Quick Analysis of A Customer Malspam Encounter

The InQuest platform is fully open in the sense that all analytical areas are extensible via customer defined intelligence which can include keywords, hashes, standard IOCs, and fully fledged YARA rules. This article covers the analysis of an interesting customer malspam encounter that was identified with a customer-defined YARA signature focusing on abnormally high levels of entropy within the semantic context of document files. This attack occurred at an undisclosed customer site and specifically targeted three different individuals across the organization. Before we dive into analysis, here are the details of the original file.


File name
File size

24.78 KB

The sample is made available on our github malware repository:


Entropy analysis is one of the methods that can be employed for detecting this campaign and is our primary focus. Many readers will already be familiar with file entropy but entropy is a concept with applications ranging from computer science to thermodynamics. Under our context (Shannon) entropy is a measure of randomness in information. Measuring entropy of code, for example, helps malware researchers determine if a sample of malware has been compressed or encrypted. The most common measure entropy is at the byte level, which results in a scale ranging from 0 to 8. The lower the entropy, the lower the chances are that the code has been obfuscated in any way. The higher the entropy, the greater the chances are that the content is compressed or encrypted. High 7’s are a good indicator that some compression or encryption is present in the underlying data.

In this case study, we’re not analyzing code entropy. Rather, we’re looking for anomalies in the entropy of semantic text (specifically the English language). Here is a glimpse of the user-defined rule courtesy of the analyst that wrote it for use in a [retrohunt]( operation. (Note: This rule is tuned for the English language and utilizes InQuest Deep File Inspection to focus on the semantic content of the file)

rule suspect_semantic_entropy_v3
        $magic = "INQUEST-PII=cat" // InQuest DFI Marker
        $long  = /w{128,}/ nocase // long string
        filesize > 1024 and
        $magic in (filesize-30..filesize) and
        math.entropy(0, filesize) >= 5.75 and

Commonly, English text has an entropy under 2. A much higher threshold of 5.75 was utilized here to reduce false positives. Additionally, at least one single long string must be found.

The InQuest platform appropriately identified the file with a threat score of 10. Notice the file entropy is ~7.9 and results form the previously discussed user-defined signature.

InQuest Platform file details with a threat score of 10
File Details.

The following screenshot details the different File Events (signature hits) that resulted from analysis of the file. Notice the seemingly random text discovered by the `suspect_semantic_entropy_v3` signature defined above. This content is indicative of obfuscation techniques used by malware authors.

InQuest Platform file events
File Events.

Within the file, there was also instances of an IPv4 Dotted Quad URL. The link ``, when expanded, pointed to the location shown in the strings view.

InQuest platform strings view in HEX editor
IPv4 Dotted Quad URL.

The PDF below is a view of the document and downloads the following file “INSTR726098292327.doc” when the hyperlink is clicked.

AT&T Malware Lure

HTTP GET Requests

HTTP GET Requests screenshot
HTTP Request.

TCP Stream showing the file that was downloaded.

TCP Stream screenshot

Here is a sample of INSTR726098292327.doc located in the InQuest malware repository: [e6ba4bd149bfa84ab57c7926c7635e162e459d0e9e419bb3c8d8af8e41c043c9](

VMRay happened to have a detailed report on this Word Document that is available [here.](


InQuest was also able to detect the threat within this file with a score of 9 out of 10.

Another example of File details in InQuest Platform
File Details.

Of note, a malicious characteristics signature detecting an “Embedded VB Macro” and a signature identifying suspicious “Microsoft Office Macro with Suspicious String.”

InQuest platform file events for the second example file
File Events.

Within that file, there is a rather convincing statement to enable the macros.

Convincing Malware Lure Graphical Image
Enable Macros.

Looking through the macro, it is heavily obfuscated.

Another example of a Microsoft Office Malware Lure
Obfuscated Macro.

When the macro is enabled, the document downloads and executes a variance of the Emotet Banking Trojan.


In this scenario, a user-defined signature combined with our proprietary Deep File Inspection (DFI) engine exposed a myriad of additional context to aid in detecting threats.