Bubar Parlimen [Malware Analysis]
bubarparlimen.docx references an external attached template file, RemoteLoad.dotm, which contains a malicious VBA macro. The macro writes PE files, fetches an .exe and a .dll file, and executes them on the infected machine. It uses Base64 encoding and builds the encoded string piece by piece to avoid suspicion.

2. Case Details

File Name: bubarparlimen.docx
File Size: 214.91 KiB
File Type: Microsoft Office Word(15.0000)
MD5: afbe00e755a2cf963f0eedbb4e310198
SHA1: a55bd3f15ce743c9cda7bec05afe50b9aefa4683
SHA256: ab541df861c6045a17006969dac074a7d300c0a8edd0a5815c8b871b62ecdda7
Created Time: 15/5/2024 11:47:03 PM

File Name: RemoteLoad.dotm
File Size: 23.76 KiB
File Type: Microsoft Office Word(15.0000)
MD5: 8114e5e15d4086843cf33e3fca7c945b
SHA1: 5f7f0b1419448c5fe1a8051ac8cb2cf7b95a3ffa
SHA256: 145daf50aefb7beec32556fd011e10c9eaa71e356649edfce4404409c1e8fa30
Created Time: 15/5/2024 11:52:02 PM

3. Case Specific Requirements

Machine: Windows Environment
Tools: hashmyfiles, olevba, Microsoft Word, CyberChef

4. Static Analysis

4.1 bubarparlimen.docx

bubarparlimen.docx is a .docx file. To go further into the analysis, it is necessary to understand the structure of a .docx file. ...
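
A .docx is a ZIP package, and Word records an attached template as an attachedTemplate relationship in word/_rels/settings.xml.rels; when that relationship has TargetMode="External", the template is loaded from outside the document. The script below is an added example, not part of the original analysis: it lists every external relationship in a package and separates remote templates from ordinary hyperlinks. The sample package and both URLs are constructed placeholders, and the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile samples, defusedxml is the safer parser

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = DOC_REL + "attachedTemplate"


def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type"), rel.get("Target")))
    return found


def remote_templates(docx_bytes):
    """Targets of external attachedTemplate relationships; hyperlinks are ignored."""
    return [tgt for _, typ, tgt in external_relationships(docx_bytes)
            if typ == ATTACHED_TEMPLATE]


def build_sample():
    """Constructed package. Both URLs are placeholders, not indicators from this case."""
    def rels(rel_type, target):
        return ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (PKG_NS, rel_type, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels",
                     rels(DOC_REL + "hyperlink", "https://news.example.invalid/"))
        pkg.writestr("word/_rels/settings.xml.rels",
                     rels(ATTACHED_TEMPLATE,
                          "https://templates.example.invalid/RemoteLoad.dotm"))
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in external_relationships(build_sample()):
        print(part, rel_type.rsplit("/", 1)[-1], target)
    print("remote templates:", remote_templates(build_sample()))
```

To triage a real file, pass its bytes to remote_templates(); any returned target is where Word will fetch the template from when the document is opened.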