John B. Baird


Computer Forensic Portfolio

Bradenton, FL

Open to relocation


johnbairdpc at gmail dot com


Malware Analysis of Keylogger


John Baird PC


Case Overview


Malware forensic examination for [REDACTED] of a malware sample “housingagr.docx”.


This case was opened because malware is suspected of infecting operating systems similar to the one used during this malware forensic examination.


Chain of Custody


I have taken possession of the malware sample.


Malware identification


On 12/7/2017, I ran a SHA-1 hash computation of the sample “housingagr.docx”. The SHA-1 hash is “[REDACTED]”. (Figure 1.1) A hash value is the output of a mathematical function (here SHA-1) computed over a file’s contents and is used to uniquely identify the file.


I then searched for the SHA-1 hash value; F-Secure identifies the malware as “Exploit.RTF-ObfsStrm.Gen”.




Figure 1.1: SHA-1 hash value of the sample




The sample was named “housingagr.docx”. The file size is 1.09 MB. The file was last modified on 6/30/2016 at 10:51 AM (timezone unknown).


Threat background


At 7:30 PM Eastern, I searched for the SHA-1 hash value on VirusTotal (VirusTotal, 2017); F-Secure identifies the malware as “Exploit.RTF-ObfsStrm.Gen”.


Because the file is masquerading as a normal Microsoft Word document, the attack vector appears to be a trojan horse-style infection. A user would assume the file is a normal document and double click it to open it. This means the malware could be transmitted via email, USB drive or as a file downloaded directly from a web site.


An indicator of compromise (IOC) would be the file “WINWORD.EXE” (PID 788, partner ID 2016) running on the system, along with suspicious files added to the Start menu.


Blocking files with matching hash values (signatures) is one method of preventing future attacks such as this one. Ad-Aware, Avast, BitDefender, F-Secure, McAfee and Symantec are all anti-virus solutions that correctly identified the signature of this malware.
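As an added example, not part of the original report or of any tool the examiner used: the hashing and signature-matching step described above, in Python. It streams a file through SHA-1 and SHA-256, records the size and last-modified time that the report lists for the sample, and checks the digests against a blocklist of known-bad hashes. The sample bytes, the blocklist entry and the `triage_bytes` helper are constructed for this demonstration; the report’s real SHA-1 is redacted and is not reproduced here.

```python
"""Hash a sample file, record its metadata and check it against a blocklist.
Added example; the sample content and blocklist entry are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read large samples in 1 MiB chunks


def hash_file(path):
    """Return SHA-1 and SHA-256 hex digests of a file, streaming it in chunks."""
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def file_metadata(path):
    """Size in bytes and last-modified time (UTC) of the file."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def check_blocklist(digests, blocklist):
    """Return the blocklist label if any digest matches (case-insensitive), else None."""
    for value in digests.values():
        label = blocklist.get(value.lower())
        if label:
            return label
    return None


def write_constructed_sample(data):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".docx")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample content (not real malware) and a constructed blocklist entry
# keyed by its SHA-1, standing in for the redacted hash in the report.
SAMPLE_BYTES = b"PK\x03\x04 constructed placeholder document body\n"
KNOWN_BAD = {hashlib.sha1(SAMPLE_BYTES).hexdigest(): "Exploit.RTF-ObfsStrm.Gen (constructed entry)"}


def triage(path, blocklist=KNOWN_BAD):
    """Collect path, metadata, digests and the blocklist verdict for one file."""
    info = {"path": path, **file_metadata(path), **hash_file(path)}
    info["verdict"] = check_blocklist({"sha1": info["sha1"], "sha256": info["sha256"]}, blocklist)
    return info


def triage_bytes(data, blocklist=KNOWN_BAD):
    """Helper for demos/tests: triage constructed bytes via a temp file, then clean up."""
    path = write_constructed_sample(data)
    try:
        return triage(path, blocklist)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in triage_bytes(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

The blocklist is keyed by lower-cased hex so that hashes copied from different tools (upper- or lower-case) still match; both SHA-1 and SHA-256 are recorded because many vendors now publish only SHA-256, while older reports such as this one use SHA-1.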




The malware attempts to trick a user into thinking it is a normal Microsoft Word document. Once the user opens the file, the malware attempts to install the program “WINWORD.EXE” via an “OLE Objects” exploit in Word. The program is named “WINWORD.EXE” in an attempt to masquerade as the legitimate Word program.


The malware creates a registry key to allow “WINWORD.EXE” to automatically run when the computer is started. The malware runs silently on the system in an attempt to conceal its presence from the user.


The malware attempts to steal information from local internet browsers. The malware reaches out to a command and control server at IP “[IP 1]” at the domain “[DOMAIN1]”. A command and control server is used to send information to and receive information from malware. The malware likely collects information gleaned from a user’s browser and internet activity and sends it to the malware creator for nefarious purposes. The communication appears to be done via “UPX” to the server “[DOMAIN 2]” via the program “csrsss.exe”.


The malware creates several registry keys that it needs in order to function. Some of these are under legitimate Microsoft Word keys, such as “HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency” and “HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Debug”. This appears to be an attempt to make it harder to manually identify which registry keys belong to the malware and which legitimately belong to Microsoft Word.


Other registry locations appear in registry keys intended for Microsoft Windows, such as “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Install 1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A”. This is also an attempt to make it harder to identify which registry keys belong to the malware.
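The report notes that the malware adds an autostart registry entry for “WINWORD.EXE” and hides its other keys among legitimate Office and Windows keys. As an added example, not part of the original report or its tooling, the Python below scans an exported registry fragment (`.reg` text) for autostart values that point at a binary named like a legitimate Windows or Office program but stored outside the directory where the genuine copy lives. The `.reg` text, the paths in it and the `EXPECTED_DIRS` table of default install locations are all constructed assumptions for this demonstration, and the parser handles only plain string values, not multi-line hex data.

```python
"""Flag autostart registry values whose binary name impersonates a legitimate
program but whose path is outside that program's normal directory.
Added example; the .reg export below is constructed."""
import re

# Autostart locations checked (HKCU/HKLM Run and RunOnce).
AUTOSTART_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Commonly impersonated binaries mapped to directory prefixes (lower-cased) where the
# genuine copy is expected. Assumption: default install layout.
EXPECTED_DIRS = {
    "winword.exe": (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office"),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "csrss.exe": (r"c:\windows\system32",),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            # .reg exports escape backslashes and quotes as \\ and \" ; undo that.
            data = re.sub(r'\\(["\\])', r"\1", m.group(2))
            yield key, m.group(1), data


def exe_from_command(data):
    """Extract the executable path from a command line (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def find_masquerading_autostarts(reg_text):
    """Return findings for autostart values pointing at look-alike binaries."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key not in AUTOSTART_KEYS:
            continue
        exe = exe_from_command(data)
        base = exe.rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_DIRS.get(base)
        if expected is None:
            continue
        if not exe.lower().startswith(expected):
            findings.append({"key": key, "value": name, "path": exe,
                             "reason": f"{base} outside its expected directories"})
    return findings


# Constructed .reg export: two legitimate entries, two look-alike entries and one
# non-autostart Office key that the scan must ignore.
CONSTRUCTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Office"="\"C:\\Users\\user\\AppData\\Roaming\\WINWORD.EXE\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Word"="\"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\" /n"
"Host"="C:\\ProgramData\\svchost.exe -k netsvcs"

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency]
"Note"="legitimate Word key, not an autostart location"
'''

if __name__ == "__main__":
    for finding in find_masquerading_autostarts(CONSTRUCTED_REG):
        print(finding)
```

Run against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the suspect system, then pass the file contents in) the same logic surfaces the user-profile copy of “WINWORD.EXE” while leaving the genuine Office install alone; the Resiliency key from the report is parsed but skipped because it is not an autostart location.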


As for the process tree, “WINWORD.EXE” has three child processes: “svchost.exe” and two “cmd.exe” instances. The “svchost.exe” program is intended to mimic a legitimate Windows process that normally runs in the background.


Other files were also associated with the malware, such as loading the dynamic link library (DLL) of “C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll”.


Some files were also deleted, such as the files “~$Normal.dotm”, “~WRS{8F9876E4-ACE8-4DFC-BCC1-98EEC45B9B96}.tmp” and “~WRS{8452B5E1-EA1A-43D2-7A4B-85F174CBE496}.tmp”.


Results / recommendation


The evidence suggests that this malware uses “OLE Objects” to exploit vulnerabilities in Microsoft Word in order to install malware. F-Secure identifies the malware as “Exploit.RTF-ObfsStrm.Gen”. This malware appears to exploit a vulnerability found in Microsoft Office to install a Python-based keylogger. The malware tries to observe the actions the user takes online and report that activity to the malware’s command and control server.


My recommendation would be to use a program like F-Secure to try to remove the malware. However, malware infections like this are often so severe that the best course of action is to back up the user’s personal files (ensuring no malware is hiding within them) and then reinstall the operating system and software, or restore from a safe, known image.


Going forward, using the latest version of Microsoft Office (Word) and ensuring Windows updates and Office updates are applied can help safeguard against these kinds of attacks, as can running security software such as F-Secure.


