
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-02-05 InfoSec Handlers Diary Blog



Analyzing an HTA file: Update

Published: 2018-02-05
Last Updated: 2018-02-05 23:10:03 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader asked what the &H?? strings were in the malware I analyzed in my last diary entry. These are numbers in VBA written in hexadecimal.

For analysis, these numbers can be easily extracted with my re-search.py tool and then converted to binary with hex-to-bin.py.

With regular expression "&H..", we can extract all strings starting with &H followed by 2 characters:

When we use a capture group (), re-search will output the capture group instead of the full matched string:

And then we can convert the hexadecimal digits to their binary values:

In this HTA document, the malware authors tried to obfuscate strings like MSXML2.DOMDocument.3.0 that are used in AV signatures and other detection tools.
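The extraction and conversion steps above can be reproduced in a few lines of Python. The following is an added example, not Didier's re-search.py or hex-to-bin.py and not code from the diary's HTA sample; the VBA fragment it decodes is constructed for the example and simply spells out MSXML2.DOMDocument.3.0 with &H literals. The regular expression narrows the diary's "&H.." to two hexadecimal digits, which is my choice, so that stray matches such as "&Hex" in prose are not converted.

```python
import re

# Constructed sample (not from the diary's HTA): a VBA-style expression that
# assembles "MSXML2.DOMDocument.3.0" from &H hexadecimal literals, one byte each.
SAMPLE_VBA = (
    'x = Chr(&H4D) & Chr(&H53) & Chr(&H58) & Chr(&H4D) & Chr(&H4C) & Chr(&H32) & '
    'Chr(&H2E) & Chr(&H44) & Chr(&H4F) & Chr(&H4D) & Chr(&H44) & Chr(&H6F) & '
    'Chr(&H63) & Chr(&H75) & Chr(&H6D) & Chr(&H65) & Chr(&H6E) & Chr(&H74) & '
    'Chr(&H2E) & Chr(&H33) & Chr(&H2E) & Chr(&H30)'
)

# Equivalent of the diary's "&H.." search with a capture group, restricted to
# two hex digits so that only real VBA hexadecimal literals are collected.
HEX_LITERAL = re.compile(r'&H([0-9A-Fa-f]{2})')


def extract_hex_literals(text):
    """Return the two hex digits following each &H, in order of appearance
    (the equivalent of re-search.py printing only the capture group)."""
    return HEX_LITERAL.findall(text)


def hex_to_bytes(hex_digits):
    """Convert a list of two-digit hex strings to bytes (the hex-to-bin.py step)."""
    return bytes(int(h, 16) for h in hex_digits)


def decode_vba_hex(text):
    """Extract every &H?? literal from a VBA/HTA fragment and decode the bytes
    as text, so obfuscated strings such as COM ProgIDs become readable."""
    return hex_to_bytes(extract_hex_literals(text)).decode('latin-1')


if __name__ == '__main__':
    literals = extract_hex_literals(SAMPLE_VBA)
    print(f'{len(literals)} &H literals found: {" ".join(literals)}')
    print('decoded:', decode_vba_hex(SAMPLE_VBA))
```

Decoding on the constructed sample yields MSXML2.DOMDocument.3.0, the kind of ProgID a signature would otherwise match directly; running the same two steps over a real HTA shows which strings the obfuscation was hiding.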


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: hta mht