|
In part 2, we are going to take a closed look at the image in object 3. First we dump the stream and look at the beginning and end:
FF D8 is the Start Of Image Marker of a JPEG image.
FF D9 is the Eod Of Image Marked of a JPEG image. It's likely that we are indeed dealing with a JPEG image, and not something else. Next I check if I can find strings inside the JPEG image:
With my maldoc YARA rules (maldoc.yara found in the oledump.py ZIP package) I can search for shellcode:
The second line will perform the same scan, but with decoders to see if the shellcode is encoded with simple encoding techniques (XOR 1 byte, ADD 1 byte and ROL 1 byte). There is no output from these commands, the YARA rules don't trigger: this means we can't find shellcode inside the image. This does not necessarily mean there is no shellcode, but that we can't find any... In part 3, we'll take a deeper look... Didier Stevens |
DidierStevens 604 Posts ISC Handler Sep 4th 2017 |
| Thread locked Subscribe |
Sep 4th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
