{
	"id": "b11bbfe4-65a8-4007-ad5c-c30da8fddf96",
	"created_at": "2026-04-29T10:18:51.872546Z",
	"updated_at": "2026-04-29T10:42:33.787787Z",
	"deleted_at": null,
	"sha1_hash": "49e8314cf2ce99cabf50545f50f505c0d119c155",
	"title": "Gholee – a “protective edge” themed spear phishing campaign – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49165,
	"plain_text": "Gholee – a “protective edge” themed spear phishing campaign –\r\nClearSky Cyber Security\r\nPublished: 2014-09-04 · Archived: 2026-04-29 09:32:31 UTC\r\nIntroduction\r\nDuring the 2014 Israel–Gaza conflict, dubbed by Israel “operation protective edge”, a rise in cyber-attacks against Israeli targets was reported. In this report we analyze one case of an operation protective edge themed spear phishing attack. The email contained a malicious Excel file which, once opened and its VBA code executed, would infect the victim’s computer.\r\nAs of the publication of this report, the file is recognized as malicious by only one antivirus engine.\r\nBased on our analysis, we believe the threat actor behind this malware is a high level professional.\r\nOur investigation of the Gholee malware started following the detection of a suspicious file that was sent in an email to an undisclosed recipient. The file name was ‘Operation Protective Edge.xlsb’ (MD5: d0c3f4c9896d41a7c42737134ffb4c2e).\r\nThe file was first uploaded to VirusTotal on 10 August 2014, from Israel. At that time it was not detected as malicious by any of the 52 tested antivirus engines. Nine days later, it was uploaded again to VirusTotal, again from Israel. This time it was detected as malicious only by Kaspersky, as Trojan-Dropper.MSExcel.Agent.ce.\r\nInfection\r\nUpon opening the file a message is displayed, saying:\r\n“Due to security considerations I consciously hid the Informations. It will be visible for you by enabling content above.”\r\nThis is a social engineering tactic meant to lure the victim into enabling macro content. If enabled, the message disappears, and the following information is presented to the victim (it is possible that the unreadable characters in the screenshot below are the result of an encoding error in our lab environment, and that the victim would see different, readable content).\r\nTechnical Analysis\r\nCode\r\nAnalysis of the macro code reveals the following structure:\r\nhttps://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/\r\nPage 1 of 4\r\nIn order to avoid detection by protection measures such as antivirus and intrusion detection systems, ASCII character codes are used instead of the actual characters. The ASCII codes are converted to strings as they are concatenated into a single variable within a function. Tens of these functions are then concatenated, creating a single PE file.\r\nFinally, the file is saved as NTUSER.data.{GUID}.dll (MD5: 48573a150562c57742230583456b4c02) and the function ShellExecute is used to run it via cmd.exe /C and Rundll32. This is done to hide the process.\r\nThe DLL file is obfuscated and includes various mechanisms to hide from debuggers such as OllyDbg and IDA and from sandbox software such as Cuckoo and Anubis.\r\nAnalyzing the file, we found an interesting entry point called gholee.\r\nA quick Facebook search for that name together with Iran revealed that Gholee is a popular Iranian singer:\r\nCommunication\r\nWhen run, the DLL file communicates with a Kuwait based IP address, 83.170.33.60, owned by the German company iABG Mbh, which provides satellite communication services.\r\nThe malware opens an SSL connection over port 443 using a digital certificate that expired in 2010. The certificate was issued to the security company Core Security, the creators of the offensive suite Core Impact, for the address *coreimpactagent.net.\r\nIt was issued by the Thawte certificate authority.\r\nCertificate Fingerprint MD5: 9C 80 C2 47 40 6D 6C ED FC E0 08 AE EF D9 98 90\r\nUsing a proxy and SSL stripping, the following communication pattern over HTTP can be seen:\r\nGET /index.php?c=Ud7atknq\u0026r=17117d HTTP/1.1\r\nPOST /index.php?c=Ud7atknq\u0026r=1710b2 HTTP/1.1\r\nRelated incidents\r\nSearching for specific strings from the malicious file, we found another file that we believe is related to this campaign. The file name is “svchost 67.exe” (MD5: 916be1b609ed3dc80e5039a1d8102e82) and it was uploaded to VirusTotal[5] on 2 June 2014, more than two months earlier than “Operation Protective Edge.xlsb”. It was uploaded twice from Latvia – potentially to test the malware’s detection rate.\r\n“svchost 67.exe” communicated with 83.170.33.37, which is on the same /26 netblock as the address “Operation Protective Edge.xlsb” is communicating with.\r\nDetection and prevention\r\nBy using GPO to disable macro code from running, infection by this malware may be avoided.\r\nAlternatively, files containing macro code should be blocked at the email gateway or by an anti-spam solution.\r\nLogs and proxy servers should be checked for communication with the IP addresses with which the malware communicates:\r\n83.170.33.60\r\n83.170.33.37\r\nIf you think you got infected, check the system root folder for a file called NTUSER.DAT.{$GUID}.dll, for example:\r\nNTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0b**c}.dll\r\nThe following YARA rule may be used to detect the gholee malware:\r\nrule gholee\r\n{\r\n    meta:\r\n        author = \"www.clearskysec.com\"\r\n        date = \"2014/08\"\r\n        maltype = \"Remote Access Trojan\"\r\n        filetype = \"dll\"\r\n    strings:\r\n        $a = \"sandbox_avg10_vc9_SP1_2011\"\r\n        $b = \"gholee\"\r\n    condition:\r\n        all of them\r\n}\r\nSource: https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/"
	],
	"report_names": [
		"gholee-a-protective-edge-themed-spear-phishing-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1777457931,
	"ts_updated_at": 1777459353,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49e8314cf2ce99cabf50545f50f505c0d119c155.pdf",
		"text": "https://archive.orkl.eu/49e8314cf2ce99cabf50545f50f505c0d119c155.txt",
		"img": "https://archive.orkl.eu/49e8314cf2ce99cabf50545f50f505c0d119c155.jpg"
	}
}