Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Video: Strings Analysis: VBA & Excel4 Maldoc

Published: 2021-09-25
Last Updated: 2021-09-25 12:46:09 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I did record a video for my diary entry "Strings Analysis: VBA & Excel4 Maldoc", showing how to use CyberChef to analyze a maldoc.

If you are intested in CyberChef, I have more CyberChefs videos here.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

0 comment(s)

Strings Analysis: VBA & Excel4 Maldoc

Published: 2021-09-25
Last Updated: 2021-09-25 12:00:25 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Malware analysis is difficult.

But there is one method that everybody can follow, even without command-line skills: strings analysis.

This method consists of running a tool on a binary file, like a maldoc, to extract all plaintext strings. There are command-line tools to do this, and even GUI tools.

Of course, there are many ways to make strings analysis impossible, by making the plaintext strings unreadable. Simple file compression is an example.

Xavier's diary entry "Excel Recipe: Some VBA Code with a Touch of Excel4 Macro" malicious document uses a sophisticated method: it combines VBA and Excel 4 macros to download Qakbot. Despite this complexity, strings analysis can be performed on this maldoc to find the URLs.

I found a similar maldoc on VirusTotal (it's also on Malware Bazaar).

For this diary entry, I will analyze this maldoc with CyberChef:

First step: I add the maldoc as input:

Second step: I search for the strings operation:

Third step: I add the strings operation to the recipe:

If I browse through the output, I will find the URLs. But I want to automate that too.

Fourth step: I search for the regex operation:

Last step: I add the regex operation to the recipe, and configure it to use the buildtin URL regex and output matches only:

Now, these URLs are actually incomplete. The maldoc's script will add a path to these URLs that is a timestamp terminated with ".dat".

But despite that, the IPv4 addresses we found here, are good IOCs to get started.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Keep an Eye on Your Users Mobile Devices (Simple Inventory)
Sep 24th 2021
3 days ago by Xme (0 comments)

Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
Sep 23rd 2021
4 days ago by Xme (0 comments)

An XML-Obfuscated Office Document (CVE-2021-40444)
Sep 22nd 2021
5 days ago by DidierStevens (0 comments)

A First Look at Apple's iOS 15 "Private Relay" feature.
Sep 21st 2021
5 days ago by Johannes (0 comments)

#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.
Sep 20th 2021
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
3 months ago by Rick (0 replies)

API port data
created Apr 25th 2021
5 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
5 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
6 months ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
7 months ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
2 months ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 months ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
2 months ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
6 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)