Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Decoding QR Codes with Python

Published: 2019-03-24
Last Updated: 2019-03-24 17:08:04 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "Sextortion Email Variant: With QR Code", I had to decode a QR code. I didn't mention it in my diary entry, but I used an online service to decode the QR Code (I didn't want to use my smartphone).

But what if you don't want to use any online service?

You can also use a Python module: python-qrtools. I installed it on Ubuntu 18 with the following command:

sudo apt-get install python-qrtools

And then I used a simple Python program like this one:

import sys
import qrtools

qr = qrtools.QR()

We received the sextortion email with QR code as a .msg file. These files can be analyzed with

Plugin plugin_msg can help with locating the streams that contain the attachments (images):

The beginning of the content of the attachment data streams indicates that these are .png files: \x89PNG.

Grepping for PNG reveals that stream 3, 11 and 19 contain the .png files:

Extracting the .png attachments to disk:

Decoding the QR code:

Images 1 and 2 don't contain a QR code (False), but image 3 does (True), and the Bitcoin address is displayed.

Didier Stevens
Senior handler
Microsoft MVP

Keywords: QRcode sextortion
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

"VelvetSweatshop" Maldocs
Mar 23rd 2019
1 day ago by DidierStevens (0 comments)

Introduction to analysing Go binaries
Mar 22nd 2019
2 days ago by Remco (0 comments)

New Wave of Extortion Emails: Central Intelligence Agency Case
Mar 21st 2019
4 days ago by Xme (4 comments)

Using AD to find hosts that aren't in AD - fun with the [IPAddress] construct!
Mar 20th 2019
5 days ago by Rob VandenBrink (0 comments)

Wireshark 3.0.0 and Npcap: Some Remarks
Mar 18th 2019
6 days ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Run Extracted binaries from mirror traffic on cuckoo
created Feb 6th 2019
1 month ago by ching (1 reply)

Another sextortion email
created Feb 5th 2019
1 month ago by Anonymous (0 replies)

Two-factor authentication: Why do I need it? What are the best apps?
created Jan 27th 2019
1 month ago by Russell (0 replies)

sextortion Mail
created Jan 10th 2019
2 months ago by Anonymous (0 replies)

Internet security needed!
created Jan 3rd 2019
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (13 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)