
SANS ISC: Remember ACE files? - SANS Internet Storm Center SANS ISC InfoSec Forums


Remember ACE files?

A reader submitted a malicious attachment:

We can see that this is an ACE file. I remember ACE files: it's an archive format that back in the day (2000) yielded higher compression ratios than RAR.

I found a Python library/tool to decompress ACE files: acefile.py. Looking in the source code, I noticed that it could read from stdin, and that I should be able to pipe the output of oledump into acefile. Unfortunately, this generated an error, and I had to extract the file to disk:

This .bat file is actually an executable:

Sample 3e58ec4fe08d93dd6ec20c7553519d47 was compiled with Visual Basic 6.0.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
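
The two identifications made in this diary (the attachment is an ACE archive, and the extracted .bat file is really an executable) can both be made from file content instead of the file name. The following is an added example, not code from the diary or from acefile.py: the function names, the extension list and the sample buffers are constructed for illustration, and the ACE check only covers a plain archive whose main header starts at offset 0.

```python
import struct

ACE_MAGIC = b"**ACE**"   # magic string in the ACE main header
ACE_MAGIC_OFFSET = 7     # after CRC16 (2), header size (2), type (1), flags (2)
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js"}   # constructed list for this example

def is_ace(data):
    """True if the buffer starts with an ACE main header (non-SFX archive)."""
    return data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC

def is_pe(data):
    """True if the buffer has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(name, data):
    """Classify by content and flag a script extension that hides a PE file."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    kind = "ace-archive" if is_ace(data) else "pe-executable" if is_pe(data) else "unknown"
    if kind == "pe-executable" and ext in SCRIPT_EXTS:
        return "MISMATCH %s: script extension, PE content" % name
    return "%s: %s" % (name, kind)

def sample_ace():
    """Constructed ACE main-header prefix (not a real archive)."""
    return b"\x00\x00" + struct.pack("<H", 0x31) + b"\x00" + b"\x00\x90" + ACE_MAGIC + bytes(32)

def sample_pe():
    """Constructed minimal MZ stub with a PE signature at 0x40 (not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

if __name__ == "__main__":
    print(triage("attachment.ace", sample_ace()))
    print(triage("invoice.bat", sample_pe()))
    print(triage("run.bat", b"@echo off\r\n"))
```

A real batch file is plain text and falls through to "unknown", so only the extension/content disagreement is flagged.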
