attachment. User training and awareness play an important role here. This analysis has made it evident that the simple action the malware requested from the user was to open the file and enable the embedded code’s execution. After the user enabled its execution, the malware operated entirely in the background, undetected by the user.

For comprehensive protection against these events, it’s recommended to deploy an EDR (endpoint detection and response) solution on each device.

MITRE ATT&CK

Indicators Of Compromise

File Name: ZIP file

Size: 699 KB

SHA-256: e3022f6351f14f918391ca9384925318fc863eea17044ac0904cfbc689e0616c

File Name: 08032023.doc

Size: 538 MB

SHA-256: eaf050eabdfffde46a85a1651438dbbae8a3e048090c80f231efddef019895a0

File Name: GgmKPTkkZOb.dll

Size: 527 MB

SHA-256: a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

hxxp[://]ly[.]bi3x[.]org/magazini/pWKy5V5/?213950&c=1

hxxps[://]aniart[.]com[.]ua/magazini/pWKy5V5/?213950&c=1

hxxps[://]www[.]aniart[.]com[.]ua/magazini/pWKy5V5/?213950&c=1

hxxps[://]moiki[.]online/speedsale/XJdpbjT/?213956&c=1

hxxps[://]ns1[.]koleso[.]tc/b512c9bf0b/RnLGmaMVRRbyeY3nZb/?213956&c=1

164.68.99.3:8080

164.90.222.65:443

186.194.240.217:443

1.234.2.232:8080

103.75.201.2:443

187.63.160.88:80

147.139.166.154:8080

91.207.28.33:8080

5.135.159.50:443

153.92.5.27:8080

213.239.212.5:443

103.43.75.120:443

159.65.88.10:8080

167.172.253.162:8080

153.126.146.25:7080

119.59.103.152:8080

107.170.39.149:8080

183.111.227.137:8080

159.89.202.34:443

110.232.117.186:8080

129.232.188.93:443

172.105.226.75:8080

197.242.150.244:8080

188.44.20.25:443

66.228.32.31:7080

91.121.146.47:8080

202.129.205.3:8080

45.176.232.124:443

160.16.142.56:8080

94.23.45.86:4143

95.217.221.146:8080

72.15.201.15:8080

167.172.199.165:8080

115.68.227.76:8080

139.59.126.41:443

185.4.135.165:8080

79.137.35.198:8080

206.189.28.199:8080

163.44.196.120:8080

201.94.166.162:443

104.168.155.143:8080

173.212.193.249:8080

45.235.8.30:8080

169.57.156.166:8080

149.56.131.28:8080

182.162.143.56:443

103.132.242.26:8080

82.223.21.224:8080

Ricardo Filho

Opinions, typos, and bad grammar do not represent my employer