Malware Analysis of Kimsuky's Attacks - docx
Latest Research|January 14, 2025
DOCX is a common document format on Windows. The malicious DOCX sample first downloads a malicious DOTM template through the document's external URL, then executes an exported function of a DLL that in turn downloads the core DLL used to send collected information back to the attacker. The whole flow is shown below:
The ZIP archive embeds a document named ì¬ë´ ê¸ìµì 무 ìì¸ë´ì.docx. When the document is opened, the following is displayed to the user while the external URL http://ms-work.com-info.store/dms/0203.dotm downloads the DOTM file in the background.
When the download succeeds, the DOTM template document runs and its macro starts automatically. The macro then extracts and decrypts embedded data into a DLL file in the document's current directory and finally calls an exported function of that DLL.
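The remote-template step above can be detected statically without opening the document in Word. As an added example (not code from the original analysis), the following Python script treats a DOCX as the ZIP package it is, parses every `.rels` part and reports relationships whose `TargetMode` is `External` and whose target is a remote URL; the `attachedTemplate` relationship type is the channel Word uses to fetch a template when the document opens. The document it scans is constructed in memory here, using the URL listed in the IoC section; the relationship-type URIs are the standard OOXML ones and the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type Word uses for
# a template attached to a document (the "remote template" channel).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
# Hyperlinks are external by design; flagging them would only add noise.
HYPERLINK = OFFICE_REL + "/hyperlink"
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def find_external_relationships(docx_bytes):
    """Return every non-hyperlink relationship that points to a remote target.

    Each hit records the .rels part, the short relationship type, the target,
    and whether it is the attached-template channel described in the analysis.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # a malformed part cannot trigger a network fetch
            for rel in root.iter("{%s}Relationship" % REL_NS):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or rel_type == HYPERLINK:
                    continue
                if not target.lower().startswith(REMOTE_SCHEMES):
                    continue
                hits.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "remote_template": rel_type == ATTACHED_TEMPLATE,
                })
    return hits


def is_remote_template_docx(docx_bytes):
    """True when opening the package would pull a template from the network."""
    return any(h["remote_template"] for h in find_external_relationships(docx_bytes))


def build_sample_docx(template_url=None):
    """Build a minimal DOCX in memory (a constructed sample, not the real lure).

    With template_url set, word/_rels/settings.xml.rels carries an external
    attachedTemplate relationship, the layout the analysed sample relies on.
    """
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    rels = ['<Relationships xmlns="%s">' % REL_NS,
            '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>' % OFFICE_REL]
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">' % (w_ns, OFFICE_REL)
    if template_url:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_url))
        settings += '<w:attachedTemplate r:id="rId2"/>'
    settings += "</w:settings>"
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body/></w:document>' % w_ns)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure pointing at the URL from the IoC section of this analysis.
    lure = build_sample_docx("http://ms-work.com-info.store/dms/0203.dotm")
    for hit in find_external_relationships(lure):
        print(hit)
    print("remote template:", is_remote_template_docx(lure))
    print("benign document:", is_remote_template_docx(build_sample_docx()))
```

Because the check keys on `TargetMode="External"` rather than on a specific part name, it also surfaces external `oleObject` or `frame` links that use the same package mechanism; those appear with `remote_template` set to False so a triage rule can treat them separately from the template channel the sample uses.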
Decrypting relevant malicious PE …
IoC
http://ms-work.com-info.store/dms/0203.dotm