Malware Traffic Analysis 6

c42-MTA6-1022-UTC: What is the attachment file name?

c42-MTA6-1022-UTC: The attachment contains malware. When was the malware first submitted to virustotal?

Checking the Hash on Virustotal:


c42-MTA6-1022-UTC: The malware was communicating with multiple external servers. Provide the number of unique URLs contacted by the malware? (VirusTotal graph is your friend).


c42-MTA6-1022-UTC: Provide the FQDN contacted by the malware?

c42-MTA6-1422-UTC: What was the malicious document’s creation time? (one space between date and time).

Since Windows has no build-in file tool, we can check the signature online:

Seems to be a Word document.

2015-06-24 11:31:00

c42-MTA6-1422-UTC: Which stream contains the macro? (provide stream number).

How oledump works:


c42-MTA6-1422-UTC: What is the technique used to hide the actual VBA code? (two words with one space in between).

VBA Stomping

c42-MTA6-1422-UTC: What is the sha256 hash of the executable malware?

To dump and decompres the stream containing the macro:

python.exe "" -s 3 -v c42-MTA6-1422-UTC.extract.file.doc

Gonna go the easy way here and execute in a Sandbox. (vmonkey did not produce any good results)


c42-MTA6-1557-UTC: What is the full URL of the fake login page?


c42-MTA6-1839-UTC: How many domains are present in the JS file?

Obfuscated js:


Tool used to deobfuscate JavaScript:

c42-MTA6-1839-UTC: The JS code is checking for a specific HTTP response code. What is the response code being checked?


The victim received multiple emails and opened only one of them. Which one did he open? (provide the full eml file name).

What is the victim machine hostname?


What is the name of the exploit kit used to deliver the malware? (one word).


Which IP address served the exploit? []

What is the FQDN of the compromised website that redirected the victim to the attacker’s server hosting the Exploit Kit?