A reader asked whether a particular Emotet sample was a malformed ZIP file. It is not, and in this diary entry I explain why you might think it is. I create an example Word document and save it as a .doc file (an OLE file).
Didier Stevens (DidierStevens, 652 Posts, ISC Handler) | Sep 7th 2020 |
Thank you for replying to my question.

This might be a better example of a malformed zip: e7a8dd258aefb376f23ef3d68e233e5e5f6c5f277303652d614252f7e1ef00ac

For me this is unusual malware. For Emotet: when the URLs were in an 'o' stream, it was easy to analyse with oledump. For the latest versions this helped: https://github.com/infsec-consult/emotet-url-extractor
Anonymous |
Sep 8th 2020 |