Have you analyzed malicious Office documents with VBA macros? Did they contain a userform? Like this (MD5 4e0c55054c4f7c32aece5cfbbea02846): Then take a look at the content of the stream with a name that ends with /o: You can see that it contains a URL. Sometimes you will analyze the VBA code of malicious documents, but not find the URL. That's because the URL is stored as a property of a userform. The name of the property can be found in the stream with the name that ends with /f: You can find this property back in the VBA code: Didier Stevens |
DidierStevens 522 Posts ISC Handler Feb 21st 2016 |
Thread locked Subscribe |
Feb 21st 2016 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!