
SANS ISC: Analyzing an HTA file: Update - SANS Internet Storm Center


Analyzing an HTA file: Update

A reader asked what the &H?? strings were in the malware I analyzed in my last diary entry. These are numbers in VBA written in hexadecimal.

For analysis, these numbers can be easily extracted with my re-search.py tool and then converted to binary with hex-to-bin.py.

With regular expression "&H..", we can extract all strings starting with &H followed by 2 characters:

When we use a capture group (), re-search will output the capture group instead of the full matched string:

And then we can convert the hexadecimal digits to their binary values:

In this HTA document, the malware authors tried to obfuscate strings like MSXML2.DOMDocument.3.0, which are used in AV signatures and other detection tools.
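The same extract-and-convert steps, as an added Python example that is not part of the diary and does not use re-search.py or hex-to-bin.py. SAMPLE_VBSCRIPT is a constructed fragment that mimics the Chr(&H??) obfuscation described above; the regex uses an explicit hex character class where the diary used "&H..".

```python
import re

# Constructed sample (not from the analyzed HTA): a string literal rebuilt
# from VBA hexadecimal numbers so that the plain text never appears in the file.
SAMPLE_VBSCRIPT = r'''
Dim x, o
x = Chr(&H4D) & Chr(&H53) & Chr(&H58) & Chr(&H4D) & Chr(&H4C) & Chr(&H32)
x = x & Chr(&H2E) & Chr(&H44) & Chr(&H4F) & Chr(&H4D) & Chr(&H44) & Chr(&H6F) & Chr(&H63)
x = x & Chr(&H75) & Chr(&H6D) & Chr(&H65) & Chr(&H6E) & Chr(&H74) & Chr(&H2E) & Chr(&H33) & Chr(&H2E) & Chr(&H30)
Set o = CreateObject(x)
'''

# Capture group keeps only the two hex digits, as re-search does with "&H(..)";
# the [0-9A-Fa-f] class avoids matching "&H" followed by non-hex characters.
HEX_LITERAL = re.compile(r'&H([0-9A-Fa-f]{2})')

# ProgID the diary names as a typical obfuscation target (detection keyword).
KNOWN_OBFUSCATED = ('MSXML2.DOMDocument',)


def extract_hex(text):
    """Return the hex digit pairs of every &H?? literal, in file order."""
    return HEX_LITERAL.findall(text)


def hex_to_bin(hex_pairs):
    """Convert hex digit pairs to their byte values (the hex-to-bin step)."""
    return bytes(int(pair, 16) for pair in hex_pairs)


def recover_strings(vbscript):
    """Decode the &H?? literals line by line so each rebuilt fragment stays
    attributable to the statement that produced it."""
    fragments = []
    for line in vbscript.splitlines():
        pairs = extract_hex(line)
        if pairs:
            fragments.append(hex_to_bin(pairs).decode('latin-1'))
    return fragments


def flag_known_strings(vbscript):
    """Return the known detection keywords that only appear after decoding,
    i.e. strings the obfuscation was hiding from signature-based scanners."""
    decoded = ''.join(recover_strings(vbscript))
    return [s for s in KNOWN_OBFUSCATED if s in decoded and s not in vbscript]


if __name__ == '__main__':
    print(recover_strings(SAMPLE_VBSCRIPT))
    print(flag_known_strings(SAMPLE_VBSCRIPT))
```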


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
