Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV. How can one find the original maldoc? By using a unique identifier as a search term.

In the cleaned maldoc, the PROJECT stream was still present. As I explained in a previous diary entry, the VBA project is password protected. The password is stored as a salted SHA1 hash, encoded with the MS-OVBA data encryption scheme (which starts from a random seed byte), and set as the value of DPB in the PROJECT stream. Because both the salt and the seed are random, the DPB value is unique to this maldoc (and to any other document that embeds the very same VBA project), and that is the identifier I used as a search term in VirusTotal's database. I found three documents containing that ID.

The module streams are intact in the original maldoc, while the second AV-cleaned document has even more streams removed (all VBA project streams).
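To make the pivot concrete, here is an added example (not the diary's own code, and not from any of the tools it uses) that pulls the DPB= value out of the raw bytes of a PROJECT stream and decodes it with the MS-OVBA data encryption algorithm (section 2.4.3 of the spec). The PROJECT stream text, the project CLSID, the seeds and the 29-byte hashed-password blob are constructed for the demo; the null-byte bookkeeping of the hashed-password structure itself is not modelled, because only the outer encryption layer matters for the identifier.

```python
"""Extract the DPB value from a VBA PROJECT stream and decode it (MS-OVBA 2.4.3).

Added example, not the diary's code. Sample stream text, CLSID, seeds and the
hashed-password bytes below are constructed for the demo.
"""
import re

DPB_RE = re.compile(rb'^DPB="([0-9A-Fa-f]+)"\r?$', re.MULTILINE)


def project_key(project_id: str) -> int:
    """MS-OVBA ProjectKey: sum of the bytes of the ProjectId CLSID string, mod 256."""
    return sum(project_id.encode("latin-1")) & 0xFF


def ovba_encrypt(payload: bytes, proj_key: int, seed: int) -> str:
    """MS-OVBA 2.4.3.1 Data Encryption; returns the hex string Office stores in DPB=.

    Office picks the seed at random, so re-protecting the same project with the
    same password yields a different DPB value every time.
    """
    version_enc = seed ^ 2            # Version MUST be 2
    proj_key_enc = seed ^ proj_key
    out = bytearray((seed, version_enc, proj_key_enc))
    ignored_length = (seed & 6) >> 1  # 0..3 bytes of ignored padding
    plain = bytes(ignored_length) + len(payload).to_bytes(4, "little") + payload
    unenc1, enc1, enc2 = proj_key, proj_key_enc, version_enc
    for b in plain:
        b_enc = b ^ ((enc2 + unenc1) & 0xFF)
        out.append(b_enc)
        enc2, enc1, unenc1 = enc1, b_enc, b
    return out.hex().upper()


def ovba_decrypt(hex_value: str) -> dict:
    """MS-OVBA 2.4.3.2 Data Decryption of a DPB (or CMG/GC) value."""
    data = bytes.fromhex(hex_value)
    seed = data[0]
    version = seed ^ data[1]
    if version != 2:
        raise ValueError(f"unexpected MS-OVBA version {version}, not a valid DPB")
    proj_key = seed ^ data[2]
    ignored_length = (seed & 6) >> 1
    unenc1, enc1, enc2 = proj_key, data[2], data[1]
    plain = bytearray()
    for b_enc in data[3:]:
        b = b_enc ^ ((enc2 + unenc1) & 0xFF)
        plain.append(b)
        enc2, enc1, unenc1 = enc1, b_enc, b
    body = bytes(plain[ignored_length:])
    length = int.from_bytes(body[:4], "little")
    payload = body[4:4 + length]
    if len(payload) != length:
        raise ValueError("DPB payload truncated")
    return {"seed": seed, "project_key": proj_key, "payload": payload}


def extract_dpb(project_stream: bytes) -> str:
    """Return the DPB= hex string from the raw bytes of a PROJECT stream."""
    m = DPB_RE.search(project_stream)
    if m is None:
        raise ValueError("no DPB= line: project not password protected, or stream wiped")
    return m.group(1).decode("ascii").upper()


# --- constructed sample data -------------------------------------------------
PROJECT_ID = "{A1B2C3D4-0000-1111-2222-333344445555}"  # made-up CLSID
# 29-byte stand-in for the hashed-password structure (0xFF, null-flag bytes,
# 4-byte salt, 20-byte SHA1, 0x00 terminator); null-byte bookkeeping not modelled.
PASSWORD_HASH_BLOB = b"\xff\x00\x00\x00" + b"\x11\x22\x33\x44" + bytes(range(1, 21)) + b"\x00"
SAMPLE_DPB = ovba_encrypt(PASSWORD_HASH_BLOB, project_key(PROJECT_ID), seed=0x37)


def make_project_stream(module_lines: list) -> bytes:
    """Build a PROJECT stream in the key=value layout Office uses (constructed)."""
    lines = [b'ID="' + PROJECT_ID.encode() + b'"', b"Document=ThisDocument/&H00000000"]
    lines += module_lines
    lines += [b'Name="VBAProject"', b'HelpContextID="0"',
              b'DPB="' + SAMPLE_DPB.encode() + b'"']
    return b"\r\n".join(lines) + b"\r\n"


# Constructed scenario: the original lists its modules; the AV-cleaned copy has
# lost them but its PROJECT stream, and therefore the DPB line, survived.
ORIGINAL_PROJECT = make_project_stream([b"Module=Module1", b"Module=Module2"])
CLEANED_PROJECT = make_project_stream([])

if __name__ == "__main__":
    ident = extract_dpb(CLEANED_PROJECT)
    print("content search term:", ident)
    print("same identifier in original:", ident == extract_dpb(ORIGINAL_PROJECT))
    print("decoded:", ovba_decrypt(ident))
```

On a real sample you would feed `extract_dpb` the PROJECT stream dumped from the OLE container (for example with oledump.py) and use the returned hex string as the content search term. Note what the identifier does and does not tie together: it links every document that embeds the same VBA project binary, but a maldoc generator that re-creates and re-protects the project per document produces a new seed and salt, and thus a new DPB, each time.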
Didier Stevens, ISC Handler, Aug 31st 2020