Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

# Analysis Report: 1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a

## Summary

**File**: PE x64 DLL (251,904 bytes), compiled with MSVC 2019 (v16.11.21). Pretends to be Microsoft's "Active Directory Certificate Services Sample Policy Module" (`CertPSam.dll`), version 10.0.10011.16384, but carries no valid digital signature despite claiming Microsoft authorship.

## Key Detections / IOCs

### IOCs

| Type | Value |
|------|-------|
| URL | `http://www.royalsevres.com/javascript/activex_patch.hwp` |

### Key Detections

1. **URL reference to malicious HWP payload**: The string at EA 209192 references an `.hwp` (Hangul Word Processor) file hosted on a likely compromised website — a classic APT delivery mechanism targeting South Korean entities.
2. **API Import by Hash** (5 instances): Function `sub_180008440` at #AID=29# is a textbook API hash resolver that walks the PEB → InLoadOrderModuleList → Export tables using a rolling hash algorithm. Hashes `0x726774c`, `0xa779563a`, `0xf07a8777`, `0xe2899612`, `0xd46e6bd3` are resolved dynamically — deliberately hiding which WinHTTP/WinINet APIs are called.
3. **AES/Rijndael encryption** (function `sub_180001670` at #AID=29#): Full AES decryption implementation with S-box lookups and key schedule processing — used to decrypt embedded payload/data.
4. **Dynamic string construction** (2 instances at EAs 94760, 105537): Binary data built via MOV imm instructions on the stack — likely encrypted configuration or shellcode.
5. **XOR loops** (9 instances): Suggest data obfuscation or decryption routines.
6. **Extensive code obfuscation**: 14 spaghetti functions and 8 sequential functions — anti-analysis techniques.
7. **Unsigned Microsoft impersonation**: Version info claims Microsoft copyright with no valid certificate (level 4 anomaly).
8. **`ImportByHash` with WinHTTP/WinINet imports**: The DLL imports both `WINHTTP.dll` and `WININET.dll` while resolving additional network APIs dynamically — unnecessary for a legitimate certificate policy module.
9. **Kesakode verdict**: PNGPlugLoader family at 0/100 confidence — too low to be conclusive but consistent with loader behavior patterns.

## Evidence

### File Structure

- Architecture: x64, entry point at EA 69208
- Sections: `.text`, `.rdata`, `.data`, `_RDATA`, `.rsrc`, `.reloc` — `_RDATA` is a non-standard section name
- Exports: `DllRegisterServer`, `DllUnregisterServer`, `DllGetClassObject`, `DllCanUnloadNow`, `npmserver_options_manifest`
- PE checksum not set

### API Hash Resolver (`sub_180008440` at #AID=29#)

Classic PEB-walking API hash resolver: iterates loaded modules, walks export tables, computes a rolling hash (`ror13 + byte`), and matches against a target hash. This technique is used exclusively to hide API imports from static analysis — a hallmark of shellcode and malware loaders.

### Network Download Capability (`sub_1800086f0` at #AID=29#)

Uses hash-resolved function pointers (`pcVar3`, `pcVar5`, `pcVar6`, `pcVar7`) to perform what appears to be an HTTP request, reading data in a loop into a dynamically allocated buffer — a downloader component.

### Legitimate Certificate Policy Code

Functions like `CCertPolicySample.#7` (EA 51152) at #AID=29# contain legitimate AD CS policy module logic (registry reads for RequestDisposition, EditFlags, CAPathLength, etc.), but this legitimate code is used as a disguise.

### Crypto Implementation

`sub_180001670` at #AID=29# implements AES decryption using Rijndael T-tables, with support for AES-128/192/256 (key size check at offset +0x200). This is used to decrypt embedded encrypted content.

## Counter-Arguments

- **Kesakode score is 0/100**: The PNGPlugLoader detection has no confidence, suggesting automated matching rather than definitive identification.
- **Some legitimate AD CS code exists**: The certificate policy module strings and registry interactions are consistent with a real AD CS policy DLL, which could mean legitimate code was trojanized.
- **No direct evidence of C2 communication in disassembly**: The exact targets of the hash-resolved API calls are obscured; network behavior is inferred from the WinHTTP/WinINet imports and the download function pattern.
- **The HWP URL could be an artifact**: While unlikely, a single URL string alone doesn't prove active exploitation.

## Verdict

**MALICIOUS** — Confidence: **85/100**

This is a trojanized Active Directory Certificate Services policy module DLL. The malware:

1. Disguises itself as a legitimate Microsoft AD CS sample policy module
2. Uses API hash resolution to hide network API imports (WinHTTP/WinINet)
3. Contains a network download function that fetches data from the embedded URL `http://www.royalsevres.com/javascript/activex_patch.hwp`
4. Implements AES decryption to decode embedded payloads
5. Uses extensive obfuscation (spaghetti code, XOR loops, dynamic string construction)

The HWP file reference and APT-style tradecraft (API hashing, crypto, trojanized DLL) strongly indicate this is a supply-chain or loader component targeting Korean organizations, likely associated with a state-sponsored threat actor.