{
	"id": "6e1812bd-9d6b-4028-92e6-44bac7dfec34",
	"created_at": "2026-04-06T00:10:50.457268Z",
	"updated_at": "2026-04-10T03:21:00.485298Z",
	"deleted_at": null,
	"sha1_hash": "1542c727c0110e52801242af775e2241f9389e14",
	"title": "[QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1014749,
	"plain_text": "[QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam\r\nPublished: 2022-01-25 · Archived: 2026-04-05 14:14:54 UTC\r\nhttps://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/\r\n\r\nRecently, the Shadow Chaser Group tweeted information about a malware sample targeting Vietnam.\r\n\r\nSample info:\r\nSHA-256: 341dee709285286bc5ba94d14d1bce8a6416cb93a054bd183b501552a17ef314\r\nITW: Bien ban thong nhat ke hoach dao tao_VPB.Voffice.docx\r\nSubmitted from VN: 2022-01-24 02:52:14 UTC\r\n\r\nBecause this sample is related to Vietnam, I decided to take the time to perform a quick analysis of this malicious document. A quick check of this document shows that it uses the Template Injection technique. The advantage of this technique is that when the user opens the file, it will automatically download the fav.ico file from the address hxxp://office[.]oiqezet[.]com/portals/office/fav.ico.\r\n\r\nIn addition, based on the \u003cAppVersion\u003e tag information, it is possible to know that the attacker created this document with Office 2010:\r\n\r\nAt the time of analysis, I could still download the fav.ico file (MD5: 9521e4138fd0e6996072778cd4f1f06a):\r\n\r\nThe downloaded fav.ico file is not a PE file; it is an RTF file:\r\n\r\nChecking it with the rtfobj tool, the results show that this RTF file has an embedded object named qax23.xp, with size 167831 bytes and MD5 935553d110e5ded158006d0679226641.\r\n\r\nThis technique reminds me of some samples that I’ve analyzed before: [1], [2], [3], [4]. Thanks to nao_sec for updating the rr_decoder tool to decode the encrypted object.\r\n\r\nAfter dumping the object and then using rr_decoder, I got the DLL file with the original name Download.dll.\r\n\r\nHere is the result when I uploaded this DLL to the tria.ge site: https://tria.ge/220124-k8nknsdhf8/behavioral1\r\n\r\nAs shown in the figure, after executing, the malware sends encrypted data to the address http://office[.]oiqezet[.]com/portals/office/log.php?, and the remote IP address is located in Vietnam. To decode the above data, I quickly reversed the code of the DLL file.\r\n\r\nThe code of this DLL shows that it will collect and aggregate information about the victim’s computer, including: Host Name, OS Name, OS Version, System type, Architecture, User Name, InternetInformation, Antivirus product.\r\n\r\nAll collected information is encrypted with the RC4 algorithm using the encryption/decryption key \"123abc\", and the encrypted data is then Base64-encoded before being sent to the C2, as shown in the picture above.\r\n\r\nBased on the analysis results, using CyberChef I can decrypt the encrypted data sent to the C2 as follows:\r\n\r\nEnd.\r\nRegards,\r\nm4n0w4r\r\n\r\nSource: https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/"
	],
	"report_names": [
		"quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1542c727c0110e52801242af775e2241f9389e14.pdf",
		"text": "https://archive.orkl.eu/1542c727c0110e52801242af775e2241f9389e14.txt",
		"img": "https://archive.orkl.eu/1542c727c0110e52801242af775e2241f9389e14.jpg"
	}
}