On the most recent phishing attacks, PowerShell is usually employed to load and execute position-independant shellcode via a macro-enabled Office document. So, in order to know what actions are being carried away the truly interesting part here is the shellcode being executed. However, to slow down analysis or lower detection,

Read More

Previous analysis: Palo Alto's Analysis Minerva's Analysis We are presented with a Word document that has macros. The VBA code for the macros is obfuscated but we can clearly see that it is using some interesting Win32 API calls like VirtualAlloc and CallWindowProc, which later renames. Thus, we can just

Read More