The annual FireEye Flare-On challenge is something I really look forward to, with great excitement and impatience. I strongly suggest that everyone spend some time on past challenges, as they are an excellent source of knowledge and a chance for skill development. Of all the Flare-On challenges, I recall Flare-On 5 in 2018, which is considered the most difficult challenge, so difficult that the organizers mentioned that future challenges would be easier. One such challenge was the leet_editr (challenge number 5), which became my nemesis, as I was not able to complete the challenge and thus move forward.

The challenge

This week a captured AutoIT malware sample got our attention. We happened to have some experience with AutoIT scripts, thanks to FireEye Flare-On 7 (2020) challenge #6 (CodeIT), but never had the chance to analyze a real scenario.

In this small post, the process followed during the analysis will be presented.

What is AutoIT?

Quoting the AutoIT web site:

AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g…

During October 2020, Greece was targeted by an Emotet malware campaign. A significant number of emails containing Emotet malware was received by almost every organization in Greece. Based on ESET’s report, during October 2020 Greece was the country with the largest contribution to the Emotet botnet, at approximately 18%. What caught our attention is the infection rate and the level of credibility the related Emotet phishing emails had.

Figure 1 — Countries most targeted by Emotet during October 2020

We considered it as a great opportunity to enhance our reverse engineering skills by trying to fully analyze Emotet but also identify the operational activities of this specific campaign. In this post we…

Two weeks ago a malicious MS Word document was blocked by a sandbox (SHA 256 - 1aca3bcf3f303624b8d7bcf7ba7ce284cf06b0ca304782180b6b9b973f4ffdd7). The sample looked interesting because, at that time, VirusTotal had a limited detection rate. Both VirusTotal and Any.Run identified the sample as CVE-2017-11882, one of the infamous Equation Editor exploits. Let’s take a look.

Looking for an OLE

RTF is quite a complex structure by itself. On top of that, adversaries add additional obfuscation layers to prevent both analysts and various analysis tools from detecting the malicious objects.

RTF Hide & Seek

Firing up oletools/rtfobj and Didier’s rtfdump to look for OLE objects did not result in anything useful.

