Analyzing Phishing Email – Word XML File Analysis

Recently I’ve observed a phishing mail as below: – clean

The file seems to be clean per VT. Interestingly, in the details section, I found 2 URLs under OpenXML Doc Info.

To search for these URLs, first rename the Word doc file to a compressed zip file, e.g. sample.doc to

Then, extract the zip file. The URLs can be found inside the file document.xml.rels (~/sample_folder/word/_rels/):

It may look simple if you know which file to look at and where it is.

I’m thinking: what if we could search for all the URLs/hyperlinks in the XML files of the Word document, without actually having to open them one by one?

To do that, we’ll be using the zipdump and re-search (together with reextra) Python script tools by Didier Stevens:

  • zipdump
  • re-search
  • reextra

Download the Python scripts mentioned above into one place. Then execute the command below:

The command above will search the content of the zip file and apply regex searching for URLs.
As you can see below, these are all the URLs contained in the Word doc:
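
The idea above, searching every part of the document for URLs in one pass, as an added example (not the author's or Didier Stevens' code): it walks the zip in memory, regex-matches URLs in each member, and lists relationships marked TargetMode="External" in the .rels parts. The sample document and its example.test URL are constructed.

```python
import html
import io
import re
import zipfile

URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.I)
REL_TAG = re.compile(rb"<Relationship\b[^>]*>")
ATTR = re.compile(rb'(\w+)="([^"]*)"')
# XML namespace hosts that appear in every OOXML file; not useful as indicators.
NAMESPACE_HOSTS = (b"schemas.openxmlformats.org", b"schemas.microsoft.com",
                   b"www.w3.org", b"purl.org")
MAX_MEMBER = 20 * 1024 * 1024  # skip members declaring more than 20 MiB (zip-bomb guard)


def scan_ooxml(doc_bytes):
    """Return (urls, external): sets of (member, url) found in an OOXML zip."""
    urls, external = set(), set()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            for raw in URL_RE.findall(data):
                host = raw.split(b"/")[2].lower()
                if host not in NAMESPACE_HOSTS:
                    urls.add((info.filename, html.unescape(raw.decode("utf-8", "replace"))))
            if info.filename.endswith(".rels"):
                for tag in REL_TAG.findall(data):  # regex, so no XML entity expansion
                    attrs = dict(ATTR.findall(tag))
                    if attrs.get(b"TargetMode") == b"External":
                        target = attrs.get(b"Target", b"").decode("utf-8", "replace")
                        external.add((info.filename, html.unescape(target)))
    return urls, external


def build_sample():
    """Constructed sample document (not the phishing sample from the post)."""
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
            b' Target="http://example.test/login?a=1&amp;b=2" TargetMode="External"/>'
            b'</Relationships>')
    body = b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

External relationship targets are the ones Word may contact when the document is opened, so they are worth reviewing before the rest of the regex hits.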

Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF related to an attack towards our environment.
Further review of the alert found that the attacker was using the Oracle WebLogic RCE Deserialization Vulnerability (CVE-2018-2628).

We observed that the attacker included some sort of PowerShell command in their request:

It seems the PowerShell command is using Base64 encoding for obfuscation.
I use to decode the Base64:

It seems it tried to fetch the DL.php file at
Let’s try to grab that file:

Hmm.. Error 404..? Is it a true error?
Or are we missing something here?

Let’s analyze the command carefully:

We can see the attacker is assigning a specific User-Agent when fetching the file.
That’s why it failed when we tried to wget/curl the file directly.

So what we have to do is set exactly the same User-Agent when fetching the file.
In this case, I’m using curl to fetch the file:

Now see? Previously, fetching the file without the User-Agent failed with error 404.
Again, we see another set of Base64 encoding here.

But what is it?
I’m not an expert to explain this, but TL;DR, it converts a Base64 encoded string to a memory stream and executes it. I guess ¯\_(ツ)_/¯

So, to see what happens if this command executes, we can use the Python script below to decode it.
With this script, we can basically see what those Base64 strings are doing.

Take the Base64 above and paste it into the encoded parameter, as in the example below:

Save the script and run it with the command below:

This will save all the output from your CMD to a text file so it is easier to read.
P/S: You can rename output_DL_php.txt to any filename that you want.

Let’s see what’s inside the text file:

As you can see, the command is doing a bunch of stuff that I’m lazy to explain 😉
Hope you enjoy reading this.
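
An added sketch of the static decoding step described above (not the script from the original post): it peels nested Base64 layers and returns each layer as text, without executing anything. The UTF-16LE, gzip and raw-deflate handling are assumptions about common PowerShell encodings, and the sample payload is constructed and harmless.

```python
import base64
import gzip
import re
import zlib

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def as_text(raw):
    """Decode bytes that already look like text, else return None."""
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")  # -EncodedCommand uses UTF-16LE
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_layer(b64):
    """Statically decode one Base64 layer; nothing is ever executed."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        text = as_text(raw)
        if text is None:  # binary: assume a GzipStream or DeflateStream wrapper
            raw = gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else zlib.decompress(raw, -15)
            text = as_text(raw)
        return text
    except (ValueError, OSError, EOFError, zlib.error):
        return None


def peel(b64, max_depth=5):
    """Follow the longest embedded Base64 run layer by layer; return each layer's text."""
    layers = []
    while b64 and len(layers) < max_depth:
        text = decode_layer(b64)
        if text is None:
            break
        layers.append(text)
        b64 = max(B64_RUN.findall(text), key=len, default=None)
    return layers


def build_sample():
    """Constructed two-layer sample with a harmless inner string (not the post's payload)."""
    inner = "Write-Output 'constructed inner layer, never executed'"
    # raw deflate = zlib stream minus its 2-byte header and 4-byte Adler-32 trailer
    blob = base64.b64encode(zlib.compress(inner.encode())[2:-4]).decode()
    outer = "[Convert]::FromBase64String('%s')" % blob
    return base64.b64encode(outer.encode("utf-16-le")).decode(), inner
```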



Wargames 2017 – Challenge 9 : unreachable

the question is:

question for challenge 2

and the hint given to us:

hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark and view only the ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs; &
after digging around, I found out there are some “unique differences” in the ping identification number; offset 0010. this involves IP

let’s use tshark to see it clearly:

use tshark & grep offset 0010

as noted in the hint above;
“he is tracing backwardly.”

the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~

Shell hiding in image files

One day, we noticed a strange GET request towards our JBoss server:

From the request above, you’ll quickly notice that this attack leverages the Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute the command below:

“-O” : writes the documents to file.
“-” : if “-” is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch an image (jpeg file) from Seems normal, right?
We fetched the file & took a look at the jpg file:

ASCII?? Not JPEG?? hmm..
Here’s what’s inside the “logo.jpg” file:

We noticed there are several other files fetched; possibly a config file & a bin file.
Let’s fetch those files!

Here is the config file:

Not sure what it is. Maybe a bin file to run a process:

Let’s see if the file is packed:

Yup. So let’s unpack the file using UPX:

Overall, it looks like the attacker wants to hack our servers & turn them into his own cryptocurrency mining machines.
Typical behavior of the attacks we see at this time, when cryptocurrency is rising. People hack to make profit. 🙂
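
The checks described above (content that does not match its .jpg name, a packed binary, an MD5 for reference), as an added triage example that is not part of the original post. The sample bytes and the name "payload.bin" are constructed; the "UPX!" marker check is a heuristic.

```python
import hashlib

JPEG_MAGIC = b"\xff\xd8\xff"
ELF_MAGIC = b"\x7fELF"
EXPECTED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg"}


def classify(data):
    """Identify content from its leading bytes, ignoring the file name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\t\r\n" for b in head):
        return "ascii-text"
    return "unknown"


def triage(name, data):
    """Summarise a fetched file: real type, name/content mismatch, UPX marker, MD5."""
    kind = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "name": name,
        "kind": kind,
        "mismatch": expected is not None and kind != expected,
        # UPX leaves a "UPX!" marker in packed ELF files; it can be stripped,
        # so a missing marker does not prove the file is unpacked.
        "upx_packed": kind == "elf" and b"UPX!" in data,
        "md5": hashlib.md5(data).hexdigest(),
    }


# Constructed samples (not the files from the incident).
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed placeholder, does nothing\n"
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + b"UPX!" + b"\x00" * 32

if __name__ == "__main__":
    for fname, blob in (("logo.jpg", SAMPLE_SCRIPT), ("payload.bin", SAMPLE_ELF)):
        print(triage(fname, blob))
```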

Here is the MD5 for the file above:

Dionaea simple analysis

Dionaea exploit analysis

For this analysis, we’ll be using the python3 that is bundled with Dionaea:

Running the command above will open a python console. Enter the code below line by line:

It will produce a test.bin file in the /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL is hxxp://
