Analyzing an Iranian document [1st stage] as a practice

Hello all, I'm finally back after months, and I hope I won't leave this field again. Let's analyze the malicious document.

First: this is not a formal article, so I hope it will do. Suppose you've got an email with a document attached and we want to make sure it's not malicious. What's the first step? We will analyze it with the OfficeMalScanner tool, because I love it, or with any analysis tool you prefer. So let's start.

As you can see, we use the info parameter of OfficeMalScanner to extract the macro code if it exists. The BIN code at the end of the figure is what we open next, in Notepad++.

It's Visual Basic code; you can choose that language from the Language bar to make it readable. As you can see, it declares variables; we can skip that part to find the important part.

Here is the most important part of that code: as you can see, it's base64 encoded, and we can decode it with any online or offline tool you prefer. So the attacker uses that command: powershell....
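To do the decoding step offline, here is an added Python example (not from the post) that pulls base64 runs out of macro source such as OfficeMalScanner dumps and decodes them, trying UTF-16LE first because that is what PowerShell's -EncodedCommand expects. The VBA fragment and the blob inside it are constructed sample data, not the analyzed document's.

```python
import base64
import binascii
import re

# Constructed VBA fragment, modelled on a macro dumped by OfficeMalScanner;
# the blob is assumed sample data, not the one from the analyzed document.
SAMPLE_COMMAND = 'Write-Host "hello"'
SAMPLE_BLOB = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    '    cmd = "powershell -enc " & "' + SAMPLE_BLOB + '"\n'
    "End Sub\n"
)

# Runs of base64-alphabet characters long enough to be worth decoding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blob(blob):
    """Return (encoding, text) for a base64 run, or None if it is not readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # -EncodedCommand is UTF-16LE: for ASCII text every odd byte is NUL.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return "utf-16le", raw.decode("utf-16le")
    try:
        return "utf-8", raw.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary payload, not a script we can read here


def extract_encoded_commands(vba_source):
    """List every decodable base64 run in macro source and what it hides."""
    findings = []
    for match in BASE64_RUN.finditer(vba_source):
        decoded = decode_blob(match.group(0))
        if decoded is None:
            continue
        encoding, text = decoded
        # Note whether the enclosing line invokes PowerShell, the pattern in the post.
        start = vba_source.rfind("\n", 0, match.start()) + 1
        end = vba_source.find("\n", match.start())
        line = vba_source[start:len(vba_source) if end == -1 else end]
        findings.append({"blob": match.group(0), "encoding": encoding,
                         "decoded": text, "powershell": "powershell" in line.lower()})
    return findings
```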