Maldoc: Once More It's XOR, (Sat, Oct 13th)

More from: | SANS Internet Storm Center |

I was asked for help with malicious Word document MD5 7ea8e50ce884dab89a13803ccebea26e.

Like always, I first run on a sample:

As expected, it contains VBA macros. Then I quickly look at the source code of the VBA code in all macro streams (options -s a -v):

I noticed a string that looks like BASE64 at the end of the VBA source code (that’s why I used a tail command in this screenshot). Checking with my tool confirms that this is indeed BASE64:

The output confirms that it is BASE64, although I don’t recognize the binary data (most bytes are not printable characters).

The string is BASE64, and function gFpVdtRecxaZD is most likely a BASE64 decoder function.


Read full article »

About | SANS Internet Storm Center |

The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.

The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet. These devices feed the DShield database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. The resulting analysis is posted to the ISC's main web page where it can be automatically retrieved by simple scripts or can be viewed in near real time by any Internet user.

»Twitter: @sans_isc »YouTube: SANS ISC