About 2 days ago, we caught an interesting sample that hides its downloader script in the document's metadata (the document info fields).
Let's open it with UltraEdit.
If you are using the latest version of UltraEdit, you can simply format the XML script for a much clearer view.
This script downloads and runs a specific PowerShell script from “HtTP://2584763830:8002/doc/pause.ps1” [I could not access this URL when I caught this sample].
But what does “2584763830” mean? It is just another representation of an IP address: the dotted-quad address is packed into a single long integer, and converting it back gives “18.104.22.168”.
In this URL we can see the attacker using an uncommon IP format together with the case-insensitive URL scheme to evade simple pattern-based detection.
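The normalisation a detector needs for URLs like this one, as an added example that is not part of the original post: it reads the scheme case before urlsplit() lowercases it, and rewrites an integer (decimal or hex) host into dotted-quad form. The sample URL below is constructed with the same shape as the one above, but its host decodes to the private address 192.168.1.1.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not the URL from the captured document: same shape, but the
# host decodes to the private address 192.168.1.1 so it points nowhere on the Internet.
SAMPLE_URL = "HtTP://3232235777:8002/doc/pause.ps1"

def long_to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad (network byte order, the way a URL host is read)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dotted_to_long(ip: str) -> int:
    """Dotted quad -> the integer form that gets embedded in the URL (inverse of above)."""
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def analyze_url(url: str) -> dict:
    """Normalise the scheme and expose an integer or hex host as a dotted quad.

    urlsplit() already lowercases the scheme, so the raw scheme is read with a
    regex first to record whether the sample used unusual casing."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*)://", url)
    raw_scheme = m.group(1) if m else ""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lowercased by urlsplit
    result = {
        "scheme": parts.scheme,
        "odd_scheme_case": raw_scheme not in (raw_scheme.lower(), raw_scheme.upper()),
        "host": host,
        "dotted_host": host,             # rewritten below when the host is numeric
        "integer_host": False,
        "port": parts.port,
        "path": parts.path,
    }
    if re.fullmatch(r"[0-9]+", host):
        result["integer_host"] = True
        result["dotted_host"] = long_to_dotted(int(host, 10))
    elif re.fullmatch(r"0x[0-9a-f]+", host):
        result["integer_host"] = True
        result["dotted_host"] = long_to_dotted(int(host, 16))
    return result

if __name__ == "__main__":
    print(analyze_url(SAMPLE_URL))
```

A proxy or sandbox rule that keys on `dotted_host` and `odd_scheme_case` catches both tricks regardless of how the URL was spelled.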