Forensic
Thursday 1 June 2023, 17:05 #1
Forensic - Malicious Word macro
Hello,
I found the Word file in the dump: V***_****.***m.
I analyzed it with tools like oletools and manually looked in vbaProject.bin.
I only found one URL, which is the proxy I guess: http://***.***.*.**:****/B*****.***x
Nothing linked to the domain for the password validation.
Am I missing something? Any hints?
Thanks.
Sunday 10 September 2023, 11:26 #2
Forensic - Malicious Word macro
I tried a new approach.
I dumped the infected process and checked the Internet Explorer history.
I found several domains like microsoft, linkedin and facebook.
The most frequent are msn and akamaized, which are often linked together.
But they do not seem to be the valid flag.
Thank you for your help.