Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

### Summary

The analyzed file (#AID=31#) is a 64-bit Windows DLL (PE32+ executable). According to its version metadata it presents itself as a Microsoft file named `CertPSam.dll` ("Microsoft® Active Directory Certificate Services Sample Policy Module"). Anomalous version information, such as `CompanyName` set to "Windows (R) Win 7 DDK provider" instead of "Microsoft Corporation", together with the complete absence of an Authenticode signature, strongly indicates that the metadata is spoofed.

Static behavioral analysis shows that the DLL functions as a malware loader. The Certificate Services structures and strings are camouflage, most likely compiled from Microsoft's public sample policy module code so that the file blends in with legitimate binaries. The hidden routines resolve network APIs dynamically through API hashing, so the imports that matter never appear in the import table. The loader uses WinINet to fetch a payload over the network, allocates memory for it, decrypts it with an embedded AES (Rijndael) implementation, and transfers execution to the decrypted payload.

### Key detections/IOCs

**Key Detections:**

* **Masquerading & Spoofing:** Poses as a Windows component (`CertPSam.dll`) but lacks a digital signature and carries anomalous version information (`CompanyName` = `Windows (R) Win 7 DDK provider`).
* **API Hashing (Obfuscated Imports):** The APIs needed to download and stage the payload (e.g., `LoadLibraryA`, `InternetOpenA`, `InternetOpenUrlA`, `InternetReadFile`, `InternetCloseHandle`) are absent from the import table and are resolved at runtime from hash values (such as `0x726774c`, `0xf07a8777`, `0xe2899612`) to defeat import-based static analysis.
* **Embedded Cryptography:** Contains lookup tables matching the AES/Rijndael S-boxes and decryption T-tables, used to decrypt the downloaded payload. The analysis engine tagged them as ARIA T-boxes, but the table it names `Rijndael_Td2`, whose leading entry is `0xa75051f4`, is the AES decryption table Td2 (its first entry is exactly that value), so the AES/Rijndael identification is the reliable one.
* **Suspicious Memory & Network Code:** Implements a classic loader loop: allocates a host buffer with `LocalAlloc`, streams payload fragments from the network through the resolved WinINet function pointers, assembles an executable blob on the heap, and finally parks the calling thread in `Sleep(0xffffffff)` (an effectively infinite wait) once control has been handed to the payload.

**IOCs Extracted:**

* API hashes used by the loader's resolution routine (specific to this hashing stub; useful for matching the same loader code, not as file or network indicators): `0x726774c`, `0xa779563a`, `0xf07a8777`, `0xe2899612`, `0xd46e6bd3`
* SHA256: `1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a`
* No download URL or host was recovered; see the incompleteness note at the top of this report.

### Evidence

The strongest argument for a benign verdict is the abundance of strings native to the legitimate Microsoft sample policy module (OIDs such as `2.5.29.19`, registry keys such as `CertAuthority_Sample.Policy`, error messages, and Active Directory LDAP strings). Cross-reference analysis dismantles that argument: the legitimate structures are dead code or decoy functions that the malicious execution path never touches.

The core logic in the function `npmserver_options_manifest` calls `sub_1800086f0`, which initialises WinINet through the hashed API resolver. It then runs a read loop (`pcVar6`, the resolved `InternetReadFile`) that streams bytes into a buffer freshly obtained from `LocalAlloc`. Execution continues into isolated arithmetic blocks (`sub_180001670`) consisting of table lookups and XOR loops over the AES decryption T-tables (`crypto::Rijndael_Td2__0xa75051f4U___32_lil_1024` and related arrays), indicating that the downloaded data is decrypted in memory before further use. Such an execution chain is characteristic of an intermediate malware stage (loader/downloader) and has no functional relationship to an Active Directory Certificate Services policy module.

### Analyzed Sub-files

No embedded sub-files were carved or required analysis in this sample.
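The following script is an added analyst check and is not code from the report or from the analyzed sample. It assumes (the report does not state the algorithm) that the loader uses the ROR-13 "block_api" hashing scheme popularised by Metasploit-style stagers: the accumulator is rotated right by 13 bits and the next byte added, first over the uppercased UTF-16LE module name including its terminating NUL, then over the case-sensitive ASCII export name including its NUL, and the two sums are added modulo 2^32. Computing that hash for candidate (module, export) pairs and comparing against the values quoted above tells you whether the assumption holds and which imports the stub resolves; the candidate table is a constructed starting point.

```python
"""ROR-13 API-hash resolver for the hash values listed in the report.

Added example, not code from the analyzed sample or the report. Assumes the
loader uses the ROR-13 "block_api" scheme (Metasploit-style stagers):
  hash(module, export) = ror13(uppercase UTF-16LE module name + NUL)
                       + ror13(ASCII export name + NUL)        (mod 2^32)
"""


def _ror(value: int, bits: int = 13) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def _ror13_hash(data: bytes) -> int:
    """Running hash: for each byte, rotate the accumulator right by 13 and add."""
    h = 0
    for b in data:
        h = (_ror(h) + b) & 0xFFFFFFFF
    return h


def ror13_api_hash(module: str, function: str) -> int:
    """Hash a (module, export) pair the way a block_api-style stub does."""
    # The module name is read from the PEB loader list as an uppercase UTF-16LE
    # string including its terminating NUL; the export name is the
    # case-sensitive ASCII string from the export table, also including its NUL.
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fun = (function + "\x00").encode("ascii")
    return (_ror13_hash(mod) + _ror13_hash(fun)) & 0xFFFFFFFF


# Constructed candidate list; extend it from the export tables of kernel32.dll
# and wininet.dll whenever a reported hash stays unresolved.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "LocalAlloc"),
    ("kernel32.dll", "Sleep"),
    ("kernel32.dll", "VirtualAlloc"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetOpenUrlA"),
    ("wininet.dll", "InternetReadFile"),
    ("wininet.dll", "InternetCloseHandle"),
]

# Hash values quoted in the report's IOC list.
REPORTED_HASHES = [0x0726774C, 0xA779563A, 0xF07A8777, 0xE2899612, 0xD46E6BD3]


def resolve_hashes(hashes, candidates=CANDIDATES) -> dict:
    """Map each hash to 'module!Export' if a candidate reproduces it, else None."""
    table = {ror13_api_hash(m, f): f"{m}!{f}" for m, f in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    for h, name in resolve_hashes(REPORTED_HASHES).items():
        print(f"0x{h:08x} -> {name or 'unresolved (extend CANDIDATES)'}")
```

Under this scheme `0x726774c`, `0xa779563a` and `0xe2899612` come out as `kernel32.dll!LoadLibraryA`, `wininet.dll!InternetOpenA` and `wininet.dll!InternetReadFile`, which is consistent with the import list in the detections above; any hash left unresolved is the cue to widen the candidate table rather than to conclude a different algorithm is in use.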
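A second added check, again not code from the report or the sample, settles the "ARIA versus AES" question raised by the crypto detection. It regenerates the AES S-boxes and the Te/Td T-tables from the GF(2^8) arithmetic and then looks up which table (if any) contains a given 32-bit constant. The value `0xa75051f4` embedded in the symbol `crypto::Rijndael_Td2__0xa75051f4U___32_lil_1024` is assumed to be the first entry of that table, which is how such auto-generated names are normally formed; the other constants fed to the script are constructed test inputs.

```python
"""Identify AES (Rijndael) S-box and T-table constants found in a binary.

Added example, not code from the report or the analyzed sample. Regenerates
the AES tables from first principles so that a constant pulled out of a
disassembly (e.g. 0xa75051f4 from the Rijndael_Td2 symbol name) can be tied
to a specific table and index instead of relying on a signature's label.
"""
import functools


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """Forward S-box: multiplicative inverse followed by the AES affine map."""
    inverse = [0] * 256  # inverse[0] stays 0 by convention
    for a in range(1, 256):
        if inverse[a]:
            continue
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inverse[a], inverse[b] = b, a
                break
    sbox = []
    for a in range(256):
        v = inverse[a]
        sbox.append(v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63)
    return sbox


def _ror32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


@functools.lru_cache(maxsize=None)
def build_tables():
    """Return S, Si (inverse S-box) and the Te0..Te3 / Td0..Td3 T-tables."""
    sbox = build_sbox()
    inv_sbox = [0] * 256
    for i, s in enumerate(sbox):
        inv_sbox[s] = i
    tables = {"S": sbox, "Si": inv_sbox}
    # Te0[x] = S[x]  * {02,01,01,03}  (encryption: SubBytes + MixColumns)
    # Td0[x] = Si[x] * {0e,09,0d,0b}  (decryption: InvSubBytes + InvMixColumns)
    # Te1..Te3 / Td1..Td3 are the same words rotated right by 8, 16, 24 bits.
    te0, td0 = [], []
    for x in range(256):
        s, si = sbox[x], inv_sbox[x]
        te0.append((gf_mul(2, s) << 24) | (s << 16) | (s << 8) | gf_mul(3, s))
        td0.append((gf_mul(0xE, si) << 24) | (gf_mul(9, si) << 16)
                   | (gf_mul(0xD, si) << 8) | gf_mul(0xB, si))
    for n in range(4):
        tables[f"Te{n}"] = [_ror32(v, 8 * n) for v in te0]
        tables[f"Td{n}"] = [_ror32(v, 8 * n) for v in td0]
    return tables


def identify_constant(value: int):
    """All (table, index) pairs whose entry equals `value`; empty if not an AES constant."""
    hits = []
    for name, table in build_tables().items():
        for idx, entry in enumerate(table):
            if entry == value:
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the Td2 constant from the symbol name, two other
    # well-known AES table heads, and an unrelated API hash as a negative.
    for c in (0xA75051F4, 0x51F4A750, 0xC66363A5, 0x0726774C):
        print(f"0x{c:08x}: {identify_constant(c) or 'not an AES table entry'}")
```

`identify_constant(0xA75051F4)` returns `("Td2", 0)`, confirming that the array is the AES decryption T-table and that the "ARIA" label is a mislabel; the same routine applied to the first few DWORDs of any suspicious read-only array gives a quick, signature-independent answer to "which cipher is this".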
### Verdict

**Malicious**

**Confidence Score:** 100/100

This is a loader that combines API hashing, AES decryption, and metadata masquerading to fetch, decrypt, and execute a secondary payload from a remote server while posing as a benign system DLL.