
Breaking Down an Access-Code-Gated Malware Delivery Chain

Joe Security's Blog

Published on: 08.01.2026


 


In this post, we present an interesting malware delivery chain observed through Joe Sandbox Cloud Basic. At first glance, the sample appears difficult to analyze dynamically: execution is gated by an access code, the second stage is protected by time-based checks, and additional packing is applied. As a result, dynamic analysis alone is insufficient to fully uncover the attack.

To overcome these obstacles, we combine Joe Reverser and Joe Sandbox to reconstruct the full delivery chain, from the initial phishing email to the final payload. This case highlights how static analysis can be used to bypass execution barriers and enable effective dynamic confirmation at later stages.


Phishing Email


The attack begins with a targeted phishing email designed to impersonate DocuSign:





The email contains a link pointing to the following domain (defanged):

hxxps://docu[.]sign-platform[.]app/




For reference, the legitimate DocuSign website is:

https://www.docusign.com/

 



The phishing page closely mimics the original DocuSign site in appearance, increasing the likelihood that a victim will trust the content and proceed. We analyzed the suspicious link using Joe Reverser, which revealed several noteworthy indicators:




A detailed report of this stage is available in the full analysis.

The page ultimately serves a file named:


DocuSign_PackageInstaller.exe


Fake Installer & Second Stage


The downloaded executable was first analyzed in Joe Sandbox. At this stage, the analysis produced no meaningful behavioral results, suggesting evasive behavior or delayed execution logic.



 


To gain deeper insight, we analyzed the same binary using Joe Reverser, which revealed the following key findings:


1. Valid Code Signing Certificate

The binary is signed with a valid PE certificate issued to an organization based in China. The presence of a legitimate signature can help the malware bypass basic trust checks and reduce suspicion.





2. Single-File .NET Bundle

The sample is a single-file .NET bundle containing one main embedded payload, indicating an attempt to simplify distribution while concealing the actual malicious logic.
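To make the "single-file .NET bundle" finding concrete for analysts who want to pull the embedded payload out themselves, here is an added Python example (not Joe Security's code and not part of the original post). It locates the bundle marker, reads the manifest and extracts embedded files, following the bundle layout as implemented in the open-source dotnet runtime: a 32-byte signature (SHA-256 of the string ".net core bundle") embedded in the apphost, with the manifest offset patched into the 8 bytes immediately before it; the manifest field order, the FileType numbering and the use of raw deflate for compressed entries are stated here from that format as I understand it and should be treated as assumptions to check against the runtime source. The bundle it parses when run stand-alone is constructed inline (`build_sample_bundle`), not the real sample.

```python
import hashlib
import io
import struct
import sys
import zlib
from dataclasses import dataclass

# 32-byte marker present in every single-file apphost; the bundler stores the manifest
# offset as an int64 in the 8 bytes right before it (layout per dotnet runtime; assumption).
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

# FileType values written by the bundler (assumption based on the runtime's enum).
FILE_TYPES = {0: "unknown", 1: "assembly", 2: "native", 3: "deps.json",
              4: "runtimeconfig.json", 5: "symbols"}


@dataclass
class BundleEntry:
    offset: int
    size: int             # uncompressed size
    compressed_size: int  # 0 when the entry is stored as-is
    file_type: int
    path: str


def _read_7bit(buf: io.BytesIO) -> int:
    """BinaryReader.Read7BitEncodedInt: little-endian base-128 varint."""
    result = shift = 0
    while True:
        b = buf.read(1)[0]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result
        shift += 7


def _read_string(buf: io.BytesIO) -> str:
    """BinaryReader.ReadString: varint byte length followed by UTF-8 bytes."""
    return buf.read(_read_7bit(buf)).decode("utf-8")


def parse_bundle(data: bytes):
    """Return (major, minor, bundle_id, entries) or None when no bundle manifest is present."""
    sig = data.find(BUNDLE_SIGNATURE)
    if sig < 8:
        return None
    (header_off,) = struct.unpack_from("<q", data, sig - 8)
    if header_off <= 0 or header_off >= len(data):
        return None  # placeholder still zero (plain apphost) or corrupt offset
    buf = io.BytesIO(data[header_off:])
    major, minor, count = struct.unpack("<IIi", buf.read(12))
    bundle_id = _read_string(buf)
    if major >= 2:
        buf.read(4 * 8 + 8)  # deps.json/runtimeconfig.json (offset, size) pairs plus flags
    entries = []
    for _ in range(count):
        off, size = struct.unpack("<qq", buf.read(16))
        comp = struct.unpack("<q", buf.read(8))[0] if major >= 6 else 0
        ftype = buf.read(1)[0]
        entries.append(BundleEntry(off, size, comp, ftype, _read_string(buf)))
    return major, minor, bundle_id, entries


def extract_entry(data: bytes, e: BundleEntry) -> bytes:
    """Slice one embedded file out of the bundle, inflating raw deflate if it was compressed."""
    if e.compressed_size:
        return zlib.decompress(data[e.offset:e.offset + e.compressed_size], -15)
    return data[e.offset:e.offset + e.size]


# ---- constructed sample: fake apphost stub followed by two embedded files ----

def _w7bit(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _wstring(s: str) -> bytes:
    b = s.encode("utf-8")
    return _w7bit(len(b)) + b


def build_sample_bundle() -> bytes:
    """Build a minimal v6.0 bundle (constructed test data, not the real sample)."""
    payload = b"MZ" + b"\x00" * 62 + b"fake main assembly " * 20
    config = b'{"runtimeOptions":{}}'
    c = zlib.compressobj(wbits=-15)
    comp = c.compress(payload) + c.flush()
    out = bytearray(b"STUB" * 16 + b"\x00" * 8 + BUNDLE_SIGNATURE + b"\x00" * 16)
    off1 = len(out); out += comp
    off2 = len(out); out += config
    header_off = len(out)
    out += struct.pack("<IIi", 6, 0, 2) + _wstring("constructed-bundle-id")
    out += struct.pack("<qqqqQ", 0, 0, off2, len(config), 0)
    out += struct.pack("<qqq", off1, len(payload), len(comp)) + bytes([1]) + _wstring("app.dll")
    out += struct.pack("<qqq", off2, len(config), 0) + bytes([4]) + _wstring("app.runtimeconfig.json")
    struct.pack_into("<q", out, out.find(BUNDLE_SIGNATURE) - 8, header_off)
    return bytes(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    parsed = parse_bundle(blob)
    if parsed is None:
        sys.exit("no single-file bundle manifest found")
    major, minor, bid, entries = parsed
    print(f"bundle v{major}.{minor} id={bid}")
    for e in entries:
        print(f"{FILE_TYPES.get(e.file_type, e.file_type):20} {e.size:8d} {e.path}")
```

Run it with a path to a suspected single-file apphost to list the embedded files; the entry with type `assembly` and a name matching the bundle's host is normally the managed entry point, which is what you would hand to a .NET decompiler next.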







3. Entry Point With Access Code Verification

At the entry point, Joe Reverser identified logic that verifies a signature and an access code. Initially, this access code was misclassified as phishing-related UI input. In reality, it is used as a verification mechanism.





The entered access code is sent to the command-and-control (C2) server via the registration endpoint listed in the IOCs below, where the code is substituted into the query string. Only if the server validates the code does the malware proceed to download the second-stage payload.


4. Second-Stage Discovery Without Access Code

Despite the access code requirement, Joe Reverser was able to statically identify and retrieve the second-stage payload without providing the code. This is achieved purely through static analysis, allowing the entire delivery chain to be followed even when interactive conditions are unmet.







5. Native Second-Stage Binary and Time Bomb

The second-stage payload is a native binary. Joe Reverser automatically disassembled and decompiled it, revealing a built-in time bomb early in the analysis.

Importantly, the malware does not rely on local system time. Instead, it performs the time check using an online source, making simple clock manipulation ineffective.







6. Packing Detection

Further analysis revealed classic packing techniques, indicating that additional obfuscation layers are applied to hinder reverse engineering.





Final Payload


Currently, Joe Reverser does not have generic unpacking capabilities, though this may be added in the future. We therefore went back to Joe Sandbox and analyzed the second-stage payload, which is Vidar:




Full Analysis here.

Final Words


This attack chain is particularly interesting due to several factors: the use of a valid code-signing certificate, an access-code–gated second stage, online time-based execution checks, and layered obfuscation. Together, these techniques demonstrate a deliberate effort to evade both users and automated analysis.

The combination of Joe Reverser and Joe Sandbox proved effective in overcoming these challenges. Static analysis enabled the full delivery chain to be reconstructed without fulfilling runtime conditions, while dynamic analysis provided final payload confirmation. This case highlights how both tools complement each other when investigating modern, multi-stage malware campaigns.

Would you like to try Joe Reverser? Register for a free account on Joe Sandbox Cloud Basic and start using it!


IOCs

DocuSign_PackageInstaller.exe

SHA256: 3a7f8b2c1d11f024c24c14ced04c0d4ba64b40eda0f890b393e4a06263fd019a
MD5: 2e012cb0698680cfcb0e569fb22358f6

Registration C2 

hxxp://185.153.198.115/api/submit?code={CODE}

Dropzone C2

hxxps://training-vibe.forum/pe/index.zip
hxxps://training-vibe.forum/dll/index.zip
hxxps://training-vibe.forum/py/index.zip
hxxps://training-vibe.forum/ps/index.zip
hxxps://training-vibe.forum/bat/index.zip

Second-stage index.exe

SHA256: CD45112D3EBDAEDC59ADEA8070148C29F378E67F388240183CFD796F50C036C5
MD5: 6DCC64C6BFEC826A4DCC7E5551A7B771
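As an added example for defenders (written for this post, not Joe Security's code), the following Python script turns the IOCs above and the access-code registration step described earlier into a small detection: it refangs the published URLs, scans proxy log lines for the phishing host, the registration C2 (matched on the `/api/submit?code=` path template, since the code itself is per victim) and the dropzone downloads, flags DocuSign-lookalike hostnames with a simple heuristic, and checks file hashes against the published SHA256 values case-insensitively. The log format and the log lines are constructed for the example; only the URLs and hashes come from the post.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IOCs exactly as published in the post (defanged).
DEFANGED_URLS = [
    "hxxps://docu[.]sign-platform[.]app/",
    "hxxp://185.153.198.115/api/submit?code={CODE}",
    "hxxps://training-vibe.forum/pe/index.zip",
    "hxxps://training-vibe.forum/dll/index.zip",
    "hxxps://training-vibe.forum/py/index.zip",
    "hxxps://training-vibe.forum/ps/index.zip",
    "hxxps://training-vibe.forum/bat/index.zip",
]
PUBLISHED_SHA256 = [
    "3a7f8b2c1d11f024c24c14ced04c0d4ba64b40eda0f890b393e4a06263fd019a",  # DocuSign_PackageInstaller.exe
    "CD45112D3EBDAEDC59ADEA8070148C29F378E67F388240183CFD796F50C036C5",  # second-stage index.exe
]


def refang(ioc: str) -> str:
    """Undo the common hxxp / [.] defanging so the IOC can be parsed as a URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def normalize_hash(h: str) -> str:
    return h.strip().lower()


KNOWN_SHA256 = {normalize_hash(h) for h in PUBLISHED_SHA256}
IOC_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_URLS}

# The registration endpoint carries a per-victim code: match the path template, not a literal URL.
REGISTRATION_RE = re.compile(r"^/api/submit\?code=[^&]+")

# Constructed proxy log format (not from the post): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def brand_lookalike(host: str, brand: str = "docusign") -> bool:
    """Heuristic: the brand name survives once dots and hyphens are stripped, yet the host is not the brand's own domain."""
    host = host.lower()
    flat = host.replace(".", "").replace("-", "")
    own = host == f"{brand}.com" or host.endswith(f".{brand}.com")
    return brand in flat and not own


def classify_url(url: str):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_q = parts.path + (f"?{parts.query}" if parts.query else "")
    if host in IOC_HOSTS:
        if REGISTRATION_RE.match(path_q):
            return "registration_c2"
        if parts.path.endswith("/index.zip"):
            return "dropzone_c2"
        return "phishing_page" if brand_lookalike(host) else "ioc_host"
    if brand_lookalike(host):
        return "brand_lookalike"
    return None


def scan_log(lines):
    """Return (timestamp, client, verdict, url) for every log line that hits an IOC or the lookalike heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append((m["ts"], m["client"], verdict, m["url"]))
    return hits


def is_known_sample(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


# Constructed log lines modelled on the chain in the post; the client IP and access code are made up.
SAMPLE_LOG = [
    "2026-01-08T09:12:01Z 10.0.0.23 GET https://www.docusign.com/ 200",
    "2026-01-08T09:12:44Z 10.0.0.23 GET https://docu.sign-platform.app/ 200",
    "2026-01-08T09:13:10Z 10.0.0.23 GET https://docu.sign-platform.app/DocuSign_PackageInstaller.exe 200",
    "2026-01-08T09:15:02Z 10.0.0.23 GET http://185.153.198.115/api/submit?code=123456 200",
    "2026-01-08T09:15:30Z 10.0.0.23 GET https://training-vibe.forum/pe/index.zip 200",
    "2026-01-08T09:16:00Z 10.0.0.41 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for ts, client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {verdict:16} {url}")
```

The ordering of hits is itself useful: a phishing-page visit followed by a `/api/submit?code=` request and then an `index.zip` download from the dropzone host reproduces the chain described above, so a single client showing that sequence deserves a higher priority than any one of the hits alone. The lookalike heuristic is deliberately loose and will need an allow-list in a real deployment.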