Submitting a malware Word document

Cuckoo Malware Analysis

October 2013


Analyze malware using Cuckoo Sandbox

(For more resources related to this topic, see here.)

We will submit a document dealing with Iran's Oil and Nuclear Situation. Perform the following steps:

  1. Open a new tab in the terminal and type the following command:

    $ python utils/ --platform windows –package doc shares/Iran\'s\
    Oil\ and\ Nuclear\ Situation.doc

    In this case, the document is located inside the shares folder. You have to change the location based on where your document is.

    Please make sure you get a Success message like the preceding screenshot with task with ID 7 (it is the ID that depends on how many times you tried to submit a malware). Cuckoo will then start the latest snapshot of the virtual machine we've made. Windows will open the Word document.

  2. A warning pop-up window will appear as shown in the preceding screenshot. We assume that the users will not be aware of what that warning is, so we will choose I recognize this content. Allow it to play. option and click on the Continue button. Wait a moment until the malware document takes some action. The VM will close automatically after all the actions are finished by the malware document. Now, you will see the Cuckoo status—on the terminal tab where we started Cuckoo—as shown in the following screenshot:

We have now finished the submission process. Let's look at the subfolder of cuckoo, in the storage/analyses/ path. There are some numbered folders in storage/analyses, which represent the analysis task inside the database. These folders are based on the task ID we have created before. So, do not be confused when you find folders other than 7. Just find the folder your were searching for based on the task ID.

When you see the reporting folder, you will know that Cuckoo Sandbox will make several files in a dedicated directory. Following is an example of an analysis directory structure:

|-- analysis.conf
|-- analysis.log
|-- binary
|-- dump.pcap
|-- memory.dmp
|-- files
| |-- 1234567890
| `-- dropped.exe
|-- logs
| |-- 1232.raw
| |-- 1540.raw
| `-- 1118.raw
|-- reports
| |-- report.html
| |-- report.json
| |-- report.maec11.xml
| |-- report.metadata.xml
| `-- report.pickle
`-- shots
|-- 0001.jpg
|-- 0002.jpg
|-- 0003.jpg
`-- 0004.jpg

Let us have a look at some of them in detail:

  • analysis.conf: This is a configuration file automatically generated by Cuckoo to instruct its analyzer with some details about the current analysis. It is generally of no interest for the end user, as it is exclusively used internally by the sandbox.
  • analysis.log: This is a log file generated by the analyzer and it contains a trace of the analysis execution inside the guest environment. It will report the creation of processes, files, and eventual error occurred during the execution.
  • binary: This is the binary file we have submitted before.
  • dump.pcap: This is the network dump file generated by tcpdump or any other corresponding network sniffer.
  • memory.dmp: In case you enabled it, this file contains the full memory dump of the analysis machine.
  • files: This directory contains all the files the malware operated on and that Cuckoo was able to dump.
  • logs: This directory contains all the raw logs generated by Cuckoo's process monitoring.
  • reports: This directory contains all the reports generated by Cuckoo.
  • shots: This directory contains all the screenshots of the guest's desktop taken during the malware execution.

The contents are not always similar to what is mentioned. They depend on how Cuckoo Sandbox analyzes the malware, what is the kind of the submitted malware and its behavior. After analyzing Iran's Oil and Nuclear Situation.doc there will be four folders, namely, files, logs, reports, and shots, and three files, namely, analysis.log, binary, dump.pcap, inside the storage/analyses/7 folder.

To know more about how the final result of the execution of malware inside the Guest OS is, it will be more user-friendly if we open the HTML result located inside the reports folder. There will be a file named report.html.

We need to double-click it and open it on the web browser. Another option to see the content of report.html is by using this command:

$ lynx report.html

There are some tabs with information gathered by Cuckoo Sandbox analyzer in your browser:

In the File tab from your browser , you may see some interesting information. We can see this malware has been created by injecting a Word document containing nothing but a macro virus on Wednesday, November 9th, between 03:22 – 03:24 hours.

What's more interesting is that it is available in the Network tab under Hosts Involved.

Under the Hosts Involved option, there is a list of IP addresses, that is,,, and, which are the Guest OS's IP, Network Broadcast's IP, and vmnet0's IP, respectively. Then, what about the public IP This is the IP used by the malware to contact to the server, which makes the analysis more interesting.

After knowing that malware try to make contact outside of the host, you must be wondering how the malware make contact with the server. Therefore, we can look at the contents of the dump.pcap file.

To open the dump.pcap file, you should install a packet analyzer. In this article, we will use Wireshark packet analyzer. Please make sure that you have installed Wireshark in your host OS, and then open the dump.pcap file using Wireshark.

We can see the network activities of the malware in the preceding screenshot.


In this article, you have learned how to submit malware samples to Cuckoo Sandbox. This article also described the example of the submission of malicious files that consist of MS Office Word.

Resources for Article:

Further resources on this subject:

Books to Consider

comments powered by Disqus