When DOSfuscation Helps...
An anonymous reader submitted a malicious document after Brad posted his diary entry "One Emotet infection leads to three follow-up malware infections".
This sample (MD5 dfff3a02e6e6a4d079c12f83dcc2f7a5) is a malicious Word document with VBA macros that launch a PowerShell command.
The command is "DOSfuscated", and when I analyzed it by extracting strings and concatenating them, I encountered a small problem.
In this video, you can see how I did the complete analysis:
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com