“SOC114 — Malicious Attachment Detected — Phishing Alert” investigation
Hello, today I will write about my investigation of the “SOC114 — Malicious Attachment Detected — Phishing Alert” alarm from letsdefend.io.
The alert appears in our investigation channel. After that, we proceed to build the case.
Let’s start the playbook.
The first step is to ‘Parse Email’ and gather information about the incoming email. The alert itself contains the majority of the information:
- The alarm was triggered with high severity at 15:48 (3:48 p.m.) on 31 June 2021.
- The SMTP IP address of the server that sent the mail is seen as “49.234.43.39”.
- The e-mail that caused the alarm was sent from “accounting@cmail.carleton.ca” to “richard@letsdefend.io” with the subject “Invoice”.
- As the device action is shown as “Allowed”, we understand that the mail reached the user.
From the content of the alarm, we understand that an e-mail with a malicious file attachment has reached an internal user. Therefore, the relevant e-mail must be examined urgently.
First, I query the “cmail.carleton.ca” domain to check whether the sender address is spoofed.
We also search for the SMTP address (49.234.43.39) from the alert in VirusTotal:
We find something interesting: the SMTP address belongs to Shenzhen, China, and Fortinet has flagged this IP address as malicious.
I see that the SMTP IP address in the alert differs from the mail server address of the sender domain, so I understand that the sender address is spoofed. Therefore, I will not block the sender address and domain.
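The “Parse Email” step and the spoofing check above can be automated. The following is an added example written for this write-up, not code from LetsDefend or from the original post: it parses a constructed message carrying the alert's From/To/Subject fields and a Received header with the alert's SMTP IP, then checks that connecting IP against an SPF record. The SPF record is a constructed stand-in (the real record would come from a DNS TXT lookup of the sender domain), so the only conclusion the code draws is the same one the analyst reached: the connecting IP is not an authorised sender for the domain, so the From address is not to be trusted or blocked.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message modelled on the fields in the alert; not a real capture.
RAW_EMAIL = b"""\
Received: from mail-relay.example.invalid (unknown [49.234.43.39])
\tby mx.letsdefend.io with ESMTP id 1AbCdEf
From: Accounting <accounting@cmail.carleton.ca>
To: richard@letsdefend.io
Subject: Invoice
Content-Type: text/plain; charset="us-ascii"

Please find the invoice attached.
"""

# Constructed SPF record standing in for a live lookup (dig TXT <sender domain>);
# it is NOT the real record for cmail.carleton.ca.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"

# Matches the bracketed client address an MTA writes into a Received header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_email(raw: bytes) -> dict:
    """Pull the fields a 'Parse Email' playbook step needs out of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]

    # Each hop prepends its own Received header, so the first one is the hop our
    # own MX recorded and it names the IP that actually connected to us. Headers
    # further down were added on the sender's side and could be forged.
    smtp_ip = None
    received = msg.get_all("Received") or []
    if received:
        match = RECEIVED_IP_RE.search(received[0])
        if match:
            smtp_ip = match.group(1)

    return {
        "from": sender.addr_spec,
        "sender_domain": sender.domain.lower(),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "smtp_ip": smtp_ip,
    }


def ip_permitted_by_spf(ip: str, spf_record: str) -> bool:
    """True if ip is covered by an ip4:/ip6: mechanism of the SPF record.

    Only literal address mechanisms are evaluated; a:/mx:/include: terms
    would need further DNS lookups, which this offline example does not do.
    """
    addr = ipaddress.ip_address(ip)
    for term in spf_record.split():
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr in network:
                return True
    return False


def assess_sender(raw: bytes, spf_record: str) -> dict:
    """Combine the parsed headers with the SPF check to flag a likely spoof."""
    info = parse_email(raw)
    info["spf_pass"] = bool(info["smtp_ip"]) and ip_permitted_by_spf(info["smtp_ip"], spf_record)
    # A connecting IP outside the domain's published senders means the From
    # address cannot be trusted; blocking that domain would only hurt the
    # legitimate owner, which is why the analyst does not block it.
    info["likely_spoofed"] = not info["spf_pass"]
    return info


if __name__ == "__main__":
    for key, value in assess_sender(RAW_EMAIL, SAMPLE_SPF).items():
        print(f"{key:15} {value}")
```

In a real investigation the SPF record is fetched from DNS for the sender domain, and the same comparison is made against the connecting IP recorded by your own mail gateway, never against a Received header the sender could have written.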
Then, from the Mailbox area, we find the relevant e-mail and download the attachment to examine it.
There is one zipped file, c9ad9506bcccfaa987ff9fc11b91698d.zip, in the attachment.
I downloaded the attached zip file and performed online analysis using AnyRun and VirusTotal.
AnyRun results:
We submit the .zip attachment to AnyRun.
We can see that the .zip file contains an .xlsx file. The archive password is “infected”.
When the malicious Excel file is opened in the sandbox environment, a child process of the Excel process appears: EQNEDT32.exe, the Microsoft Equation Editor, which allows users to embed math equations in Office documents.
The EQNEDT32.exe process in turn starts another child process, ntvdm.exe, the NT Virtual DOS Machine.
As seen, after loading the file into Microsoft Excel, the user is prompted to enable content, but point 1 of the prompt tells him that protected documents cannot be previewed. These kinds of messages, in my opinion, are frequently used to trick users into performing the attacker's desired actions.
Here we can observe that another executable was launched following the execution of MS Excel, which is definitely not what a legitimate Excel file would do. AnyRun automatically identifies the file as 100% malicious.
We can see that it is malware tagged with the exploit “CVE-2017-11882”.
As CVE-2017-11882 describes, ntvdm.exe opens up a shell for potential remote code execution.
In addition, we can see all the network connection addresses in the IOC section.
VirusTotal results:
Here too we can see that it is malware associated with the exploit “CVE-2017-11882”.
The list of domains and their IP addresses from VirusTotal can be found below. We want to see whether our user had any connections to these domains and IP addresses, so we search Log Management to see if anyone has opened the infected file.
Only andaluciabeach.net and 5.135.143.133 were found in Log Management.
Alternatively, we can simply search for andaluciabeach.net/image/network.exe:
We can see that there is traffic from the user with IP address “172.16.17.45” to the URL hosting the malicious executable, and that the request was successful.
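The Log Management search above is a sweep of proxy logs for the sandbox IOCs. As an added example (not part of the original post and not LetsDefend's tooling), the script below runs that sweep over a few constructed key=value proxy log lines: it matches the IOC domain (including subdomains), the IOC IP and the exact payload URL, and then separates hosts whose request actually completed with a 2xx status, which is the detail that tells us the user fetched the executable rather than being blocked.

```python
# IOCs taken from the sandbox reports quoted in the write-up.
IOC_DOMAINS = {"andaluciabeach.net"}
IOC_IPS = {"5.135.143.133"}
IOC_URLS = {"http://andaluciabeach.net/image/network.exe"}

# Constructed proxy log lines in key=value form; not a real LetsDefend export.
# Benign destinations use documentation address ranges.
PROXY_LOGS = """\
ts=2021-01-31T15:50:02Z src=172.16.17.45 dst=198.51.100.7 host=www.example.com url=https://www.example.com/ status=200
ts=2021-01-31T15:52:10Z src=172.16.17.45 dst=5.135.143.133 host=andaluciabeach.net url=http://andaluciabeach.net/image/network.exe status=200
ts=2021-01-31T15:53:44Z src=172.16.17.88 dst=203.0.113.9 host=login.example.net url=https://login.example.net/ status=302
ts=2021-01-31T16:01:09Z src=172.16.17.92 dst=5.135.143.133 host=cdn.andaluciabeach.net url=http://cdn.andaluciabeach.net/x status=403
"""


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; unknown tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def domain_matches(host: str, iocs: set) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def find_ioc_hits(log_text: str) -> list:
    """Return one record per log line that touches any IOC, with the reasons."""
    ioc_urls = {u.lower() for u in IOC_URLS}
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        matched = []
        if domain_matches(fields.get("host", ""), IOC_DOMAINS):
            matched.append("domain")
        if fields.get("dst") in IOC_IPS:
            matched.append("ip")
        if fields.get("url", "").lower() in ioc_urls:
            matched.append("url")
        if matched:
            hits.append({
                "ts": fields.get("ts"),
                "src": fields.get("src"),
                "url": fields.get("url"),
                "status": int(fields.get("status", "0")),
                "matched": matched,
            })
    return hits


def hosts_that_downloaded(hits: list) -> list:
    """Source addresses whose IOC request completed with a 2xx status.

    A 403 or a proxy block still shows the host tried to reach the IOC, but only
    a successful response means the payload may be on the endpoint.
    """
    return sorted({h["src"] for h in hits if 200 <= h["status"] < 300})


if __name__ == "__main__":
    hits = find_ioc_hits(PROXY_LOGS)
    for hit in hits:
        print(hit)
    print("hosts to check in Endpoint Security:", hosts_that_downloaded(hits))
```

Both result lists feed the next step of the investigation: every source in the hit list deserves a look, but the hosts in the 2xx list are the ones to pivot on in Endpoint Security first.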
When we search for the “172.16.17.45” IP address in the Endpoint Security section, we find the “RichardPRD” host belonging to the “richard” user, to whom the mail was sent.
We open the details:
In the browser history (after Jan. 31, 2021, 15:48) we see the visit to the relevant malicious address.
From Network Connections we can see the request.
In the Process History section we can see the EQNEDT32.exe process and Juicy Potato, which is used for privilege escalation.
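The EXCEL.EXE → EQNEDT32.exe → ntvdm.exe chain seen in the sandbox, and the EQNEDT32.exe process found again in the endpoint's Process History, are the same detection opportunity. The script below is an added example (not part of the original post and not LetsDefend's detection logic) that applies the usual rule for CVE-2017-11882 exploitation to constructed Sysmon-style process-creation events: the Equation Editor normally launches no other programs, so any child it spawns is flagged, and an Office ancestor is reported as supporting context. Image paths and PIDs in the sample events are constructed.

```python
from collections import defaultdict

# Constructed process-creation events in Sysmon Event ID 1 style; not a real capture.
# The EXCEL -> EQNEDT32 -> ntvdm chain mirrors what the sandbox report showed.
EVENTS = [
    {"pid": 812,  "ppid": 620,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 4012, "ppid": 812,  "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
    {"pid": 4100, "ppid": 4012, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 4140, "ppid": 4100, "image": r"C:\Windows\System32\ntvdm.exe"},
    {"pid": 5010, "ppid": 812,  "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"pid": 5020, "ppid": 5010, "image": r"C:\Windows\splwow64.exe"},  # benign print helper
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict):
    """Yield image names walking up the parent chain; stops on missing or cyclic data."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield image_name(by_pid[pid]["image"])


def find_equation_editor_abuse(events: list) -> list:
    """Flag every EQNEDT32.EXE instance that spawns a child process.

    The Equation Editor does not launch other programs in normal use, so a child
    such as ntvdm.exe or cmd.exe is the hallmark of CVE-2017-11882 exploitation.
    In live telemetry the editor is often started by the DCOM host (svchost.exe)
    rather than by the Office process itself, so the rule keys on the children
    and reports an Office ancestor only as supporting context.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if image_name(e["image"]) != EQUATION_EDITOR:
            continue
        spawned = [image_name(c["image"]) for c in children.get(e["pid"], [])]
        if not spawned:
            continue
        office = [a for a in ancestors(e["pid"], by_pid) if a in OFFICE_APPS]
        findings.append({
            "eqnedt_pid": e["pid"],
            "children": spawned,
            "office_ancestor": office[0] if office else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_equation_editor_abuse(EVENTS):
        print("EQNEDT32 spawned", finding["children"],
              "under", finding["office_ancestor"], "(pid", finding["eqnedt_pid"], ")")
```

The benign WINWORD.EXE → splwow64.exe pair in the sample data is deliberately left unflagged: Office applications spawn helpers all the time, and alerting on every Office child would bury the one chain that matters.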
Since the user has run the malicious attachment, we use the REQUEST CONTAINMENT button so that the relevant host can be examined.
After completing our review, we need to create a case on letsdefend.io and work through the relevant playbook.
First, an information page comes up explaining what we need to examine, and when we pass it, we are greeted by a step asking whether there is a file or URL in the e-mail we examined.
Next, it asks whether the relevant URL/file is harmful when examined with third-party sandbox software. Since the Excel file in the mail was harmful, I continue with the Malicious option.
In the next step, it asks whether the relevant e-mail reached the user. I proceed with Delivered because of the “Device Action: Allowed” field in the alarm.
In the next stage, a page states that the relevant mail should be deleted, and I proceed with the delete button.
The next question is whether someone actually opened the relevant URL/file. I continue with Opened because the user “richard” opened the malicious Excel file.
Finally, a page informs us that the relevant user's host should be put into Containment.
Before closing the case, we add the findings from the review phase.
Summary: