Threat Level: green Handler on Duty: Didier Stevens

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Malicious XML: Matryoshka Edition

Published: 2015-03-29
Last Updated: 2015-03-29 10:23:25 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A couple of days ago I received another malicious document (078409755.doc B28EF236D901A96CFEFF9A70562C9155). Unlike the XML file I wrote about before, this one does not contain VBA macros:


But as you can see, it should contain an embedded object. The base64 code found inside the XML object decodes to an OLE file. The single stream present in this OLE file contains ZLIB compressed data (identifiable via byte 0x78). Decompressing this ZLIB stream reveals another OLE file. Which in turn contains an embedded OLE object that turns out to be a VBS script:


And the base64 string in this VBS script is a PowerShell command:


If you are interested to see how you can analyze this sample with oledump, you can take a look at this video I produced.

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Friday Digest - 27 MAR 2015
1 day ago by Russ McRee (4 comments)

Pin-up on your Smartphone!
3 days ago by Daniel (8 comments)

Repurposing Logs
4 days ago by Kevin Liston (3 comments)

Interesting Home Depot Spam
5 days ago by Rick (4 comments)

Watch for updated router firmware!
5 days ago by Rick (0 comments)

PHP 5.5.23 is available
4 decades ago by Kevin Liston (1 comment)

4 decades ago by Kevin Liston (0 comments)

Nmap/Google Summer of Code
4 decades ago by Kevin Liston (0 comments)

View All Diaries →

Latest Discussions

Cryptofortress and variants - Network Enumeration
created 4 days ago by Anonymous (0 replies)

Getting Into Digital Forensics
created 5 days ago by Hel10s (0 replies)

Security Requirements vs. Secure Requirements
created 1 week ago by SecArchitect (0 replies)

Alien Vault Reviews
created 1 week ago by Victor Hugo (3 replies)

Botnet "attacking" our site but I can't figure out why.
created 2 weeks ago by adama (1 reply)

View All Forums →

Latest News

View All News →