Didier Stevens

Monday 9 March 2015

A New Type Of Malicious Document: XML

Filed under: Malware,My Software — Didier Stevens @ 9:08

Since last week we see XML documents being spammed: they are actually Microsoft Word documents with VBA Macros.

I wrote an ISC Diary entry (I’m a SANS ISC Handler now) detailing the internals of these XML files.

oledump is updated to parse these XML documents.

oledump_V0_0_11.zip (https)
MD5: 02AEF764545213E1B1A5895AD0706F78
SHA256: 162EE94B1A4533956EE2CE0CB13ECDF2FF6C18A0597685E690B8524526FD694E


  1. Very interesting post, thank you!
    Where I can download Clipboard Transformer (in video at 2:45) application? Is it freely available.
    As I can uderstand – 010 editor is from http://www.sweetscape.com/010editor/. Right?

    Comment by Anonymous — Monday 9 March 2015 @ 10:01

  2. I’ll release ClipboardTransformer soon.
    It’s indeed 010 Editor.

    Comment by Didier Stevens — Monday 9 March 2015 @ 10:03

  3. Great work…as always. I am wondering since we don’t have access to clipboardTransformer how could copy the hex data and uncompress it?

    Comment by Anonymous — Monday 23 March 2015 @ 20:52

  4. @Anonymous I posted a beta: http://didierstevens.com/files/software/ClipboardTransformerBeta.zip
    MD5: FF653016801DA4D12F5BB852703E2D7D
    SHA256: 2B9F54145F1396D7FEB259F987DA0315AB168F3FDA03EEEE5AF3BD046223AF7B

    Comment by Didier Stevens — Monday 23 March 2015 @ 21:56

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.