SANS ISC: InfoSec Handlers Diary Blog


(Lazy) Sunday Maldoc Analysis: A Bit More ...

Published: 2019-12-14
Last Updated: 2019-12-14 20:08:12 UTC
by Didier Stevens (Version: 1)
0 comment(s)

At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.

Let's take a look at the streams inside the file and compare their total size with the file size:

A rough estimate: the total size of the streams is about 120 kB, while the file size is around 10 MB. That's a huge difference!

In such cases, I take a look with olemap, which maps out the sectors of an OLE file and shows where the structure ends:

Here I can see that there is extra data appended to the file: it starts at position 0x25400 (about 150 kB into the file, right after the last sector of the OLE structure) and is about 10 MB in size.

Extracting the appended data and calculating some statistics gives me:

This tells me there's about 10 MB of 0x00 bytes appended.
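The following Python script is an added example; it is not part of the original diary and not the code of olemap or oledump. It performs the same check in code: parse the compound file header and FAT, work out where the last allocated sector ends, treat everything after that as appended data, and compute the kind of statistics shown above (length, share of 0x00 bytes, entropy). The input is a constructed minimal compound file with 10,000 null bytes appended, standing in for the diary's document (the 10 MB of padding is scaled down, and the stream name "WordDocument" and the sector layout are assumptions). To run it against a real document, pass open(path, "rb").read() to analyze().

```python
import math
import struct
from collections import Counter

# MS-CFB (OLE2 compound file) constants
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF    # unallocated FAT entry
ENDOFCHAIN = 0xFFFFFFFE  # last sector of a chain
FATSECT = 0xFFFFFFFD     # sector holds part of the FAT
NOSTREAM = 0xFFFFFFFF    # directory entry: no sibling/child


def _sector(data, sector_size, index):
    """Bytes of sector `index`; sector 0 begins one sector after the start of the file (the header)."""
    start = (index + 1) * sector_size
    return data[start:start + sector_size]


def fat_entries(data):
    """Parse the header and collect every FAT entry, following the DIFAT chain if the file is large."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file (bad magic)")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 44)[0]
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    difat = list(struct.unpack_from("<109I", data, 76))  # first 109 FAT sector numbers live in the header
    per_difat = sector_size // 4 - 1                      # last slot of a DIFAT sector points to the next one
    sector = first_difat
    for _ in range(num_difat):
        chunk = _sector(data, sector_size, sector)
        difat.extend(struct.unpack_from("<%dI" % per_difat, chunk, 0))
        sector = struct.unpack_from("<I", chunk, sector_size - 4)[0]
    fat = []
    for fat_sector in difat[:num_fat_sectors]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), _sector(data, sector_size, fat_sector), 0))
    return sector_size, fat


def logical_size(data):
    """Where the OLE structure ends: header plus every sector up to the last one the FAT marks as allocated."""
    sector_size, fat = fat_entries(data)
    used = [i for i, entry in enumerate(fat) if entry != FREESECT]
    last = max(used) if used else -1
    return (last + 2) * sector_size   # +1 for the zero-based index, +1 for the header sector


def byte_stats(blob):
    """Statistics of the kind shown in the diary: length, share of 0x00 bytes, Shannon entropy (bits/byte)."""
    n = len(blob)
    counts = Counter(blob)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {"length": n,
            "null_fraction": counts.get(0, 0) / n if n else 0.0,
            "distinct_bytes": len(counts),
            "entropy": entropy}


def analyze(data):
    """Compare the size implied by the FAT with the real file size and characterise whatever is appended."""
    logical = logical_size(data)
    return {"file_size": len(data),
            "logical_size": logical,
            "appended_at": hex(logical),
            "appended": byte_stats(data[logical:])}


def build_sample(padding=b"\x00" * 10_000):
    """Constructed test input: a minimal 2048-byte compound file (header, FAT, directory, one 512-byte
    stream) with `padding` appended. It stands in for the diary's maldoc, which is not reproduced here."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x003E, 3, 0xFFFE, 9, 6)  # minor/major version, byte order, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<III", header, 40, 0, 1, 1)                    # dir sector count (0 in v3), 1 FAT sector, directory in sector 1
    struct.pack_into("<IIII", header, 52, 0, 4096, ENDOFCHAIN, 0)    # transaction sig, mini stream cutoff, no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)               # no DIFAT sectors beyond the header
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))    # DIFAT[0]: the FAT is in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))  # sectors 0 (FAT), 1 (dir), 2 (stream)

    def entry(name, obj_type, child, start, size):
        utf16 = name.encode("utf-16-le") + b"\x00\x00"
        return struct.pack("<64sHBBIII16sI8s8sIQ", utf16, len(utf16), obj_type, 1,
                           NOSTREAM, NOSTREAM, child, bytes(16), 0, bytes(8), bytes(8), start, size)

    # The directory is only here so the file is a well-formed compound file; the size check reads the FAT alone.
    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("WordDocument", 2, NOSTREAM, 2, 512)).ljust(512, b"\x00")
    stream = b"A" * 512
    return bytes(header) + fat + directory + stream + padding


if __name__ == "__main__":
    report = analyze(build_sample())
    print("file size %d, OLE structure ends at %s, %d bytes appended (%.0f%% null, entropy %.2f)" % (
        report["file_size"], report["appended_at"], report["appended"]["length"],
        100 * report["appended"]["null_fraction"], report["appended"]["entropy"]))
```

The comparison is deliberately based on the FAT rather than on the directory: the FAT records which sectors the file actually allocates, so anything past the last allocated sector is by definition outside the OLE structure, whatever the directory entries claim. A near-zero entropy and a null fraction close to 1 for the appended region is what distinguishes padding from an embedded payload, which would show high entropy.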

Was this done by the malware authors? Or did it happen later, during transmission or storage?

I don't know.

Maybe it was done to bypass scanning, for example when there is a size limit on the files a scanner will inspect: a 10 MB document might simply be skipped. Just speculating ...

Please post a comment if you have an idea.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc nullbytes