A reader submitted a malicious attachment:

We can see that this is an ACE file. I remember ACE files: it's an archive format that, back in the day (2000), yielded higher compression ratios than RAR.

I found a Python library/tool to decompress ACE files: acefile.py. Looking in the source code, I noticed it could read from stdin, and that I should be able to pipe the output of oledump into acefile.

Unfortunately, this generated an error, and I had to extract the file to disk:

This .bat file is actually an executable:

Sample 3e58ec4fe08d93dd6ec20c7553519d47 was compiled with Visual Basic 6.0.

Didier Stevens
DidierStevens, ISC Handler, Oct 29th 2017
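Both identifications in the diary (the attachment is an ACE archive, the .bat is an executable) can be made from content rather than from the file name. The sketch below is an added example, not code from the diary or from acefile.py; it assumes the ACE main header layout (CRC, size, type, flags, then the `**ACE**` magic at offset 7), does not verify the header CRC, and uses constructed file names and sample bytes.

```python
import os
import struct

ACE_MAGIC = b"**ACE**"  # found at offset 7 of the ACE main header
EXPECTED_EXT = {"ace-archive": {".ace"}, "pe-executable": {".exe", ".dll", ".scr"}}

def parse_ace_main_header(data, search=4096):
    """Return main-header fields if an ACE main header is found, else None.

    The magic is searched for (not assumed at offset 7) so that bytes
    prepended to the archive do not hide it.
    """
    pos = data.find(ACE_MAGIC, 7, search)
    while pos != -1:
        start = pos - 7  # the header begins 7 bytes before the magic
        if len(data) >= start + 18:
            crc, size, htype, flags, _, ever, cver, host, vol = struct.unpack_from(
                "<HHBH7sBBBB", data, start)
            if htype == 0:  # type 0 = main (archive) header
                return {"offset": start, "hdr_size": size, "flags": flags,
                        "extract_version": ever, "creator_version": cver}
        pos = data.find(ACE_MAGIC, pos + 1, search)
    return None

def is_pe(data):
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(name, data):
    """Return (content_type, extension_mismatch) for a file name and its bytes."""
    if parse_ace_main_header(data) is not None:
        kind = "ace-archive"
    elif is_pe(data):
        kind = "pe-executable"
    else:
        return "unknown", False
    ext = os.path.splitext(name)[1].lower()
    return kind, ext not in EXPECTED_EXT[kind]

# Constructed samples: a bare 18-byte ACE main header and a minimal MZ/PE stub.
ACE_SAMPLE = struct.pack("<HHBH7sBBBB", 0, 49, 0, 0x9000, ACE_MAGIC, 20, 20, 2, 0)
PE_SAMPLE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for name, blob in [("attachment.doc", ACE_SAMPLE), ("sample.bat", PE_SAMPLE)]:
        print(name, triage(name, blob))
```

A `True` in the second field means the extension does not match the content, which is the condition worth alerting on in attachment filtering.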