|
I took a look at Guy's diary entry from yesterday. This malicious document contains macros that launch a PowerShell command. Like it is often the case with such documents, the PowerShell command will download and execute an executable: MD5 e2d5d1bf5d69a942d99c8ea45fe28ac2. The PowerShell command is encoded and stored in Form1 objects:
Didier Stevens |
DidierStevens 638 Posts ISC Handler Feb 26th 2017 |
| Thread locked Subscribe |
Feb 26th 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
