ViperMonkey is still under development, and for this maldoc, it does not manage to execute the code that reveals the base64 payload. But when we use ViperMonkey's option -a to use an alternate parser, we can extract the base64 payload.
The maldoc was delivered inside a password protected ZIP file.
This time, I made a video of the static analysis process:
Aug 10th 2017
2 years ago