

Showing posts from December, 2014

Merry Christmas From Malware Tracker or "Christmas Card For You.doc"

Merry Christmas and happy holidays from all of us.

And your obligatory MS12-060 malware Christmas Card:

Christmas Card For You.doc
Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
C2 IP:
Possibly related domains: (resolves to same IP)

rule malware_kis
{
    meta:
        date = "December 22, 2014"
        desc = "Christmas Card for you malware"
        ref = ""
        MD5 = "0dbe90b1dca29e2daf28ff789b3d43d3"
        author = "@mwtracker"

    strings:
        $s1 = "\\kis(by XC)\\MYDLL\\Release\\MYDLL.pdb"

    condition:
        all of them
}

You can view our automated Cryptam report on this sample as well as the extracted dropper's strings in Cryptam.

CVE-2014-4114/CVE-2014-6352 Evade AV by removing read access in zip structure

We recently came across a CVE-2014-4114/CVE-2014-6352 sample (MD5 c69978405ecbb4c5691325ccda6bc1c0) which uses the Zip directory structure of OpenXML ppsx files to assign no access permissions to the exploit entry. This may allow the malware to slip past some automated analysis systems while still allowing the exploit to function properly in MS Office PowerPoint, which ignores the Zip format access permissions. This PowerPoint exploit is usually delivered by email and has been used by both espionage and criminal groups.
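To show what an analysis pipeline should be checking for, here is an added example (not code from Malware Tracker or from the sample): it builds a constructed, benign ppsx-style zip in memory, sets a Unix mode with no read bits in the central-directory external attributes of one entry, then flags such entries and reads the entry straight from the archive the way Office does, rather than extracting to disk where the mode would be honoured. The entry names and payload bytes are placeholders.

```python
import io
import stat
import zipfile


def build_sample_ppsx(strip_read: bool) -> bytes:
    """Constructed sample: a minimal OpenXML-like zip. When strip_read is
    True the embedded-object entry records Unix mode 0 (no rwx bits) in the
    high 16 bits of its external attributes, mimicking the evasion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        info = zipfile.ZipInfo("ppt/embeddings/oleObject1.bin")  # placeholder name
        info.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        mode = 0o000 if strip_read else 0o644
        info.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(info, b"placeholder payload bytes")  # not real exploit content
    return buf.getvalue()


def find_unreadable_entries(data: bytes) -> list:
    """Return names of members whose recorded Unix mode has no read bit for
    owner, group or other. Office ignores these bits, but an extractor that
    honours them leaves the file unreadable for later scanning stages."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if mode == 0:
                continue  # no Unix attributes recorded (e.g. Windows-made zip)
            if not mode & (stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH):
                flagged.append(info.filename)
    return flagged


def read_entry_ignoring_mode(data: bytes, name: str) -> bytes:
    """Read a member directly from the archive; permissions in the central
    directory never apply here, which is how the document still opens."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = build_sample_ppsx(strip_read=True)
    print("entries with no read bits:", find_unreadable_entries(sample))
```

Any hit from find_unreadable_entries on an Office document is worth treating as suspicious on its own, since legitimate authoring tools have no reason to store unreadable members.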

An early version of the exploit with normal file access permissions:

The new c69978405ecbb4c5691325ccda6bc1c0 with no user read permissions:

This modification to file permissions does appear to yield lower detection rates compared with another recent version of a similar exploit.

VT Detection rate of 23/56 for the version with read access:

And VT results of only 13/56 for the version with no read access to the exploit. Most of the major AV engines do not detect the exploit: