achal

Reputation: 21

Understanding a Composite Document File V2 Document Malware file

I have a malware sample to analyze with md5sum 000cbfb28e750f2e321551c03e4fe488.
When I run file {malware-file-name} it shows:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {2FA78889-1A12-4B8C-93FE-9F1F2A6C1FFB}, Number of Words: 10, Subject: ekFW6uNGmArL5v7g, Author: ekFW6uNGmArL5v7g, Name of Creating Application: Advanced Installer 14.8 build 281f49a4fb, Template: ;1033, Comments: This installer database contains the logic and data required to install ekFW6uNGmArL5v7g., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

How do I go about disassembling it and understanding what this malware is doing?
I tried opening it in IDA, but the function names are all random, which doesn't give any hint
as to what it is doing. Any hints/ideas/tools on how to proceed?

Upvotes: 0

Views: 1476

Answers (1)

Sravan

Reputation: 819

The file that you are looking at is an MSI installer file. This can be identified by the application which created the file

Name of Creating Application: Advanced Installer 14.8 build 281f49a4fb

MSI installer files use the Composite Document Format (CDF) structure. CDF files are made of streams (files) and storages (folders). Utilities like 7zip can parse CDF files and extract the composite file into its streams and storages. Once extracted, you get the executable files and their components, which can be analyzed.

Upvotes: 1
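As an added example (not code from the question or the answer above): a check for the CDF/CFB signature, plus a decoder for MSI stream names. When 7zip or a similar tool lists the streams of an MSI, the table names come out as CJK-looking text because MSI packs two 6-bit characters into each UTF-16 code unit; decoding them tells you which streams (for example the Binary table that holds embedded executables and custom-action DLLs) are worth pulling out first. The sample stream names below are constructed.

```python
# Added example: identify a Compound File (CDF/CFB) by its signature and
# decode the stream names that an MSI stores in its encoded form.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_PREFIX = 0x4840   # code unit that marks a stream as a database table


def is_cfb(header: bytes) -> bool:
    """True when the first 8 bytes carry the Compound File signature."""
    return header[:8] == CFB_MAGIC


def decode_msi_name(encoded: str) -> str:
    """Turn an MSI-encoded stream name into readable text.
    Tables get a '!' prefix, following the 7-Zip listing convention."""
    out = []
    for ch in map(ord, encoded):
        if ch == TABLE_PREFIX:
            out.append("!")
        elif 0x3800 <= ch < 0x4800:        # two characters per code unit
            ch -= 0x3800
            out.append(MSI_ALPHABET[ch & 0x3F])
            out.append(MSI_ALPHABET[(ch >> 6) & 0x3F])
        elif 0x4800 <= ch < TABLE_PREFIX:  # one trailing character
            out.append(MSI_ALPHABET[ch - 0x4800])
        else:                              # e.g. \x05SummaryInformation passes through
            out.append(chr(ch))
    return "".join(out)


def encode_msi_name(name: str) -> str:
    """Inverse of decode_msi_name, included to show the round trip."""
    out = []
    if name.startswith("!"):
        out.append(chr(TABLE_PREFIX))
        name = name[1:]
    i = 0
    while i < len(name):
        a = MSI_ALPHABET.find(name[i])
        b = MSI_ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if a < 0:                          # not encodable: keep the raw character
            out.append(name[i]); i += 1
        elif b < 0:                        # odd character at the end
            out.append(chr(0x4800 + a)); i += 1
        else:
            out.append(chr(0x3800 + a + (b << 6))); i += 2
    return "".join(out)


# Constructed sample: names as a CFB lister would show them for an MSI.
SAMPLE_STREAMS = ["\u4840\u3f7f\u4164\u422f\u4836",  # the _Tables table
                  "\u4840\u430b\u4131\u4735",        # the Binary table
                  "\x05SummaryInformation"]          # property set, not encoded

if __name__ == "__main__":
    print("CFB signature present:", is_cfb(CFB_MAGIC + b"\x00" * 504))
    for raw in SAMPLE_STREAMS:
        print(f"{raw!r:36} -> {decode_msi_name(raw)!r}")
```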
