Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Yet Another DOSfuscation Sample

Published: 2018-12-12
Last Updated: 2018-12-12 18:42:53 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
Following this method, Vince found a shell statement:

And then searched for string zOSpqpzMSfs, but couldn't find the PowerShell command.

In the diary entry followed by Vince, I search for a VBA string, that is a string delimited with double quotes: "j9tmrnmi". Because this VBA string is used to identify an object that we can find in the streams of the OLE file.
String zOSpqpzMSfs, what Vince is searching, is actually a VBA variable name, and not a VBA string. The value of this variable is calculated at run time, and is not explicitly stored as an object property:

That is why the method followed by Vince does not work for this sample. You need to find the value of the variable, for example by reverse engineering the VBA statements and then calculate the value accordingly.

But there is also a "quick-and-dirty" method that I illustrated in diary entry "Quickie: String Analysis is Still Useful": just search for long strings (printable character sequences) in the document file, regardless of the internal file structure.
This works for Vince's sample (here I'm grepping cmd to keep the output short):

What we have here, is a PowerShell command obfuscated with a DOSfuscation technique.

This command-line statement selects characters from the string in red using indices in yellow:

to build the following command:

I used Python to do the indexing and concatenation to decode the PowerShell command:

And this PowerShell command is a downloader: a command that downloads and executes a malicious executable.

Notice that this downloader tries 5 URLs:


to download an Emotet variant.

Didier Stevens
Senior handler
Microsoft MVP

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Microsoft December 2018 Patch Tuesday
Dec 11th 2018
23 hours ago by Richard (0 comments)

Arrest of Huawei CFO Inspires Advance Fee Scam
Dec 10th 2018
2 days ago by Johannes (0 comments)

Quickie: String Analysis is Still Useful
Dec 9th 2018
2 days ago by DidierStevens (0 comments)

Reader Malware Submission: MHT File Inside a ZIP File
Dec 8th 2018
3 days ago by DidierStevens (0 comments)

A Dive into malicious Docker Containers
Dec 7th 2018
5 days ago by Remco (0 comments)

Is it Time to Uninstall Flash? (If you haven't already)
Dec 6th 2018
6 days ago by Rob VandenBrink (2 comments)

Campaign evolution: Hancitor changes its Word macros
Dec 5th 2018
1 week ago by Brad (0 comments)

View All Diaries →

Latest Discussions

Dedicated development team
created Dec 5th 2018
1 week ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
2 weeks ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
2 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
3 weeks ago by George (1 reply)

Mobile Forensics tools - suggestions?
created Oct 8th 2018
2 months ago by Gary (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
11 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)