Green Stone

A few days ago we discovered a very interesting sample that had been uploaded from Iran. The document is a contract for the supply of services to «Tavangoostar Niro va Gashtavar Jonob», an energy company from southern Iran. The document also contains a link to this energy company.

Since this family of malicious documents containing embedded executable files was not previously known, we named it Green Stone.

Image 1: Visual Lure
Type: Office Open XML document

At the time of analysis this sample had a very low detection rate on the VirusTotal service.

Image 2: VirusTotal Detection

Based on the indicators found in this sample, we were able to locate additional samples within InQuest Labs. We assume that these documents were sent to Iranian companies between 20 and 21 July 2022.

Deeper analysis reveals an executable that has been base64-encoded and then reversed. The macro contains functions that decode this blob, write the executable file (nvidiax.exe) into a temporary directory and then run it.

Figure 4: Executable
Figure 5: Logic to extract the executable
Type: x86 exe file; Visual Basic

The executable contains many spying features. To hide its presence on the system, it copies itself to a specific directory.

Figure 6: Registry Access

The program accesses certain sections of the registry. It opens the following registry key to retrieve the URLs recently typed into Internet Explorer:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs\

The program also checks whether the system is connected to the Internet by calling ping.exe against a web page:

ping -n 1

The program also collects information about the system, takes a screenshot of the screen and sends all the information to a remote server.

To exchange commands with the attacker, however, the program uses a Telegram bot. This is not a common practice, but it does appear in malware specifically to hide the C2 server behind a legitimate service.

Figure 7: Supported Commands

Here are the commands supported by the application that can be received from the Telegram bot.

Typically, the cyberspace of this region is dominated by capable groups. It is also quite common for APT groups to embed executable files in the body of a malicious document, thus avoiding unnecessary connections to a remote server to download the payload. The samples of malicious documents presented in this review show these signs. On the other hand, the code of the executable file contains a lot of information that the developers should have removed and which can be used as a step towards attribution.

Deep File Inspection provides an opportunity to empower your operations and overcome the limitations inherent in other malware prevention solutions. To illuminate the security gap your organization faces, InQuest has developed the Email Security Assessment to test the efficacy of typical mail providers’ security controls.

Debugging strings