Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Maldoc analysis with standard Linux tools

Published: 2018-07-22
Last Updated: 2018-07-22 17:07:50 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I received a malicious Word document (Richiesta.doc MD5 2f87105fea2d4bae72ebc00efc6ede56) with heavily obfuscated VBA code: just a few functional lines of code, the rest is junk code.

In this static analysis, I will use standard Linux tools as much as possible. But we need to start with to look into the document and extract the macro code:

An analysis method I mentioned earlier, is "grepping for dots". Let's try this here:

With this document, we get a lot of output. Let's get rid of some junk lines like the assert statement:

Still a lot of output. Those lines with "... = Int(...)" look like junk lines too. Let's get rid of them too:

That's better! We see 2 .Run calls, one with argument TextPointer26, that could be a concatenated string, judging by the 2 statemnts with IIf. Let's grep for TextPointer26:

Do you notice something? Let's grep for IIf:

A sequential read of the second argument of the IIf function starts to read as script:http://... We can use awk to extract these strings: by considering each line as a "record" with comma as a separator, the strings we want are in the second "field":

Rests us to cleanup and join these strings byt removing all white-space characters and double-quote. This can be done with the tr command:

This gives us the URL preceded by the "script" moniker (I'll talk about this in an upcoming diary entry).

Please post a comment with your favorite standard Linux tool for (malware) analysis.


Didier Stevens
Senior handler
Microsoft MVP

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

BTC pickpockets are back
Jul 21st 2018
1 day ago by DidierStevens (3 comments)

Weblogic Exploit Code Made Public (CVE-2018-2893)
Jul 20th 2018
2 days ago by Kevin Liston (0 comments)

Reporting Malicious Websites in 2018
Jul 19th 2018
3 days ago by Kevin Liston (2 comments)

Request for Packets: Port 15454
Jul 18th 2018
4 days ago by Kevin Liston (1 comment)

Oracle Critical Patch Update Release
Jul 18th 2018
5 days ago by ScottF (0 comments)

Searching for Geographically Improbable Login Attempts
Jul 17th 2018
5 days ago by Xme (5 comments)

View All Diaries →

Latest Discussions

Windows Long File Path
created Jul 19th 2018
3 days ago by Shishir (0 replies)

Windows Long File Path
created Jul 18th 2018
4 days ago by Shishir (0 replies)

Botnet brute forcing mail accounts?
created Jun 22nd 2018
4 weeks ago by Anonymous (0 replies)

Simple SMTP/network routing questions
created Jun 14th 2018
1 month ago by Anonymous (0 replies)

HTTP Headers Illicit Characters
created Jun 13th 2018
1 month ago by David (2 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
11 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
7 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
11 months ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
10 months ago by Renato (0 comments)